Remove insecure TLS version fallback - Chrome Platform Status

Remove insecure TLS version fallback (removed)

TLS has a version negotiation mechanism to securely introduce new versions without breaking compatibility. Yet buggy servers implemented this wrong in the past, so browsers were forced to add (non-standard) insecure fallbacks to work around this. Unlike TLS's actual version negotiation, the fallback is insecure. Network attackers can downgrade to weaker versions, despite both client and server supporting newer, more secure versions. Note that this does *not* remove TLS 1.0 and TLS 1.1.

Status in Chromium

Blink components: Blink

Removed (tracking bug) in:

Chrome for desktop release 50
Opera release 37
Opera for Android release 37

Consensus & Standardization

Firefox: Shipped
Edge: No public signals
Safari: No public signals
Web Developers: No signals

Owner

davidben@chromium.org

Last updated on 2017-06-14