Why don't major browsers currently support TLS above version 1.0?
TLS 1.0 seem to be vulnerable to Beast, Lucky13 and maybe other attacks and is simply outdated. Common workaround used e.g. by Google was to use RC4 which was also recently broken, but none of the major browsers seem to be implementing newer version of TLS, except Microsoft IE for newer Windows versions.
Is there a reason why there has been so little movement?
Do I think right that to avoid problems with TLS 1.0 you have to forbid it? This can take time.
I'll misuse my questions to answer Thomas Pornin because this doesn't fit into comment.
As usual, you write many letters :)
"RC4 breakage is still "academic"
Do you remember WEP history? 2001 only certain key patterns were vulnerable which could be excluded without changing the protocol, 2004 it was no more the case and 2007 only 40k packets were enough. Attacks never get worse, only better. And in real life, all updates need time, years will past till all servers update, although it's not so much like on soho routers. Can you predict with reliable probability when it will become realistic? About workarounds - are they backwards compatible? How long will they hold? Isn't it easier to use newer TLS version?
Upgrading client support to TLS 1.2 will not change anything at all until most servers are upgraded, too.
So upgrades need time, earlier we'll begin, earlier it's done.
comparison with IPv6
Well, with IPv4 you can predict when you are out of IPs. This depends much of the country - those who were first in internets usually have no problems :) Those who are out of IPs advance IPv6, like China.
In practice, several widely used browser rely on the SSL/TLS code of the underlying OS
Which ones O_o? I thought only IE does this, who cares about it with no working AdBlock.
The main reason why there is little movement is that the "breaks" are not practical enough to show up on radar.
RC4 breakage is still "academic". It had been known for some time that RC4 had some serious biases. The recent results (March 2013) are some systematic measures which show that there are more biases than previously thought, so that an actual attack requires "only" observing a few millions of connections with the target secret always in the same place. While "a few millions" is rather low, it is still impractical, from the attacker's point of view, in a Web context. Thus, no cookie has been stolen in the wild through usage of RC4. Moreover, there are possible workarounds which are easier to implement in a browser.
Thus, there is no real incentive for a mass update of client TLS implementations. Indeed, browser vendors are accustomed to deal, on a weekly basis, with vulnerabilities which are much more devastating than that (typically entailing hostile hijack of the whole client system). A somewhat theoretical exploit of the cryptography in SSL is unlikely to be even noticed, let alone acted upon. What makes browser vendors move towards newer versions is the publicity which is made about these cryptographic attacks.
Moreover, and that's the important point, the protocol version which will be used for any given connection is constrained by what both client and server software support. Upgrading client support to TLS 1.2 will not change anything at all until most servers are upgraded, too. And, similarly, upgrading server support is not very useful until clients are upgraded. This is the classic Mexican stand-off, in which nobody moves, because it would require a massive simultaneous upgrade switch of several distinct vendors. For that matter, it is the same story as with IPv6 (which was scheduled for wide adoption in 2007).
In practice, several widely used browser rely on the SSL/TLS code of the underlying OS, so any mass upgrade will have to wait for the end-of-life of Windows XP (scheduled by Microsoft for next year).
I am not sure what you mean by not supported. Currently the following browsers support TLS 1.1 and 1.2:
- Chrome - v30 supports TLS 1.2. Previous to this only up to TLS 1.1 was supported
- Firefox - v27 enables TLS 1.1 and 1.2 by default
- Internet Explorer - v11 supports TLS 1.2 from Feb 2013
- Opera - v17 has added support for TLS 1.2. Versions 10-12 supported TLS 1.1 and 1.2 but disabled it by default, and versions 14-16 supported TLS 1.1 but not 1.2.
- Safari - v5 on iOS and v7 on OS X have added support for up to TLS 1.2.
BEAST has been fixed on modern browsers.
While people really should be moving to the newer TLS versions, there hasn't been a significant adoption of the newer protocols. There has been compatibility problems with servers that has not activated the newer protocols. See this link for more information. The article is almost a year old though, so there might have been improvements since that time.
One plausible reason for not shifting over to the newer TLS versions is that developers have been applying band-aids to the older protocols to fix any vulnerabilities is found. This obviously isn't sustainable in the long run. Hopefully the recent spate of attacks against SSL/TLS will push people to speed up the move to newer versions of the protocol.
<_There has been compatibility problems with servers that has not activated the newer protocols._> - you can still fallback to older versions. The problem is the clients.
@SmitJohnth "Firstly, there's the usual problem of buggy servers. TLS has a version negotiation mechanism, but some servers will fail if a client indicates that it supports the newer TLS versions." From the article I linked to. Like I said, the article is a year old though, things should have improved somewhat since then.
Update: As of June 13, 2013 Chrome Canary now supports TLS 1.2 as the relevant bug is fixed now.
https://bugzilla.mozilla.org/show_bug.cgi?id=480514#c86 2013-05-24 21:14:19 _"Seems abandoned. Sad really."_ lol