
Discovery: Deprecation of TLS 1.2
Open, Low, Public

Description

We're interested in deprecating TLS 1.2 in favor of using TLS 1.3. This is a long-term effort rather than an immediate change.

What do we need to do in order to eventually get there?

The last 30 days of traffic, broken down by TLS version

[Image: Screenshot at 2024-06-17 09-10-47.png]

User agent aggregation:

[Image: Screenshot at 2024-06-17 14-47-38.png]

Coordination with MediaWiki's compatibility grades will be important here (Updating of Grade A support matrix).

Event Timeline

BCornwall moved this task from Backlog to Scheduled incidental work on the Traffic board.

This will mean Chrome<70 and Firefox<63 users will no longer be able to view Wikimedia projects.

Also, Safari (desktop) has only had complete support for TLS 1.3 since Safari 14, released September 2020.

BCornwall renamed this task from Deprecate TLS 1.2 to Discovery: Deprecation of TLS 1.2. (Jun 18 2024, 3:27 PM)
BCornwall updated the task description.

"able to view Wikimedia projects" means Grade C, not Grade A.

Feel free to move the tag to a more specific subtask.

I think you might need to check your stats based on UserAgent (if that is possible). You might need to check with tool and bot authors who might be using outdated software. This is important because a single connection once a day by some tool might be used by thousands of users.

For example, with some effort you can support TLS 1.2 as far back as Java 7. It is not possible to do that with TLS 1.3.

I guess most tools should be fairly easy to update, but probably not effortless.

TLS 1.3 is also available in Safari 12.1 and later. Full support in macOS Mojave and later, and iOS.

https://caniuse.com/tls1-3

However, Safari 12/13 on macOS Sierra and High Sierra are not compatible with TLS 1.3.

Let's give an update on market share:

  • Chrome 49: 0.02%
  • Chrome 50: 0.01%
  • Chrome 53: 0.01%
  • Chrome 56: 0.02%
  • Chrome 66: 0.02%
  • Chrome 69: 0.08%
  • Firefox 52: 0.04%
  • Firefox 56: 0.01%
  • Safari 12.1: 0.01%
  • Safari 13.1: 0.06%
  • Safari iOS 10.2: 0.01%
  • Safari iOS 10.3: 0.04%
  • Safari iOS 11.2: 0.16%
  • Safari iOS 11.4: 0.01%
  • Safari iOS 12.1: 0.01%

These browsers listed (0.50% total) don't support TLS 1.3.

Usually better to use our own stats.

Which my offline calculator puts at 1.488% total unsupported and another 0.309% mixed support (excluding the bots). Including the estimated bots adds another 0.306%. So potentially around 2% of traffic not supporting TLS 1.3. Plus Other and Redacted are in the realm of 0.6% which we don't (other) and can't (redacted) know details of. (I totally ignored all the smaller browsers which look to be another 0.01% or so in relevant ranges. Yandex 0.004%, Chrome Mobile Webview 0.007%.)

TLS 1.3 is not as big an issue for Android as it is for iOS.
Chrome 71 and Firefox 68 (both released 5 years ago) are compatible with Android 4.1 and above. These browsers support TLS 1.3.
Android 4.1 is 12 years old. However, iOS Safari 10-11, which are 7-8 years old, don't support TLS 1.3. Apple only managed to implement TLS 1.3 in iOS Safari 12.2, which is six years old.
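
The per-User-Agent check suggested earlier in the thread, as an added example that is not part of the original task or Wikimedia's tooling: it classifies agents by the TLS version they actually negotiated and separates browsers from tools and bots. It assumes the server offers both TLS 1.2 and 1.3; the row layout, agent strings and counts are constructed.

```python
from collections import defaultdict

# Constructed sample rows: (user_agent, negotiated_tls_version, requests).
# The field layout and agent strings are assumptions for illustration.
SAMPLE_ROWS = [
    ("Mozilla/5.0 Chrome/126.0", "TLSv1.3", 9000),
    ("Mozilla/5.0 Chrome/126.0", "TLSv1.2", 40),  # same agent, mixed results
    ("Mozilla/5.0 Chrome/69.0", "TLSv1.2", 80),
    ("Mozilla/5.0 Version/11.0 Mobile Safari", "TLSv1.2", 160),
    ("ExampleWikiTool/1.0 Java/1.7", "TLSv1.2", 300),
    ("examplebot/2.3 python-requests", "TLSv1.3", 420),
]

def tls_readiness(rows):
    """Classify each user agent by the TLS versions it actually negotiated.

    tls13  : only ever negotiated TLS 1.3
    mixed  : seen with both TLS 1.3 and an older version
    legacy : never negotiated TLS 1.3, so it would be cut off
    Returns (share, legacy_agents): share maps class -> percent of requests,
    legacy_agents lists (user_agent, requests, looks_like_browser).
    """
    per_ua = defaultdict(lambda: defaultdict(int))
    for ua, version, requests in rows:
        per_ua[ua][version] += requests
    total = sum(requests for _, _, requests in rows)
    counts = {"tls13": 0, "mixed": 0, "legacy": 0}
    legacy_agents = []
    for ua, versions in per_ua.items():
        modern = versions.get("TLSv1.3", 0)
        n = sum(versions.values())
        if modern == n:
            cls = "tls13"
        elif modern > 0:
            cls = "mixed"
        else:
            cls = "legacy"
            # Heuristic (assumption): browsers send a "Mozilla/" prefix;
            # anything else is a tool or bot whose author must be contacted.
            legacy_agents.append((ua, n, ua.startswith("Mozilla/")))
        counts[cls] += n
    share = {k: round(100 * v / total, 3) for k, v in counts.items()}
    legacy_agents.sort(key=lambda item: item[1], reverse=True)
    return share, legacy_agents

if __name__ == "__main__":
    share, legacy = tls_readiness(SAMPLE_ROWS)
    print(share, legacy)
```

Request share understates the reach of a legacy tool that fans out to many end users, so the non-browser entries in the legacy list need follow-up with their authors regardless of their percentage.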