Page MenuHomePhabricator
Create Task
Maniphest T367821

Discovery: Deprecation of TLS 1.2
Open, LowPublic
Actions

Assigned To
None
Authored By
BCornwall
Jun 17 2024, 9:44 PM
Tags
Referenced Files
F60773669: Screenshot at 2025-05-28 10-19-45.png
May 28 2025, 5:21 PM
F60733505: obraz.png
May 28 2025, 1:06 AM
F55437989: Screenshot at 2024-06-17 14-47-38.png
Jun 18 2024, 2:47 PM
F55415234: Screenshot at 2024-06-17 09-10-47.png
Jun 17 2024, 9:44 PM
Subscribers
Aklapper
BBlack
BCornwall
Bugreporter
gh87
Izno
Jdforrester-WMF
View All 18 Subscribers

Description

We're interested in deprecating TLS 1.2 in favor of using TLS 1.3. This is a long-term effort rather than an immediate change.

What do we need to do in order to eventually get there?

The last 30 days of traffic, broken down by TLS version

Screenshot at 2024-06-17 09-10-47.png (282×1 px, 13 KB)

User agent aggregation:

Screenshot at 2024-06-17 14-47-38.png (1×662 px, 124 KB)

Coordination with mediawiki's compatibility grades will be important here (Updating of Grade A support matrix).

Related Objects
Search...

Event Timeline

BCornwall created this task.Jun 17 2024, 9:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 17 2024, 9:44 PM
BCornwall triaged this task as Low priority.Jun 17 2024, 9:45 PM
BCornwall moved this task from Backlog to Scheduled incidental work on the Traffic board.
Bugreporter subscribed.EditedJun 18 2024, 12:49 AM

This will mean Chrome<70 and Firefox<63 users will no longer be able to view Wikimedia projects.

Also, Safari (desktop) only have complete support for TLS 1.3 since Safari 14, released September 2020.

Izno subscribed.Jun 18 2024, 4:58 AM
MoritzMuehlenhoff subscribed.Jun 18 2024, 7:16 AM
BCornwall updated the task description. (Show Details)Jun 18 2024, 2:47 PM
BCornwall updated the task description. (Show Details)Jun 18 2024, 2:59 PM
BCornwall renamed this task from Deprecate TLS 1.2 to Discovery: Deprecation of TLS 1.2.Jun 18 2024, 3:27 PM
BCornwall updated the task description. (Show Details)
BCornwall moved this task from Scheduled incidental work to Actively Servicing on the Traffic board.Jul 23 2024, 6:28 PM
BCornwall moved this task from Actively Servicing to Backlog on the Traffic board.Aug 21 2024, 8:56 PM
BCornwall updated the task description. (Show Details)
BCornwall updated the task description. (Show Details)Aug 21 2024, 8:58 PM
Bugreporter added a comment.Aug 22 2024, 12:54 AM

"able to view Wikimedia projects" means Grade C, not Grade A.

Volker_E added projects: Browser-Support-Firefox, Browser-Support-Google-Chrome, Browser-Support-Apple-Safari.Aug 23 2024, 9:21 AM
Volker_E subscribed.
Bugreporter added a project: User-notice.Aug 23 2024, 9:41 AM

Feel free to move the tag to a more specific subtask.

Pppery moved this task from To Triage to Not ready to announce on the User-notice board.Aug 23 2024, 4:01 PM
Nux subscribed.EditedSep 2 2024, 12:17 PM

I think you might need to check your stats based on UserAgent (if that is possible). You might need to check with tool and bot authors which might be using outdated software. This is important because a single connection once a day by some tool might be used by thousands of users.

For example with some effort you can support TLS 1.2 as far back as Java 7. It is not possible to do that with TLS 1.3.

I guess most tools should be fairly easy to update, but probably not effortless.

Bugreporter mentioned this in T271001: Transition to MathML rendering as default.Sep 9 2024, 9:33 AM
Bugreporter mentioned this in T357197: Allow ES2017 (ES8) syntax in gadgets.Sep 9 2024, 9:41 AM
Novem_Linguae subscribed.Sep 9 2024, 10:18 AM
Michael subscribed.Sep 25 2024, 3:38 PM
Bugreporter mentioned this in T380344: Safari support for Modern (Grade A) (proposal for current + 3 previous major versions).Nov 20 2024, 10:03 AM
Jdforrester-WMF subscribed.Nov 20 2024, 2:49 PM
Xeverything11 subscribed.Nov 20 2024, 4:23 PM
CCiufo-WMF mentioned this in T380576: Restate Basic (Grade C) browser support to last 7 years' versions.Nov 22 2024, 6:40 PM
Xeverything11 added a comment.Nov 22 2024, 7:00 PM

TLS 1.3 is also available in Safari 12.1 and later. Full support in macOS Mojave and later, and iOS.

https://caniuse.com/tls1-3

However, Safari 12/13 on macOS Sierra and High Sierra are not compatible with TLS 1.3.

Xeverything11 added a comment.Nov 22 2024, 7:04 PM
This comment was removed by Xeverything11.
Xeverything11 added a comment.Nov 22 2024, 7:12 PM

Let's give a update to market share:

  • Chrome 49: 0.02%
  • Chrome 50: 0.01%
  • Chrome 53: 0.01%
  • Chrome 56: 0.02%
  • Chrome 66: 0.02%
  • Chrome 69: 0.08%
  • Firefox 52: 0.04%
  • Firefox 56: 0.01%
  • Safari 12.1: 0.01%
  • Safari 13.1: 0.06%
  • Safari iOS 10.2: 0.01%
  • Safari iOS 10.3: 0.04%
  • Safari iOS 11.2: 0.16%
  • Safari iOS 11.4: 0.01%
  • Safari iOS 12.1: 0.01%

These browsers listed (0.50% total) don't support TLS 1.3.

Izno added a comment.EditedNov 22 2024, 8:00 PM

Usually better to use our own stats.

Which my offline calculator puts at 1.488% total unsupported and another 0.309% mixed support (excluding the bots). Including the estimated bots adds another 0.306%. So potentially around 2% of traffic not supporting TLS 1.3. Plus Other and Redacted are in the realm of 0.6% which we don't (other) and can't (redacted) know details of. (I totally ignored all the smaller browsers which looks to be another 0.01% or so in relevant ranges. Yandex 0.004%, Chrome Mobile Webview 0.007%.)

Aklapper added a parent task: T380344: Safari support for Modern (Grade A) (proposal for current + 3 previous major versions).Nov 26 2024, 11:49 AM
Xeverything11 added a comment.EditedNov 26 2024, 1:19 PM

TLS 1.3 is not as big of a issue for Android as with iOS.
Chrome 71 and Firefox 68 (both released 5 years ago) are compatible with Android 4.1 and above. These browsers support TLS 1.3.
Android 4.1 is 12 years old. However, iOS Safari 10-11, which are 7-8 years old, don't support TLS 1.3. Apple only managed to implement TLS 1.3 in iOS Safari 12.2, which is six years old.

TehKittyCat subscribed.Jan 8 2025, 12:26 AM
Volker_E mentioned this in T358062: Reduce output size of css-icon mixin.Jan 16 2025, 2:43 AM
Volker_E mentioned this in T369536: Remove background-image support from CSS icon mixin.Jan 16 2025, 10:01 PM
RhinosF1 subscribed.Jan 30 2025, 6:12 PM
Reedy mentioned this in T385222: Support TLS 1.3.Jan 30 2025, 6:36 PM
BCornwall added a comment.Jan 30 2025, 6:55 PM

@RhinosF1 was kind enough to do some investigation for AutoWikiBrowser/Windows. .NET applications (including AutoWikiBrowser) on Windows 10 do not support TLS 1.3 by default.

There's also this chart detailing Windows support: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

And this chart detailing .NET support: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

AutoWikiBrowser users have reported issues connecting to meta.miraheze.org, which has recently switched to TLS1.3-only.

gh87 subscribed.EditedApr 1 2025, 6:13 PM

Shall this task be stalled then? Many computers still use Windows 10, which still lacks TLS 1.3 support, and have yet to be upgraded to or replaced with Windows 11 or the Win 11 successor. We can revisit this when Windows 10 loses most of its market share by then.

Bugreporter added a comment.May 27 2025, 4:08 PM

This only affect 3rd party tools like AWB, not Edge browser which is based on Chromium. Also, Windows 10 will be EOL later this year.

BBlack subscribed.May 27 2025, 4:15 PM

FYI from the edge TLS stats POV (the first graph in the description), if we ignore the null results and just look at TLSv1.2 / (TLSv1.2 + TLSv1.3), in the ~year since this ticket was created: the TLSv1.2 percentage has dropped from ~3.76% to ~2.78%. We still have quite a ways to go before we reach a comfortable number even in that simplistic analysis.

Nux added a comment.May 28 2025, 1:06 AM

This only affect 3rd party tools like AWB, not Edge browser which is based on Chromium. Also, Windows 10 will be EOL later this year.

Not sure how this works for Wikipedia audiences, but I imagine schools in India—and frankly, in most countries—won't update any time soon. Same for many computers like laptops bought during pandemic for children.

I can say for sure that many libraries in Poland are still stuck on Windows 7. This is fresh stats from 2025:

obraz.png (271×585 px, 11 KB)

Browsers do support TLS 1.3 even on Windows 7, but if we're talking about systems, then EOL is actually not a good thing for us. I've seen Windows XP both with my own eyes and in stats long after it reached EOL.

BCornwall added a comment.May 28 2025, 5:21 PM

Fun little factoid: Claude is now the leading TLS1.2 user by a very large margin!

Screenshot at 2025-05-28 10-19-45.png (1×1 px, 199 KB)

BCornwall removed BCornwall as the assignee of this task.Jul 15 2025, 12:51 AM
Perryprog subscribed.Aug 22 2025, 7:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits