TLS 1.0 and 1.1 will be disabled in Edge, IE, Chrome, Firefox and Safari in 2020

Microsoft, Google, Apple, and Mozilla have announced they will disable Transport Layer Security (TLS) versions 1.0 and 1.1 in their respective browsers in early 2020. 

TLS 1.0 and 1.1 will no longer be enabled by default for each of the companies' browsers in the first half of 2020. TLS is the protocol used to encrypt and secure connections between sites and browsers. 

The joint disablement of TLS 1.0 and 1.1 aligns with the expected deprecation of TLS 1.0, which will turn 20 on 19 January 2019. The Internet Engineering Task Force (IETF) is likely to deprecate both versions later this year, according to Microsoft. 

“While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone,” said Kyle Pflug, a senior program manager for Microsoft Edge.

"Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020," Apple said.

Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72 and sites using these versions will then see deprecation warnings in the DevTools console in that release. 

"TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020," Google said in its announcement

Mozilla said it will disabled the old TLS versions in Firefox in March 2020.   

TLS 1.0 and 1.1 were superseded by TLS version 1.2 in 2008 and that’s now been supplanted by TLS version 1.3, a major upgrade to the protocol that the IETF published in August.    

Read more: Microsoft patches 0-day Windows flaw under attack

As the IETF notes in its draft to deprecate TLS 1.0 and 1.1 these versions “lack support for current and recommended cipher suites, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions.” 

One notable motivation for organizations getting rid of TLS 1.0 and 1.1 is the Payment Card Industry’s (PCI) PCI DSS standard, which doesn't consider TLS’s predecessor, the Secure Sockets Layer (SSL) protocol, or TLS 1.1 secure or compliant.      

Once IETF has formally deprecated these early versions of TLS, it will no longer address vulnerabilities in the protocol versions. Therefore Microsoft suggests organizations move off the versions as soon as is practical. 

Microsoft is developing support for TLS 1.3 in a future version of Edge but not IE 11. Chrome and Firefox already support TLS 1.3, while its status in Safari and Opera is in development.  

Read more: Windows 10 October 2018 Update refines ransomware protection

Citing SSL Labs data, Microsoft notes that 94 percent of sites already support TLS 1.2 and less than one percent of daily connections in Edge use TLS 1.0 or 1.1. 

“We are announcing our intent to disable these versions by default early, to allow the small portion of remaining sites sufficient time to upgrade to a newer version,” said Pflug. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags MicrosoftSSLTLSedge

More about AppleGoogleIETFInternet Engineering Task ForceMicrosoftMozillaTransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts