TLS 1.0 and 1.1 will be disabled in Edge, IE, Chrome, Firefox and Safari in 2020

  • Liam Tung (CSO Online)
  • 16 October, 2018 08:35

Microsoft, Google, Apple, and Mozilla have announced they will disable Transport Layer Security (TLS) versions 1.0 and 1.1 in their respective browsers in early 2020. 

TLS 1.0 and 1.1 will no longer be enabled by default for each of the companies' browsers in the first half of 2020. TLS is the protocol used to encrypt and secure connections between sites and browsers. 

The joint disablement of TLS 1.0 and 1.1 aligns with the expected deprecation of TLS 1.0, which will turn 20 on 19 January 2019. The Internet Engineering Task Force (IETF) is likely to deprecate both versions later this year, according to Microsoft. 

“While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone,” said Kyle Pflug, a senior program manager for Microsoft Edge.

"Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020," Apple said.

Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72 and sites using these versions will then see deprecation warnings in the DevTools console in that release. 

"TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020," Google said in its announcement

Mozilla said it will disabled the old TLS versions in Firefox in March 2020.   

TLS 1.0 and 1.1 were superseded by TLS version 1.2 in 2008 and that’s now been supplanted by TLS version 1.3, a major upgrade to the protocol that the IETF published in August.    

As the IETF notes in its draft to deprecate TLS 1.0 and 1.1 these versions “lack support for current and recommended cipher suites, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions.” 

One notable motivation for organizations getting rid of TLS 1.0 and 1.1 is the Payment Card Industry’s (PCI) PCI DSS standard, which doesn't consider TLS’s predecessor, the Secure Sockets Layer (SSL) protocol, or TLS 1.1 secure or compliant.      

Once IETF has formally deprecated these early versions of TLS, it will no longer address vulnerabilities in the protocol versions. Therefore Microsoft suggests organizations move off the versions as soon as is practical. 

Microsoft is developing support for TLS 1.3 in a future version of Edge but not IE 11. Chrome and Firefox already support TLS 1.3, while its status in Safari and Opera is in development.  

Citing SSL Labs data, Microsoft notes that 94 percent of sites already support TLS 1.2 and less than one percent of daily connections in Edge use TLS 1.0 or 1.1. 

“We are announcing our intent to disable these versions by default early, to allow the small portion of remaining sites sufficient time to upgrade to a newer version,” said Pflug.