Microsoft To Disable TLS 1.0 and TLS 1.1 Support in Edge and Internet Explorer (zdnet.com)
Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."
The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecate both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently-approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March, this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats. You can check public stats on the usage of TLS 1.0 and 1.1 here.
94% (Score:2)
Re: (Score:1)
6 is a small number
Re: (Score:2)
That with all the people still using edge.
Re: (Score:3)
We've still got a bunch of TLS 1.0 stuff because vendors don't update shit, or their update path is strictly "buy the new version" (and even when we buy the new version, we have to schedule the installation/configuration, testing, and transition).
Re: (Score:2)
Re: (Score:1)
The problem is Microsoft's Antiquated Update Process.
Most Linux systems, and OS X, will determine the state of your system and give you a comprehensive update patch.
Microsoft's older system just gives you a list of all the incremental updates, where your system installs each one, one by one. And, combined with Microsoft's inability/unwillingness to stop and restart services which have been updated, this causes each update to require a reboot.
Re: (Score:2)
Well, seeing how deeply linked IE is to the rest of the system, it's hard to just update that. Also, Mac OS X has the same BIG updates that Windows has.
Re:Will it require to reboot Windows? (Score:4, Funny)
"Your mouse has moved. Windows 10 needs to reboot. [OK]"
I think Windows 10 reboots more frequently than Windows 95.
Windows 10 doesn't prompt:
Configuring new mouse position for Windows 10
55% complete
Don't turn off or try and use your computer, this will take a while
Your PC will restart several times
Edge YES, IE NO (Score:5, Insightful)
Edge? Awesome. Yes, please do this.
Internet Explorer!? Oh hell no!!
Seriously, the only reason why IE is still around is due to supporting legacy systems, such as network-attached hardware (printers, routers, switches, access points, security cameras, and more). Not all of these devices are on the public internet, so security concerns in that regard may not be as high. But their web-based interfaces generally cannot be updated, so are stuck using older protocols. What is the point of even having IE around anymore, if its one and only task (supporting legacy enterprise systems) no longer functions? If that's the case, just remove IE entirely since it'll be made worthless.
Re: (Score:1)
I would dismantle IE anyways. If your business decided to buy an enterprise system that required IE, then it should suffer the outage for picking a poorly designed product. I would also put the vendor on task to upgrade. Because if their business was around an IE Only tool, even if it is 20 years old, and you haven't upgraded, you really shouldn't call yourself a tech company.
I am not hating on IE (While I have reasons to do so). But if you have a tool like a web browser where its job is to parse and displa
Re: (Score:2)
EXACTLY.
Guess I'll have to download Netscape Communicator 4.x to browse those bitrotting sites.
Re: (Score:2)
I still have one piece of hardware that requires a WinXP VM, running IE6, with Java6... It's hell to administer, but I'm only in that maybe once a year, otherwise it is rock solid hardware.
Re: (Score:2)
At my last job we had an Unholtz-Dickie shaker table whose controller was hosted on a Windows 2000 machine. The machine was only used to run the shaker table, and not connected to anything at all by network. We also had a newer U-D shaker table. Its controller was a Windows XP machine.
They both just worked.
Tektronix used to sell digital oscilloscopes that ran Windows 95. There are probably still plenty of them out there in use.
Problems for legacy OSes (Score:3)
Re: (Score:2)
Re: (Score:2)
"If you still use XP you haven't given Microsoft their due amount of money in a long time and you should suffer for it"
Re: (Score:2)
Internet Explorer on Windows XP still only supports TLS 1.0
For what little it's worth, XP supports TLS 1.2 with an update.
Re: (Score:2)
XP also had TLS 1.0 disabled by default, it was stuck with ssl2/ssl3 unless you explicitly enabled TLS.
Re: (Score:2)
This is all part of Microsoft’s scheme to get people to use Spydows 10.
Or maybe it's just a sensible move from a security point of view. I'm sure that anyone still running Windows XP doesn't give a shit about that though.
That's nice and all (Score:5, Insightful)
But I bet you anything they won't include an option to override unsafe TLS versions warning, and that sucks.
In some cases, there are good reasons to visit unsafe "sites" with expired certificates, that rely on TLS 1.0, or running older Java apps that use deprecated encryption algorithms. For instance, in my company, we have over 8,000 deployed servers with various versions of Dell DRAC [wikipedia.org] (versions 5, 6 and 7) that are still perfectly serviceable, but that have become a massive pain in the butt to access with modern web browsers and newer JREs: some browsers just won't allow you to "visit the page anyway" (i.e. Firefox) and newer Java versions require a bunch of really annoying privacy configurations and a slew of impossible-to-disable warning popups to let older apps run - despite the damn DRAC apps running quite safely behind our perfectly secure corporate VPN. It's become so annoying we now distribute a dedicated Virtualbox VM with an outdated Linux distro just to be able to access older DRACs quickly.
In short, I wish developers stopped thinking they know what's good for you 100% of the time, and at least offered a configuration option to allow older, unsafe protocols to be used painlessly - even if the configuration option is difficult to set or hard to find, so long as it exists and it can be set once and for all. But they don't, because they think they know better...
waterfox is needed for the old java based IPMI and (Score:2)
waterfox is needed for the old java based IPMI and also need to set each IP in the java security bypass as well.
Re: (Score:2)
I'm not sure what you mean by this? I have an old java based IPMI and other than getting a security warning about unsigned applications I don't have any problem in IE10 with it. Is there something specific yours complains about?
Article updated to include all major browsers (Score:3)
Article updated two hours after publication to include similar announcements made by Apple and Google. While Mozilla did not issue a blog post about the upcoming deprecation, a Mozilla spokesperson confirmed the company will deprecate TLS 1.0 and TLS 1.1 in 2020. The original version of this article only mentioned Microsoft's plan to deprecate TLS 1.0 and TLS 1.1.
Re: (Score:2)
Deprecate. Thank you.
Looks like Chrome, Safari, and Firefox are also planning to disparage and belittle TLS 1.0 and 1.1 in the first half of 2020?
Going to update MS TMG too? (Score:2)
Per a recent article here, their own enterprise MITM software (TMG) maps intercepted traffic to TLS 1.0 or SSLv3 [arxiv.org]:
Re: (Score:2)
What's the benefit of disabling it? (Score:2)
If there are no practical vulnerabilities and intentionally insecure negotiation bullshit has been exorcised from browsers (It has...right?!?) what is the harm in leaving it as an option so it can be selected as backup in event of unforeseen vulnerabilities in either specifications or implementations?
It's not like support for TLS 1.0 is being removed from schannel.
Arguments made about "age" in this context are inherently unfalsifiable and don't speak to technical merit.
"Two decades is a long time for a secu
Re: What's the benefit of disabling it? (Score:1)
Or you can google why tls 1.0 is considered insecure. Lots of info on that.
Re: (Score:2)
Or you can google why tls 1.0 is considered insecure. Lots of info on that.
Good, then you should have no problem naming one.
Quoting TFA "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0"
Apparently Microsoft has also neglected to "Google why TLS 1.0 is insecure" apparently they don't even know.
Re: (Score:2)
Apparently Microsoft has also neglected to "Google why TLS 1.0 is insecure" apparently they don't even know.
Well I guess, ironically, Google also neglected to "Google why TLS 1.0 is insecure" because they are removing it as well.
Damn it (Score:2)
We disabled TLS 1.0 & 1.1 to kill off the people using Exploder and get them to use a decent browser... Please just kill off Internet Explorer already!
What about EAP-TLS? (Score:2)