TLS 1.0 and 1.1 have been around for quite some time. TLS 1.0 was released in 1999, TLS 1.1 in 2006. They both should not be used anymore!
This article shows general industry guidelines, the usage of the protocol versions, and how different browser vendors handle the deprecation of TLS 1.0 and TLS 1.1. We also help you to remediate a website or application that still uses TLS 1.0 or 1.1.
TLS 1.0 & 1.1 General industry guidelines
The Payment Card Industry Data Security Standard (PCI DSS) prohibits the usage of TLS 1.0 since June 30th, 2018. And the German Federal Office for Information Security, BSI (Bundesamt für Sicherheit in der Informationstechnik), recommends not use TLS 1.1 because of its usage of the SHA-1 hash function, which is not guaranteed to be collision-free.
The successors are easily available. TLS 1.2 was introduced in 2008 and is widely adopted now. TLS 1.3 from the year 2018 is an uprising, and more and more TLS stacks, web servers and load balancers support its usage.
If this does not convince you to stop using the old versions, probably the following might: All major browsers announced to stop the support for TLS 1.0 and 1.1 in the first quarter of 2020.
TLS 1.0 & TLS 1.1 Usage
The estimates of used TLS 1.0 and 1.1 connections are between 0,5% and 1.11% of all connections. Chromium mentioned above, 0,5% of page loads use one of the protocols in October 2019. Firefox saw 1.11% of connections using TLS 1.0 for Firefox Beta 62 in September 2018. For the past month (March/April 2020) and the latest release (beta 75), Firefox still shows 0,43% of connections through TLS 1.0 and 0,2 % through TLS 1.1(Measurement Dashboard).
TLS 1.0 & 1.1 Support of main browsers – and how it changed over time
Google Chrome (and the Chrome-family browsers) already shows a huge notification that your website is insecure if a TLS 1.0 or 1.1 handshake is agreed upon:
All major browsers planned to drop their support for TLS versions 1.0 and 1.1 completely. However, most providers re-enabled the protocols due to the Coronavirus, citing “enabling access to sites sharing critical and important information during this time” (Mozilla).
Below is an overview of the announcements.
|Browser||TLS-related change history|
|Google Chrome||Google announced the future removal of TLS 1.0 and 1.1 in Chrome 72. The article states that the protocols are currently deprecated.
A warning in the browser was implemented with Chrome 79, according to ChromeStatus.
It also announced removing the protocols in Chrome 81 but later added a note that the removal would be delayed to Chrome version 84, planned to ship in July 2020.
View the Removal history on ChromeStatus.
Check out the Google Security Blog article on Transport Security.
|Mozilla Firefox||Mozilla announced on October 15th 2018, to remove TLS 1.0 and TLS 1.1 in March 2020.
On February 6th, they released an announcement on the specific warnings around the protocols.
On March 23rd, they added the note to re-enable the protocols.
|Microsoft Edge and Internet Explorer 11||On October 15th 2018, Microsoft announced removing the old TLS connections in Edge and IE for the first half of 2020.
On March 31st 2020, they added the note to disable the protocols in July 2020 (for the Chromium-based Edge version 84) and September 8th 2020 (for IE 11 and Microsoft Edge Legacy), respectively.
|Safari||Webkit published a guest post from Apple’s Secure Transports team on October 15th of 2018, to completely remove the support beginning March 2020.
So far, Apple has not released a statement to keep the protocol enabled. The release notes for the latest Safari release 13.1 show an added new feature to add a “not secure” warning for sites using TLS 1.1. and 1.0.
Where does this leave the cybersecurity community?
This is a difficult trade-off for browser providers. It seems unsafe that all major browser suppliers deferred to shut down the old protocols’ support amid a time that sees increased cybercrime activity. It would be preferable that essential pages that still use TLS 1.0 and 1.1 perform an upgrade to the newer protocol versions from a security perspective. To put things in perspective, these protocols have been around for more than 20 years. Allowing a few extra months of support with implemented warnings are a calculated risk and worth it for people at home in distress with possible life-threatening problems.
Take remediation action now
As a website or web application vendor, you should ensure that your visitors have a secure way to visit your page. To verify that you have disabled these old TLS versions, check your Crashtest Security Scan result. It shows you the following information if any of those is still enabled:
You do not yet use Crashtest Security?
Then register for our 30 days free trial and conduct a scan of your web application. The SSL/TLS test is included in the Quick Scan functionality. For more protection, run a full scan that tests for vulnerabilities like SQL Injection, Cross-Site-Scripting (XSS) and more!
If you found that your website or web application still supports TLS 1.0 or 1.1, have a look at our wiki page for secure TLS configuration or configuring trusted certificates or the PCI Migration Guidelines for the next steps.