
Browser Makers Delay Removal of TLS 1.0 and 1.1 Support

Google, Microsoft and Mozilla are delaying plans to disable support for the Transport Layer Security (TLS) 1.0 and 1.1 protocols in Chrome, Edge, Internet Explorer, and Firefox.

TLS 1.0 is over two decades old, and TLS 1.1 was only meant to address some limitations in the former and prevent specific attacks. Both are known to include weaknesses, some addressed in TLS 1.2, which was released over a decade ago.

In 2018, TLS 1.3 was approved and published as RFC 8446, after four years of work. It is both faster and more secure compared to its predecessors, and many tech companies are advocating for its broad adoption.

In October 2018, major browser makers announced that support for the old and insecure TLS 1.0 and 1.1 protocol versions would be removed in March 2020, but such plans have been postponed due to the current COVID-19 pandemic.

Microsoft now says it is still on track to remove support for TLS 1.0 and 1.1 this year, but that the change will be made months later than initially announced.

“In light of current global circumstances, we will be postponing this planned change—originally scheduled for the first half of 2020,” the tech giant said.

At the moment, the company plans on disabling the older protocol iterations in the new Microsoft Edge (based on Chromium) in version 84, which is currently planned for July 2020.

As for the supported versions of Internet Explorer 11 and Microsoft Edge Legacy (EdgeHTML-based), the current plan involves removing support for TLS 1.0 and TLS 1.1 on September 8, 2020.

Google will remove support for both protocol versions in the stable release of Chrome 83, which is set to arrive in mid-May — the company skipped Chrome 82 entirely due to the coronavirus crisis.

“Previously, we showed a deprecation warning in DevTools. In M-79, Chrome marked affected sites as ‘Not Secure’. In M-83, Chrome will show a full page interstitial warning on sites that do not support TLS 1.2 or higher,” the company says.

Mozilla, which disabled TLS 1.0 and 1.1 in Firefox 74, reverted the change without providing a new timeline for when support for these protocol versions would be removed.

“We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information,” the browser maker noted in updated release notes for Firefox 74.

Although TLS 1.0 and 1.1 remain in use, site admins are advised to transition to TLS 1.2 or TLS 1.3 as soon as possible to ensure there are no disruptions when browsers remove support for the older protocols.

“While these protocols will remain available for customers to re-enable as needed, we recommend that all organizations move off of TLS 1.0 and TLS 1.1 as soon as is practical. Newer versions of the TLS protocol enable more modern cryptography and are broadly supported across modern browsers, such as the new Microsoft Edge,” Microsoft said.
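For admins checking whether a site meets the TLS 1.2 floor described above, the following added example (not from the article or from any browser vendor) reads the protocol version a server selected out of its ServerHello, including the TLS 1.3 case where the real version sits in the `supported_versions` extension. The helper names and the sample records are constructed for illustration.

```python
import struct

EXT_SUPPORTED_VERSIONS = 0x002B   # extension carrying the real version in TLS 1.3


def negotiated_version(record: bytes) -> int:
    """Return the wire version (e.g. 0x0302 = TLS 1.1) a server chose in its ServerHello."""
    content_type, _, rec_len = struct.unpack_from("!BHH", record, 0)
    if content_type != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    pos = 4                       # skip handshake type (1) + length (3)
    (version,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 32                 # legacy_version + random
    pos += 1 + body[pos]          # session_id length byte + session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    if pos + 2 > len(body):       # no extensions block at all
        return version
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            # TLS 1.3 keeps legacy_version at 0x0303 and puts 0x0304 here.
            (version,) = struct.unpack_from("!H", body, pos)
        pos += ext_len
    return version


def accepted_by_browsers(version: int) -> bool:
    """True for TLS 1.2 (0x0303) or higher, the floor named in the article."""
    return version >= 0x0303


def server_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a minimal ServerHello record for the demo (constructed, not captured)."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a server that tops out at TLS 1.1, and one that selects TLS 1.3.
TLS11 = server_hello(0x0302)
TLS13 = server_hello(0x0303, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))
```

The result is only meaningful when the probing ClientHello offered TLS 1.2 and 1.3, since the ServerHello reports the version the server picked from what it was offered.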

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
