Microsoft announced yesterday that it will delay disabling the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in its web browsers because of the current global situation. Disabling them by default will probably happen in the second half of 2020, most likely by July.
“For the new Microsoft Edge (Chromium-based), TLS 1.0 and 1.1 will not be disabled by default before the release of Microsoft Edge 84 (currently planned for July 2020),” said Kyle Pflug, head of the Microsoft Edge Developer team.
“For all supported versions of Internet Explorer 11 and Microsoft Edge Legacy (based on EdgeHTML), TLS 1.0 and TLS 1.1 will be disabled by default on September 8, 2020.”
Users will be able to re-enable TLS 1.0 and TLS 1.1 even after they are disabled, but Microsoft recommends switching to newer, more secure protocols. The latest versions of TLS use more modern encryption and are widely supported by modern browsers.
"Retirement" plans of the TLS protocols
Earlier this month, Mozilla said that support for the insecure TLS versions would be re-enabled in its latest Firefox release, so that users can access government sites that provide information on COVID-19. These sites have not yet been upgraded to newer versions of TLS.
A few days earlier, Mozilla had removed support for TLS 1.0 and TLS 1.1 in Firefox 74.0, released on March 10th.
The "retirement" of these insecure protocols from the list of supported protocols had already been announced back in October 2018 by all major browser vendors (Microsoft, Google, Apple, Mozilla).
Microsoft had said at the time that these protocols would be disabled at some point during the first half of 2020.
More than 97% of the sites surveyed by Qualys SSL Labs support the more secure TLS 1.2 or TLS 1.3 protocols. Therefore, it is important to implement new, more secure protocols to protect this huge number of sites.
According to usage statistics shared at the time by Microsoft, Google, Apple and Mozilla, the vast majority of users no longer use these protocols.
On the other hand, Netcraft reported in early March that the insecure TLS 1.0 and TLS 1.1 protocols are still used on more than 850,000 sites, exposing users to significant risk.
“The use of TLS 1.0 on e-commerce sites as a measure of user data protection has been banned by the Payment Card Industry Data Security Standard as of June 2018, so many sites have already switched to other protocols,” explained Netcraft.