Slashdot Mirror


Microsoft To Disable TLS 1.0 and TLS 1.1 Support in Edge and Internet Explorer (zdnet.com)

Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."

The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecate both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently-approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats.
You can check public stats on the usage of TLS 1.0 and 1.1 here.
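The deprecation above is about the version a connection actually negotiates, which is what you would want to measure on your own network before the browser defaults change. The following is an added example (not code from Microsoft, ZDNet or Slashdot) that parses a captured TLS ServerHello record and reports the negotiated version, flagging SSL 3.0, TLS 1.0 and TLS 1.1. The caveat it demonstrates: a TLS 1.3 ServerHello carries 0x0303 (TLS 1.2) in its legacy version fields and states the real version only in the supported_versions extension, so a detector that reads just the record or handshake header will misreport TLS 1.3 as TLS 1.2. The sample records are constructed by hand (all-zero random, empty session id, a placeholder key_share entry) rather than captured from a real server.

```python
"""Classify the TLS version negotiated in a ServerHello record.

Added example for the TLS 1.0/1.1 deprecation discussion; not code from
Microsoft, ZDNet or Slashdot.  SAMPLES below are constructed by hand.
"""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Versions the 2020 browser change disables by default.
DEPRECATED = {0x0300, 0x0301, 0x0302}

EXT_KEY_SHARE = 0x0033
EXT_RENEGOTIATION_INFO = 0xFF01
EXT_SUPPORTED_VERSIONS = 0x002B


def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected by a ServerHello.

    Layout: record header (type 0x16, version, length), handshake header
    (type 0x02, 3-byte length), then server_version, 32-byte random,
    session_id, cipher_suite, compression_method and optional extensions.
    For TLS 1.3 server_version is frozen at 0x0303 and the real choice is
    in the supported_versions extension, so that extension takes priority.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    if len(sh) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", sh[0:2])[0]
    pos = 2 + 32                       # skip random
    pos += 1 + sh[pos]                 # skip session_id
    pos += 2 + 1                       # skip cipher_suite, compression_method
    if pos + 2 > len(sh):
        return version                 # no extensions: legacy server
    ext_len = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(sh))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return struct.unpack("!H", sh[pos:pos + 2])[0]
        pos += elen                    # skip any other extension
    return version


def classify(record: bytes):
    """Return (version name, is_deprecated) for a ServerHello record."""
    v = negotiated_version(record)
    return TLS_VERSIONS.get(v, "unknown 0x%04x" % v), v in DEPRECATED


def build_server_hello(server_version, selected_version=None, exts=b""):
    """Constructed ServerHello record for testing, not a real capture."""
    if selected_version is not None:
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body = (struct.pack("!H", server_version) + bytes(32)   # version, random
            + b"\x00"                                       # empty session_id
            + struct.pack("!H", 0x002F) + b"\x00")          # cipher, no compression
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", server_version)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed samples: a bare TLS 1.0 hello, a TLS 1.2 hello carrying
# renegotiation_info, and a TLS 1.3 hello whose legacy fields say 0x0303
# but whose supported_versions extension (after a placeholder key_share
# entry, shape only) says 0x0304.
SAMPLES = {
    "tls10": build_server_hello(0x0301),
    "tls12": build_server_hello(
        0x0303, exts=struct.pack("!HHB", EXT_RENEGOTIATION_INFO, 1, 0)),
    "tls13": build_server_hello(
        0x0303, selected_version=0x0304,
        exts=struct.pack("!HH", EXT_KEY_SHARE, 4) + b"\x00\x1d\x00\x00"),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, classify(rec))
```

Feed real records from a packet capture into classify() to count how many servers on your network still answer with TLS 1.0 or 1.1; the tls13 sample is the one to keep in mind when checking any existing detection rule that keys on the header version bytes.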

64 comments

  1. Breakage by Anonymous Coward · · Score: 0

    In 3.2.

    1. Re:Breakage by Anonymous Coward · · Score: 0

      In 3.2.

      3.2 is also being disabled for the 3 people on earth who ever used it.
      Soon only 3.3 will be left standing.

  2. If it aint broke by Anonymous Coward · · Score: 0

    then get your dirty fucking hands off of it, Microsoft

    1. Re: If it aint broke by Anonymous Coward · · Score: 0

      Actually everyone is doing it.

      Apple, with WebKit & Safari
      Google w/Chrome & Chromium
      Microsoft with Edge
      Mozilla with Firefox

It's a coordinated deprecation across multiple vendors, not a solo Microsoft action.

  3. hairy eyeball has new meanings? by Anonymous Coward · · Score: 0

    some still calling this 'weather'? cease fire stand down.. just don't call it morgellons?

  4. 94% by orev · · Score: 1

    94% of billions is not "very few" sites remaining.

    1. Re:94% by DarkRookie2 · · Score: 1

That's only 6 left.
      6 is a small number
      /marketing drone

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    2. Re: 94% by Anonymous Coward · · Score: 0

Aye, but consider what portion of the remaining 6% are frequented; I have little idea as to what this would be, but it'd be fair to say that it's either 100% or less, then of these still frequented sites how many alternatives are there? Do they host information or functionality that can easily be found elsewhere? >1% of the Edge/Explorer user base is surely less than 6% of billions of sites, mayhap this is the number in which should be considered in the decision as to whether it is a good choice or not.

    3. Re:94% by jellomizer · · Score: 1

      That with all the people still using edge.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:94% by sexconker · · Score: 2

      We've still got a bunch of TLS 1.0 stuff because vendors don't update shit, or their update path is strictly "buy the new version" (and even when we buy the new version, we have to schedule the installation/configuration, testing, and transition).

    5. Re:94% by arglebargle_xiv · · Score: 1

      It's also 94% of public Internet web sites. There's about a gazillion non-public devices that have a web interface and that aren't going to be updated to a newer version of TLS, ever. I wonder what deprecating TLS 1.0 and 1.1 will do for those?

  5. No TLS in FEDERAL PRISON by Anonymous Coward · · Score: 0

    Sorry TRUMP TRAITORS

  6. Will it require to reboot Windows? by Anonymous Coward · · Score: 0

"Your mouse has moved. Windows 10 needs to reboot. [OK]"

    I think Windows 10 reboots more frequently than Windows 95.

    1. Re:Will it require to reboot Windows? by jellomizer · · Score: 0

The problem is Microsoft's antiquated update process.
Most Linux systems, and OS X, will determine the state of your system and give you a comprehensive update patch.
Microsoft's older systems just give you a list of all the incremental updates, which your system installs one by one. Combined with Microsoft's inability/unwillingness to stop and restart services which have been updated, this causes each update to require a reboot.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Will it require to reboot Windows? by Anonymous Coward · · Score: 0

      You mean like the cumulative monthly roll-ups that Microsoft switched to for Windows 7 and Windows 8.1 all the way back in 2016: https://www.pcworld.com/articl...

    3. Re:Will it require to reboot Windows? by Joe_Dragon · · Score: 1

Well, seeing how deeply linked IE is to the rest of the system, it's hard to just update that. Also, Mac OS X has the same BIG updates that Windows has.

    4. Re:Will it require to reboot Windows? by LinuxIsGarbage · · Score: 3, Funny

"Your mouse has moved. Windows 10 needs to reboot. [OK]"

      I think Windows 10 reboots more frequently than Windows 95.

      Windows 10 doesn't prompt:

      Configuring new mouse position for Windows 10
      55% complete

      Don't turn off or try and use your computer, this will take a while
      Your PC will restart several times

  7. Edge YES, IE NO by darkain · · Score: 4, Insightful

    Edge? Awesome. Yes, please do this.
Internet Explorer!? Oh hell no!!

    Seriously, the only reason why IE is still around is due to supporting legacy systems, such as networked attached hardware (printers, routers, switches, access points, security cameras, and more). Not all of these devices are on the public internet, so security concerns in that regard may not be as high. But their web based interfaces generally can not be updated, so are stuck using older protocols. What is the point of even having IE around anymore, if its one and only task (supporting legacy enterprise systems) no longer functions? If that's the case, just remove IE entirely since it'll be made worthless.

    1. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      True dat. But some idiot manager in MS has decided they can force IE users into Edge users, ignoring the fact it is easier to move into competitors who still have somewhat a PC style UI.

    2. Re:Edge YES, IE NO by jellomizer · · Score: 0

I would dismantle IE anyways. If your business decided to buy an enterprise system that required IE, then it should suffer the outage for picking a poorly designed product. I would also put the vendor on task to upgrade. Because if their business was around an IE-only tool, even if it is 20 years old, and you haven't upgraded, you really shouldn't call yourself a tech company.

I am not hating on IE (while I have reasons to do so). But if you have a tool like a web browser whose job is to parse and display an open standard, then you should avoid any "special features" which would deter such a product from its intended use.

It would be like having an ANSI terminal program which supported RIPScript. So you write your application that has a RIPScript border around your screen, with ANSI in the middle. Other than some appearance, you had added no value to your program, but limited its length of use.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

If your business decided to buy an enterprise system that required IE, then it should suffer the outage for picking a poorly designed product.

      You know nothing about these systems yet you still feel compelled to pass judgment.

But if you have a tool like a web browser whose job is to parse and display an open standard, then you should avoid any "special features" which would deter such a product from its intended use.

      LOL decades ago _ALL_ browsers were a fucking disaster. Today people bitching about IE11 and browser specific CSS have no idea the scope of the original problems.

It would be like having an ANSI terminal program which supported RIPScript. So you write your application that has a RIPScript border around your screen, with ANSI in the middle. Other than some appearance, you had added no value to your program, but limited its length of use.

      I prefer NAPLPS. RIP was always shit no matter how well or poorly it was used.

    4. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      Depends if they're also disabling SSL2. I doubt there's much, if any, hardware out there that doesn't support recent TLS and also doesn't support very ancient SSL.

But, MS are damned if they do, damned if they don't. I guarantee Google are doing the same thing in Chrome, and you're not having the big outcry there.

Besides, generally Microsoft uses the term 'deprecated' correctly (i.e., they don't mean "removed", they mean "use is discouraged and/or no longer supported".) In fact, ignoring the ZDNet article and going back to the actual Microsoft source: "Today, we're announcing our intent to disable Transport Layer Security (TLS) 1.0 and 1.1 by default in supported versions of Microsoft Edge and Internet Explorer 11 in the first half of 2020." (emphasis mine).

      BY DEFAULT.

      It sounds like enabling the protocol because you have some ancient printer to configure is only a quick trip to the Internet control panel.

      (Although to be honest, this makes me think for a market for a proxy server that speaks TLS1.3 at one end, and speaks whatever legacy encryption to other devices, with an explicit per-domain-name approval process.)

      I think it's not long before I.E. itself is deprecated. I believe it isn't installed by default on W10 any more.

    5. Re:Edge YES, IE NO by Curupira · · Score: 1

      EXACTLY.
      Guess I'll have to download Netscape Communicator 4.x to browse those bitrotting sites.

    6. Re:Edge YES, IE NO by darkain · · Score: 1

      I still have one piece of hardware that requires a WinXP VM, running IE6, with Java6... Its hell to administer, but I'm only in that maybe once a year, otherwise it is rock solid hardware.

    7. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      It was RIPscrip (no bloody 't').

    8. Re:Edge YES, IE NO by Cmdln+Daco · · Score: 1

At my last job we had an Unholtz-Dickie shaker table whose controller was hosted on a Windows 2000 machine. The machine was only used to run the shaker table, and not connected to anything at all by network. We also had a newer U-D shaker table. Its controller was a Windows XP machine.

      They both just worked.

      Tektronix used to sell digital oscilloscopes that ran Windows 95. There are probably still plenty of them out there in use.

    9. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      >You know nothing about these systems yet you still feel compelled to pass judgment.

      Hahaha yes if you're running an enterprise product that still needs IE4 or 6 or whatever then you have made a decision to accept eventual failure before you fix yourself. I am still passing judgement. Maybe your hands are tied but needing IE6 shows bad IT. I judge. I judge thee and I judge your services.

    10. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      Hahaha yes if you're running an enterprise product that still needs IE4 or 6 or whatever then you have made a decision to accept eventual failure before you fix yourself. I am still passing judgement. Maybe your hands are tied but needing IE6 shows bad IT. I judge. I judge thee and I judge your services.

The criticism of jellomizer's remarks was based on "If your business decided to buy a enterprise system that required IE, then it should suffer the outage for picking a poorly design product. "

      Jello used past tense (decided)
      You use current tense (still needs)

      Jello was referring to design of the enterprise system itself (decided to buy a enterprise system)
      You are referring to IT staff for not making changes now in current tense (needing IE6 shows bad IT)

      Hard to understand how the opinions of someone who has demonstrated such careless disregard for plain meaning of language would ever be taken seriously by anyone.

    11. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

Well, obviously that hardware is not internet connected and neither should the machine that is managing it be, so why does it matter if they deprecate it? You should not be internet connected and you don't need to be updating your machine. If you do, then you should look at upgrading your hardware, as you are exposing your organisation to significant risks.

    12. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      such proxy servers exist, in fact just about every proxy server in existence is capable of it.

    13. Re:Edge YES, IE NO by Anonymous Coward · · Score: 0

      I think it's not long before I.E. itself is deprecated. I believe it isn't installed by default on W10 any more.

      This already happened, IE 11 is the last version of IE and it looks like IE is missing the TLS1.3 boat.
      Still waiting to see what server builds get TLS1.3, hopefully 2012R2 and 2016 ...

  8. Regarding TLS1.3 by Anonymous Coward · · Score: 0

    Will there be a new Library-Version with TLS1.3 included before Windows 7 hits End-Of-Life?

    1. Re:Regarding TLS1.3 by Anonymous Coward · · Score: 0

      Of course not, silly. Perfect milestone for planned obsolescence.

    2. Re:Regarding TLS1.3 by Anonymous Coward · · Score: 0

Of course not. Windows 7 updates will only remove features, as their only function is to force people to install Windows 10. Somehow it is legal for MS to do this, but in the USA the laws are made to protect big corporations.

  9. Breaks Library of Congress sites by Anonymous Coward · · Score: 0

    Just sayin' . . .

    1. Re:Breaks Library of Congress sites by Anonymous Coward · · Score: 0

Actually, some LOC websites work, some don't. Direct LCCN lookup will fail if you use a TLS version higher than TLS 1.0. You can set it in Firefox in about:config. Try direct LCCN access: LCCN 41022039. It only works with TLS 1.0.

  10. Problems for legacy OSes by xack · · Score: 2

Internet Explorer on Windows XP still only supports TLS 1.0, and now that even Firefox has left Windows XP, the remaining 3% of people still using Windows XP are screwed. I expect even Windows 7 will be under fire when more and more TLS versions get disabled. This is all part of Microsoft's scheme to get people to use Spydows 10.

    1. Re:Problems for legacy OSes by Anonymous Coward · · Score: 0

      Lets be serious: windows xp users should be screwed at this point by a billion different security vulnerabilities. Its dead jim.

    2. Re:Problems for legacy OSes by kiviQr · · Score: 1

If you still use XP you are screwed by definition. What kind of security do you expect from an unsupported system?

    3. Re:Problems for legacy OSes by WaffleMonster · · Score: 1

      Internet Explorer on Windows XP still only supports TLS 1.0

For what little it's worth, XP supports TLS 1.2 with an update.

    4. Re:Problems for legacy OSes by Bert64 · · Score: 1

      XP also had TLS 1.0 disabled by default, it was stuck with ssl2/ssl3 unless you explicitly enabled TLS.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Problems for legacy OSes by Cmdln+Daco · · Score: 1

      "If you still use XP you haven't given Microsoft their due amount of money in a long time and you should suffer for it"

    6. Re:Problems for legacy OSes by Anonymous Coward · · Score: 0

      This is all part of Microsoft’s scheme to get people to use Spydows 10.

Complaining that Windows is spyware, yet I bet you still use Google as your search engine and Chrome as your browser of choice.... heard of ad targeting much? How do you think they target those ads?

    7. Re:Problems for legacy OSes by thegarbz · · Score: 1

      This is all part of Microsoft’s scheme to get people to use Spydows 10.

      Or maybe it's just a sensible move from a security point of view. I'm sure that anyone still running Windows XP doesn't give a shit about that though.

  11. That nice and all by Rosco+P.+Coltrane · · Score: 4, Insightful

But I bet you anything they won't include an option to override the unsafe TLS version warnings, and that sucks.

In some cases, there are good reasons to visit unsafe "sites" with expired certificates, that rely on TLS 1.0, or running older Java apps that use deprecated encryption algorithms. For instance, in my company, we have over 8,000 deployed servers with various versions of Dell DRAC (versions 5, 6 and 7) that are still perfectly serviceable, but that have become a massive pain in the butt to access with modern web browsers and newer JREs: some browsers just won't allow you to "visit the page anyway" (i.e. Firefox) and newer Java versions require a bunch of really annoying privacy configurations and a slew of impossible-to-disable warning popups to let older apps run - despite the damn DRAC apps running quite safely behind our perfectly secure corporate VPN. It's become so annoying we now distribute a dedicated Virtualbox VM with an outdated Linux distro just to be able to access older DRACs quickly.

In short, I wish developers stopped thinking they know what's good for you 100% of the time, and at least offered a configuration option to allow older, unsafe protocols to be used painlessly - even if the configuration option is difficult to set or hard to find, so long as it exists and it can be set once and for all. But they don't, because they think they know better...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:That nice and all by Anonymous Coward · · Score: 0

      IE has/had configurable trustzones for this, didn't it?

  12. Article updated to include all major browsers by EvilSS · · Score: 2
    Looks like Chrome, Safari, and Firefox are also planning to depreciate TLS 1.0 and 1.1 in the first half of 2020.

Article updated two hours after publication to include similar announcements made by Apple and Google. While Mozilla did not issue a blog post about the upcoming deprecation, a Mozilla spokesperson confirmed the company will deprecate TLS 1.0 and TLS 1.1 in 2020. The original version of this article only mentioned Microsoft's plan to deprecate TLS 1.0 and TLS 1.1.

    --
    I browse on +1 so AC's need not respond, I won't see it.
    1. Re:Article updated to include all major browsers by Anonymous Coward · · Score: 0

      Deprecate. Thank you.

    2. Re:Article updated to include all major browsers by EvilSS · · Score: 1

      Deprecate. Thank you.

      Looks like Chrome, Safari, and Firefox are also planning to disparage and belittle TLS 1.0 and 1.1 in the first half of 2020.?

      --
      I browse on +1 so AC's need not respond, I won't see it.
  13. Going to update MS TMG too? by drafalski · · Score: 1

    Per a recent article here, their own enterprise MITM software (TMG) maps intercepted traffic to TLS 1.0 or SSLv3:

    TLS versions and mapping.
    Ten appliances support TLS versions 1.2, 1.1, and 1.0, among which three also support SSL 3.0. [...] Microsoft supports only TLS 1.0 and (more worryingly) SSLv3; as many web servers nowadays do not support these versions (specifically SSLv3), clients behind Microsoft will be unable to visit these websites (Over 25% of web servers do not support TLS 1.1 & TLS 1.2. [12]).

    I guess TMG will recommend Firefox or Chrome.

    1. Re: Going to update MS TMG too? by Anonymous Coward · · Score: 0

TMG was discontinued years ago. No idea why that article even includes it.

    2. Re:Going to update MS TMG too? by Anonymous Coward · · Score: 0

      The paper you quoted is mostly trash.
      You only need to read the section "Certificate Parameters Mapping" to understand that they have no clue what they are talking about w.r.t. EV certificates.

    3. Re:Going to update MS TMG too? by gravewax · · Score: 1

TMG is a long dead product; it was announced as being discontinued 5+ years ago and officially left support 2+ years ago. So I doubt they would care about updating a dead product you should not even be using anymore.

  14. What's the benefit of disabling it? by WaffleMonster · · Score: 1

    If there are no practical vulnerabilities and intentionally insecure negotiation bullshit has been exorcised from browsers (It has...right?!?) what is the harm in leaving it as an option so it can be selected as backup in event of unforeseen vulnerabilities in either specifications or implementations?

    It's not like support for TLS 1.0 is being removed from schannel.

    Arguments made about "age" in this context are inherently unfalsifiable and don't speak to technical merit.

    "Two decades is a long time for a security technology to stand unmodified,"

    Not only is this statement irrelevant it is provably false with numerous extensions and cipher suites making their way into production environments over the years. AES and by extension AES based cipher suites didn't even exist 20 years ago. It was added to TLS after the fact. Implementation of a relatively recent extension brought us "heartbleed".

    Don't allow people to get away with unfalsifiable gibberish. Demand they make the case for change based on technical merit. There may well be a convincing reason to turn off TLS 1.0... state it, make the case for it on the merits.

    1. Re: What's the benefit of disabling it? by Anonymous Coward · · Score: 1

      Or you can google why tls 1.0 is considered insecure. Lots of info on that.

    2. Re: What's the benefit of disabling it? by WaffleMonster · · Score: 1

      Or you can google why tls 1.0 is considered insecure. Lots of info on that.

      Good, then you should have no problem naming one.

      Quoting TFA "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0"

      Apparently Microsoft has also neglected to "Google why TLS 1.0 is insecure" apparently they don't even know.

    3. Re: What's the benefit of disabling it? by EvilSS · · Score: 1

      Apparently Microsoft has also neglected to "Google why TLS 1.0 is insecure" apparently they don't even know.

Well I guess, ironically, Google also neglected to "Google why TLS 1.0 is insecure" because they are removing it as well.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  15. Just say NO to TLS 1.3 by Anonymous Coward · · Score: 0

If we're going to go down this mass deprecation route, at least replace it with something that is SECURE, not backdoored.

    Thanks.

  16. waterfox is needed for the old java based IPMI and by Joe_Dragon · · Score: 1

    waterfox is needed for the old java based IPMI and also need to set each IP in the java security bypass as well.

  17. Damn it by megalomaniacs4u · · Score: 1

We disabled TLS 1.0 & 1.1 to kill off the people using Exploder and get them to use a decent browser... Please just kill off Internet Explorer already!

  18. Support it until EOL by Anonymous Coward · · Score: 0

    Should support it until EOL for majority of sites. Older sites that won't use newer 2.0 most likely in poor countries with many still running older OS and out dated browsers. Not like every country is as modern and up to date as US, UK, etc.

  19. Re:waterfox is needed for the old java based IPMI by thegarbz · · Score: 1

    I'm not sure what you mean by this? I have an old java based IPMI and other than getting a security warning about unsigned applications I don't have any problem in IE10 with it. Is there something specific yours complains about?

  20. Defecate by Anonymous Coward · · Score: 0

    They are literally defecating on us all.

    No, thank you.

  21. What about EAP-TLS? by sabbede · · Score: 1

    I had a lot of fun the time I killed TLS 1.0 in my AD, only to discover that doing so broke network authentication. So, instead of just disabling it in IE and Edge, how about patching everything so SChannel doesn't need a ton of registry changes to use TLS 1.2?