Slashdot Mirror


Microsoft To Disable TLS 1.0 and TLS 1.1 Support in Edge and Internet Explorer (zdnet.com)

Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."

The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecate both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats.
You can check public stats on the usage of TLS 1.0 and 1.1 here.

30 of 64 comments

  1. 94% by orev · · Score: 1

    94% of billions is not "very few" sites remaining.

    1. Re:94% by DarkRookie2 · · Score: 1

      That's only 6 left.
      6 is a small number
      /marketing drone

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    2. Re:94% by jellomizer · · Score: 1

      That with all the people still using edge.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:94% by sexconker · · Score: 2

      We've still got a bunch of TLS 1.0 stuff because vendors don't update shit, or their update path is strictly "buy the new version" (and even when we buy the new version, we have to schedule the installation/configuration, testing, and transition).

    4. Re:94% by arglebargle_xiv · · Score: 1

      It's also 94% of public Internet web sites. There's about a gazillion non-public devices that have a web interface and that aren't going to be updated to a newer version of TLS, ever. I wonder what deprecating TLS 1.0 and 1.1 will do for those?

  2. Edge YES, IE NO by darkain · · Score: 4, Insightful

    Edge? Awesome. Yes, please do this.
    Internet Explorer!? Oh hell no!!

    Seriously, the only reason why IE is still around is due to supporting legacy systems, such as network-attached hardware (printers, routers, switches, access points, security cameras, and more). Not all of these devices are on the public internet, so security concerns in that regard may not be as high. But their web-based interfaces generally cannot be updated, so are stuck using older protocols. What is the point of even having IE around anymore, if its one and only task (supporting legacy enterprise systems) no longer functions? If that's the case, just remove IE entirely since it'll be made worthless.

    1. Re:Edge YES, IE NO by Curupira · · Score: 1

      EXACTLY.
      Guess I'll have to download Netscape Communicator 4.x to browse those bitrotting sites.

    2. Re:Edge YES, IE NO by darkain · · Score: 1

      I still have one piece of hardware that requires a WinXP VM, running IE6, with Java6... It's hell to administer, but I'm only in that maybe once a year; otherwise it is rock solid hardware.

    3. Re:Edge YES, IE NO by Cmdln+Daco · · Score: 1

      At my last job we had an Unholtz-Dickie shaker table whose controller was hosted on a Windows 2000 machine. The machine was only used to run the shaker table, and not connected to anything at all by network. We also had a newer U-D shaker table. Its controller was a Windows XP machine.

      They both just worked.

      Tektronix used to sell digital oscilloscopes that ran Windows 95. There are probably still plenty of them out there in use.

  3. Problems for legacy OSes by xack · · Score: 2

    Internet Explorer on Windows XP still only supports TLS 1.0, and now that even Firefox has left Windows XP, the remaining 3% of people still using Windows XP are screwed. I expect even Windows 7 will be under fire when more and more TLS versions get disabled. This is all part of Microsoft’s scheme to get people to use Spydows 10.

    1. Re:Problems for legacy OSes by kiviQr · · Score: 1

      If you still use XP you are screwed by definition. What kind of security do you expect from an unsupported system?

    2. Re:Problems for legacy OSes by WaffleMonster · · Score: 1

      Internet Explorer on Windows XP still only supports TLS 1.0

      For what little it's worth, XP supports TLS 1.2 with an update.

    3. Re:Problems for legacy OSes by Bert64 · · Score: 1

      XP also had TLS 1.0 disabled by default, it was stuck with ssl2/ssl3 unless you explicitly enabled TLS.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Problems for legacy OSes by Cmdln+Daco · · Score: 1

      "If you still use XP you haven't given Microsoft their due amount of money in a long time and you should suffer for it"

    5. Re:Problems for legacy OSes by thegarbz · · Score: 1

      This is all part of Microsoft’s scheme to get people to use Spydows 10.

      Or maybe it's just a sensible move from a security point of view. I'm sure that anyone still running Windows XP doesn't give a shit about that though.

  4. That nice and all by Rosco+P.+Coltrane · · Score: 4, Insightful

    But I bet you anything they won't include an option to override the unsafe TLS version warning, and that sucks.

    In some cases, there are good reasons to visit unsafe "sites" with expired certificates, that rely on TLS 1.0, or running older Java apps that use deprecated encryption algorithms. For instance, in my company, we have over 8,000 deployed servers with various versions of Dell DRAC (versions 5, 6 and 7) that are still perfectly serviceable, but that have become a massive pain in the butt to access with modern web browsers and newer JREs: some browsers just won't allow you to "visit the page anyway" (i.e. Firefox) and newer Java versions require a bunch of really annoying privacy configurations and a slew of impossible-to-disable warning popups to let older apps run - despite the damn DRAC apps running quite safely behind our perfectly secure corporate VPN. It's become so annoying we now distribute a dedicated VirtualBox VM with an outdated Linux distro just to be able to access older DRACs quickly.

    In short, I wish developers stopped thinking they know what's good for you 100% of the time, and at least offered a configuration option to allow older, unsafe protocols to be used painlessly - even if the configuration option is difficult to set or hard to find, so long as it exists and it can be set once and for all. But they don't, because they think they know better...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. Article updated to include all major browsers by EvilSS · · Score: 2
    Looks like Chrome, Safari, and Firefox are also planning to depreciate TLS 1.0 and 1.1 in the first half of 2020.

    Article updated two hours after publication to include similar announcements made by Apple and Google. While Mozilla did not issue a blog post about the upcoming deprecation, a Mozilla spokesperson confirmed the company will deprecate TLS 1.0 and TLS 1.1 in 2020. The original version of this article only mentioned Microsoft plan to deprecate TLS 1.0 and TLS 1.1.

    --
    I browse on +1 so AC's need not respond, I won't see it.
    1. Re:Article updated to include all major browsers by EvilSS · · Score: 1

      Deprecate. Thank you.

      Looks like Chrome, Safari, and Firefox are also planning to disparage and belittle TLS 1.0 and 1.1 in the first half of 2020.?

      --
      I browse on +1 so AC's need not respond, I won't see it.
  6. Going to update MS TMG too? by drafalski · · Score: 1

    Per a recent article here, their own enterprise MITM software (TMG) maps intercepted traffic to TLS 1.0 or SSLv3:

    TLS versions and mapping.
    Ten appliances support TLS versions 1.2, 1.1, and 1.0, among which three also support SSL 3.0. [...] Microsoft supports only TLS 1.0 and (more worryingly) SSLv3; as many web servers nowadays do not support these versions (specifically SSLv3), clients behind Microsoft will be unable to visit these websites (Over 25% of web servers do not support TLS 1.1 & TLS 1.2. [12]).

    I guess TMG will recommend Firefox or Chrome.
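    The story's summary quotes per-version connection shares (less than one percent of Edge connections on TLS 1.0 or 1.1), and this comment worries that a proxy may be silently mapping traffic down to TLS 1.0 or SSLv3. Either question is answered the same way: look at the version the server actually negotiated in its ServerHello, not the version the client offered. The following is an added example (not code from the article, Microsoft, or any commenter) that parses captured ServerHello records, including the TLS 1.3 case where the real version is carried in the `supported_versions` extension rather than the legacy version field, and reports the share of legacy connections. All record bytes are constructed in the block itself; the `build_server_hello` helper exists only to produce that sample data.

```python
"""Measure negotiated TLS versions from captured ServerHello records (added example)."""
from collections import Counter
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE = 0x16                 # record content type
SERVER_HELLO = 0x02              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1
LEGACY_MAX = 0x0302              # TLS 1.1 and below are the versions being retired


def parse_server_hello(record: bytes) -> int:
    """Return the protocol version a server negotiated, as a 16-bit code.

    In TLS 1.3 the ServerHello's legacy_version field is pinned to 0x0303 and
    the selected version lives in the supported_versions extension, so a
    version counter that only reads the first two bytes undercounts TLS 1.3.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or len(hello) < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                          # skip legacy_version and server random
    pos += 1 + hello[pos]                 # skip session_id (length-prefixed)
    pos += 2 + 1                          # skip cipher_suite and compression_method
    if pos >= len(hello):
        return version                    # pre-1.3 server with no extensions block
    if pos + 2 > len(hello):
        raise ValueError("truncated extensions length")
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hello))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2 and pos + 2 <= end:
            return struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += ext_len
    return version


def summarize(records):
    """Count negotiated versions and return (Counter by name, legacy share)."""
    versions = [parse_server_hello(r) for r in records]
    counts = Counter(VERSION_NAMES.get(v, "unknown 0x%04x" % v) for v in versions)
    legacy = sum(1 for v in versions if v <= LEGACY_MAX)
    return counts, (legacy / len(versions) if versions else 0.0)


def build_server_hello(version, supported_version=None) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32)      # legacy_version + random
    hello += b"\x00"                                     # empty session_id
    hello += b"\x13\x01" if supported_version is not None else b"\xc0\x2f"
    hello += b"\x00"                                     # compression: null
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(body)) + body


# Constructed sample: seven TLS 1.2, two TLS 1.3 and one TLS 1.0 connection.
SAMPLE_RECORDS = ([build_server_hello(0x0303)] * 7
                  + [build_server_hello(0x0303, 0x0304)] * 2
                  + [build_server_hello(0x0301)])

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_RECORDS)
    for name, n in sorted(counts.items()):
        print(f"{name}: {n}")
    print(f"legacy share: {share:.1%}")
```

    Feeding real captures through `summarize` (one record per connection, taken from the server side of the handshake) gives the same kind of figure Pflug cites, and a high legacy share on a segment sitting behind an interception proxy is exactly the symptom this comment describes.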

    1. Re:Going to update MS TMG too? by gravewax · · Score: 1

      TMG is a long dead product; it was announced as being discontinued 5+ years ago and officially left support 2+ years ago. So I doubt they would care about updating a dead product you should not even be using anymore.

  7. What's the benefit of disabling it? by WaffleMonster · · Score: 1

    If there are no practical vulnerabilities and intentionally insecure negotiation bullshit has been exorcised from browsers (It has...right?!?) what is the harm in leaving it as an option so it can be selected as backup in event of unforeseen vulnerabilities in either specifications or implementations?

    It's not like support for TLS 1.0 is being removed from schannel.

    Arguments made about "age" in this context are inherently unfalsifiable and don't speak to technical merit.

    "Two decades is a long time for a security technology to stand unmodified,"

    Not only is this statement irrelevant it is provably false with numerous extensions and cipher suites making their way into production environments over the years. AES and by extension AES based cipher suites didn't even exist 20 years ago. It was added to TLS after the fact. Implementation of a relatively recent extension brought us "heartbleed".

    Don't allow people to get away with unfalsifiable gibberish. Demand they make the case for change based on technical merit. There may well be a convincing reason to turn off TLS 1.0... state it, make the case for it on the merits.

    1. Re: What's the benefit of disabling it? by Anonymous Coward · · Score: 1

      Or you can google why tls 1.0 is considered insecure. Lots of info on that.

    2. Re: What's the benefit of disabling it? by WaffleMonster · · Score: 1

      Or you can google why tls 1.0 is considered insecure. Lots of info on that.

      Good, then you should have no problem naming one.

      Quoting TFA "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0"

      Apparently Microsoft has also neglected to "Google why TLS 1.0 is insecure"; apparently they don't even know.

    3. Re: What's the benefit of disabling it? by EvilSS · · Score: 1

      Apparently Microsoft has also neglected to "Google why TLS 1.0 is insecure" apparently they don't even know.

      Well I guess, ironically, Google also neglected to "Google why TLS 1.0 is insecure" because they are removing it as well.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  8. Re:Will it require to reboot Windows? by Joe_Dragon · · Score: 1

    Well, seeing how deeply linked IE is to the rest of the system, it's hard to just update that. Also, Mac OS X has the same BIG updates that Windows has.

  9. waterfox is needed for the old java based IPMI and by Joe_Dragon · · Score: 1

    waterfox is needed for the old java based IPMI and also need to set each IP in the java security bypass as well.

  10. Re:Will it require to reboot Windows? by LinuxIsGarbage · · Score: 3, Funny

    "Your mouse has moved. Windows 10 needs to reboot. [OK]"

    I think Windows 10 reboots more frequently than Windows 95.

    Windows 10 doesn't prompt:

    Configuring new mouse position for Windows 10
    55% complete

    Don't turn off or try and use your computer, this will take a while
    Your PC will restart several times

  11. Damn it by megalomaniacs4u · · Score: 1

    We disabled TLS 1.0 & 1.1 to kill off the people using Exploder and get them to use a decent browser... Please just kill off Internet Explorer already!

  12. Re:waterfox is needed for the old java based IPMI by thegarbz · · Score: 1

    I'm not sure what you mean by this? I have an old java based IPMI and other than getting a security warning about unsigned applications I don't have any problem in IE10 with it. Is there something specific yours complains about?

  13. What about EAP-TLS? by sabbede · · Score: 1

    I had a lot of fun the time I killed TLS 1.0 in my AD, only to discover that doing so broke network authentication. So, instead of just disabling it in IE and Edge, how about patching everything so SChannel doesn't need a ton of registry changes to use TLS 1.2?