Virtualization Technology News and Information
Browsers That Have Deprecated Protocols TLS1.1 & TLS1.0


Google, Apple, Microsoft, and Mozilla announced in 2018 that their browsers would no longer support the TLS 1.0 and TLS 1.1 protocols from 2020. In early 2020, these companies started the process of disabling support for TLS 1.0 and TLS 1.1 in their browsers in a bid to make the internet more secure. The main reason: serious vulnerabilities and security risks had been identified in the TLS 1.0 and TLS 1.1 protocols.

In this article, we will explore what these security risks are and what organizations can do to prevent them.

What Are the TLS 1.0 and TLS 1.1 Protocols?

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are security protocols that have for decades provided the encryption and security that make modern internet commerce a reality. TLS is the more secure, updated version of SSL that came into being in 1999. When a website or web application is protected by the TLS protocol, visible signs such as https and/or a padlock appear in the address bar. This indicates to the user that the connection is secure.

Four versions of the TLS protocol are currently in use: TLS 1.0, TLS 1.1, TLS 1.2 and the recently released fourth version, TLS 1.3. TLS 1.0 is the oldest version of the protocol and was introduced in 1999. TLS 1.1 was introduced in 2006. Both these versions were found to have some gaping security holes. That is why TLS 1.2 was introduced in 2008.

Why Are Browsers Disabling TLS 1.0 and TLS 1.1?

As discussed in the previous section, TLS 1.0 was the first TLS protocol to be released. It has been over 20 years since its release and that's an eternity in the IT and IT security landscape where much has changed. TLS 1.0 is outdated and vulnerable. TLS 1.1, despite being an upgraded version, had only minor improvements. These updates addressed weaknesses in the areas of padding error processing and selection of initialization vectors.

TLS 1.0 and TLS 1.1 rely on the cryptographic hash functions SHA-1 and MD5. Both these hash functions are broken and contain known vulnerabilities that can easily be exploited. When the integrity of the communication and the authentication of the TLS handshake depend on these broken hash functions, attackers could easily perform downgrade attacks and impersonation attacks.

Both these protocols support weak cryptography that is incapable of providing sufficient protection to modern-day connections. TLS 1.0 and TLS 1.1 do not allow the selection of stronger hash functions. They require the implementation of older, outdated cipher suites that further increase the attack surface and make the application vulnerable to misconfigurations.

Given how old these protocols are, attackers have found ways to exploit the prevalent vulnerabilities in TLS 1.0 and TLS 1.1 including BEAST, POODLE, LUCKY 13, SWEET 32, Heartbleed and CRIME, among others. These vulnerabilities were exploited for several notable attacks and data breaches over the years. They enable attackers to decrypt HTTPS and access users' plaintext web traffic.

Implications of Using the Deprecated TLS Protocols

TLS 1.2 and TLS 1.3 are both considered superior and more secure protocols that support strong cryptography. Despite the availability of stronger versions, a sizable proportion of websites and web applications continue to support the outdated protocols. Given the scenario, the removal of client-side support for such protocols is an effective way to ensure users are not affected.

PCI-DSS was the first to disable TLS 1.0 in 2018 and this spurred browsers into taking action. Websites need to disable TLS 1.0 to remain PCI compliant. Non-compliance attracts monthly fines to the tune of USD 100,000.

As a first step in disabling TLS 1.0 and TLS 1.1, browsers showed a 'NOT SECURE' warning in the address bar, with the lock symbol also indicating that the connection is not secure. Continued use of the deprecated TLS protocols will lead to full-page warnings when users try to connect to such websites. The organization's reputation takes a big hit and user trust and confidence are affected.

Data suggests that over 850,000 websites use HTTPS but with the burden of TLS 1.0 and TLS 1.1 security risks. All these websites (which include banks, financial institutions, e-commerce companies, media, government agencies and so on) will be affected.

Measures that Organizations Must Take

In the wake of major browsers deprecating TLS 1.0 and TLS 1.1, organizations must:

  • Enable secure TLS 1.2 and TLS 1.3 protocols.
  • Scan to identify the outdated protocols and disable them.
  • Disable SHA-1 and MD5 hash functions.
  • Use SHA-2 and secure, recommended cipher suites.
  • Thoroughly test the newly upgraded protocols to prevent misconfigurations.
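
One way to carry out the "scan and disable" step on the server side is to audit web server configuration for protocol directives that still enable the deprecated versions. The following is an added example, not part of the original article: it checks nginx `ssl_protocols` and Apache `SSLProtocol` lines, uses a simplified model of Apache's `+`/`-`/`all` handling, and the sample configurations are constructed for illustration.

```python
import re

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Simplified expansion of Apache's "all" keyword (assumption for this example).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)

def enabled_protocols(directive, tokens):
    """Return the set of protocol versions one directive line enables."""
    if directive.lower() == "ssl_protocols":      # nginx: plain allow-list
        return set(tokens)
    enabled = set()                               # Apache: processed left to right
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:                                     # bare token replaces the set
            enabled = set(members)
    return enabled

def audit(config_text):
    """Return [(line_number, [deprecated protocols enabled])] for a config."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)                 # commented-out lines do not match
        if m:
            bad = enabled_protocols(m.group(1), m.group(2).split()) & DEPRECATED
            if bad:
                findings.append((lineno, sorted(bad)))
    return findings

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_NGINX = """server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
SAMPLE_APACHE = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for name, text in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        print(name, audit(text))
```

A configuration audit only shows what the files request; confirming the result with a handshake test against the running service covers the final "thoroughly test" step.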

The Way Forward

Upgrading the TLS protocol is time-consuming and arduous. Several applications, software and components still use older protocols. This makes it challenging for websites to replace these outdated parts without causing service disruptions. However, disabling TLS 1.0 and TLS 1.1 is critical from a data security, cost, and business continuity perspective.  

Enhance your TLS protocol with Entrust from Indusface to enable more modern and secure cryptography solutions supported across modern browsers.


Published Friday, November 19, 2021 7:40 AM by David Marshall