Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

How to Block TLS 1.0 and TLS 1.1 in Microsoft Edge and Google Chrome

In October 2018, Microsoft announced that it intended to disable Transport Layer Security (TLS) 1.0 and 1.1 in Microsoft Edge and Internet Explorer 11 in the first half of 2020. Along with similar announcements from Apple, Google, and Mozilla, the idea was to provide users with more performant and secure connections.

Microsoft said that most sites wouldn’t be impacted by the change. Legacy Edge and Internet Explorer 11 both support TLS 1.2. And the new Chromium-based Edge additionally supports TLS 1.3. If you head to Qualys SSL Labs site, you’ll see that as of March 2020, 97.1% of sites surveyed support TLS 1.2. It’s best practice to use TLS 1.2 as a minimum, and TLS 1.3 if your webserver supports it.

Image #1 Expand

How to Block TLS 1.0 and TLS 1.1 Protocols in Microsoft Edge and Google Chrome (Image Credit: Russell Smith)

The Internet Engineering Task Force (IETF) says TLS 1.0 and 1.1 shouldn’t be used. TLS 1.2 with SHA-1 as a signature should also not be used. Neither TLS 1.0 or 1.1 let peers select a stronger hash for signatures in the ServerKeyExchange or CertificateVerify messages than SHA-1. So, the only choice is to upgrade to a newer version of the protocol.

Microsoft postpones support for dropping legacy TLS in its browsers

In an announcement at the end of March, Microsoft said that it would delay disabling legacy TLS protocols by default in all its supported browsers. Originally planned for the first half of 2020, Microsoft will now disable legacy TLS in Chromium-based Edge with the release of version 84.

For the new Microsoft Edge (based on Chromium), TLS 1.0 and 1.1 are currently planned to be disabled by default no sooner than Microsoft Edge version 84 (currently planned for July 2020).

Internet Explorer 11 and legacy Microsoft Edge users will potentially retain default TLS 1.0 and 1.1 support for a bit longer:

For all supported versions of Internet Explorer 11 and Microsoft Edge Legacy (EdgeHTML-based), TLS 1.0 and TLS 1.1 will be disabled by default as of September 8, 2020.

Microsoft does however note that TLS 1.0 and 1.1 will remain available to reenable should the need arise. Although it strongly advices against using either legacy protocol.

Identify or blocking sites using TLS 1.0 or TLS 1.1 in Microsoft Edge and Google Chrome

If you decide that you’d like to block legacy TLS protocols sooner, the new Chromium version of Microsoft Edge and Google Chrome let users set flags to enable experimental features or advanced functionality. Both browsers contain a flag to enforce deprecation of TLS 1.0. and 1.1 (legacy-tls-enforced), and a flag to warn users if a site uses legacy TLS (show-legacy-tls-warnings).

To access flags in Microsoft Edge, type edge://flags into the address bar at the top of the browser window and press ENTER. In Google Chrome, type chrome://flags into the address bar and hit ENTER.

Image # Expand

Use the search box to find the flags you want to set. Flags can be set to Default, Enabled, or Disabled.

Image # Expand

Once you’re done, close the flags tab.

Microsoft Edge Group Policy

Microsoft Edge has a Group Policy setting that lets you set the minimum version of TLS supported. By default, it is currently TLS 1.0. Enabling the SSLVersionMin policy and setting the value to tls1.2 blocks use of TLS 1.0 and TLS 1.1. Microsoft Edge version 77 or later is required to use the SSLVersionMin Group Policy setting.

Office 365 legacy TLS support to end in June

Finally, while Microsoft had been pushing to end legacy TLS support in Office 365 on a much tighter schedule than its browsers, it eventually backed off from the original timeline. In Preparing for TLS 1.2 in Office 365 and Office 365 GCC, Microsoft says:

As of June 2020, Office 365 will begin deprecating TLS 1.0 and 1.1 in worldwide environments for commercial customers and in GCC environments for GCC customers. This means that starting in June 2020, any commercial and GCC clients, devices or services that connect to Office 365 by using TLS 1.0 and 1.1 will not succeed.

TLS 1.0 and 1.1 are already unsupported in Office 365, although haven’t been switched off. That will now happen in June 2020. Microsoft says that the following client operating systems and browsers don’t support TLS 1.2 and must be upgraded:

Android 4.3 and earlier versions
Firefox version 5.0 and earlier versions
Internet Explorer 8-10 on Windows 7 and earlier versions
Internet Explorer 10 on Windows Phone 8
Safari 6.0.4/OS X10.8.4 and earlier versions

Check out Microsoft’s blog post for more details on which Office 365 applications and services are affected by legacy TLS protocol deprecation.

by Russell Smith
Apr 13, 2020

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

What is a Roaming User Profile on Windows?

Sep 1, 2023
Oct 24, 2023
How to Add Microsoft Store Apps to Intune

May 5, 2023
Microsoft Releases May 2023 Patch Tuesday Updates for Windows 11 and Windows 10

May 9, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.