Microsoft has blinked once again and delayed disabling TLS 1.0 and 1.1 by default in its browsers until the latter part of 2020.
The move is in recognition of the fact that in the light of current events, administrators have their hands a little full dealing with a surge of remote working and a team likely not running at full capacity.
"TLS 1.0 and TLS 1.1 will soon be disabled by default in all supported Microsoft browsers, starting with Microsoft Edge version 84. Learn more on the Microsoft Edge blog: https://t.co/GDvAGofuGK" — Microsoft Edge Dev (@MSEdgeDev) March 31, 2020
Originally slated to happen in the early part of 2020, the switch-off in Edge will come at some point around July, with version 84 of the Chromium-based browser. Internet Explorer 11, which Microsoft fervently wishes users would move on from, and Edge Legacy, the one everybody downloaded Chrome with, will see TLS 1.0 and 1.1 disabled by default from 8 September.
Transport Layer Security (TLS) 1.0 is over 20 years old and is very much a hangover from a simpler time. The cryptographic protocol is aimed at providing secure connections, but has long been the victim of miscreants and ne'er-do-wells. Microsoft, Google, Apple and Mozilla committed to at least disabling support for the technology by default (in favour of later versions) from this March, but events have somewhat overtaken things.
Moz, for example, gave the protocols the boot in favour of TLS 1.2 and 1.3 in February. It has since swiftly back-pedalled and re-enabled the older versions in Firefox 74 and 75 beta "to better enable access to sites sharing critical and important information during this time".
Microsoft has form when it comes to attempting to kill off elderly, insecure protocols. It has famously been trying to persuade its users to, for heaven's sake, stop using SMB1 for years in the face of pesky appliances and ageing products that continue to rely on the technology. A similar issue persists with TLS and that old bit of kit or dusty site that just insists on 1.0.
Microsoft's delay will mean slightly less pressure on web servers to be upgraded to support TLS 1.2 and above (and the vast majority have already been updated) but the respite, however welcome to under-pressure administrators, will be short-lived. ®