TLS 1.0 and TLS 1.1 (removed)

This removal has been delayed in Stable until Chrome 84. TLS 1.0 and 1.1 were deprecated in Chrome 72 with a planned removal in Chrome 81 (in early 2020). Other browsers are also removing support for TLS 1.0 and 1.1 at this time. Previously, we showed a deprecation warning in DevTools. In M-79, Chrome marked affected sites as "Not Secure". In M-84, Chrome will show a full page interstitial warning on sites that do not support TLS 1.2 or higher.

Motivation

TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.

Documentation

• https://security.googleblog.com/2018/10/modernizing-transport-security.html
• https://blog.chromium.org/2019/10/chrome-ui-for-deprecating-legacy-tls.html

Specification

Working draft or equivalent

Status in Chromium

Blink components: Internals>Network>SSL

Removed (tracking bug) in:

• Chrome for desktop release 84
• Chrome for Android release 84

Consensus & Standardization

• Firefox: Positive
• Edge: Positive
• Safari: Positive
• Web Developers: No signals

Owners

• davidben@chromium.org
• cthomp@chromium.org

Comments

The existing enterprise policy SSLVersionMin can be used to override the security indicator downgrade (Chrome 79+) and interstitial warning (Chrome 84+) until May 2021.

Search tags

Last updated on 2020-10-25