Microsoft has announced that it will be dropping support for TLS 1.0 and 1.1 on its upcoming operating systems, including future Windows 11 builds and Windows 12. The company said that these protocols are outdated and not secure, and that it will only support TLS 1.2 and above on its new platforms.
TLS, or Transport Layer Security, is a cryptographic protocol that enables secure communication over the internet. It is used to encrypt data and authenticate the parties involved in a connection. However, TLS 1.0 and 1.1, which were released in 1999 and 2006 respectively, have been found to have several vulnerabilities and weaknesses that can be exploited by attackers.
Microsoft said that it has been working with the industry to phase out these protocols for several years, and that most of its services and products already require TLS 1.2 or higher.
The company also said that it will continue to support TLS 1.0 and 1.1 on its existing operating systems, such as Windows 10 and Windows Server, until their end of support dates. Jessica Krynitsky, a Program Manager at Microsoft, explains the company's reasoning:
“Over the past several years, internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1, due to a variety of security issues. We have been tracking TLS protocol usage for several years and believe TLS 1.0 and TLS 1.1 usage data are low enough to act. To increase the security posture of Windows customers and encourage modern protocol adoption, TLS versions 1.0 and 1.1 will soon be disabled by default in the operating system, starting with Windows 11 Insider Preview builds in September 2023 and future Windows OS releases.”
Improving Security Across Future Windows Platforms
However, for its next-generation operating system Windows 12 and future builds of Windows 11, Microsoft said that it will not include TLS 1.0 and 1.1 at all. The company has previously removed support on its Edge browser. This means that any applications or websites that rely on these protocols will not work on these platforms unless they upgrade to TLS 1.2 or higher.
Microsoft said that this decision is part of its commitment to provide the best security and performance for its customers, and that it encourages developers and users to adopt the latest standards and technologies. The company also said that it will provide guidance and tools to help with the transition to TLS 1.2 or higher.
Microsoft's announcement follows similar moves by other major tech companies, such as Google, Apple, Mozilla, and Facebook, which have already stopped supporting TLS 1.0 and 1.1 on their browsers and platforms. According to SSL Labs, a website that tests the security of web servers, only about 2% of the top one million websites still use TLS 1.0 or 1.1 as of July 2023.