Will Chrome fully remove TLS 1.0?

As of Chrome 84, support for TLS 1.0/1.1 has been "removed" although you can still bypass the warning:

Chrome showing obsolete SSL version warning

In the error message it states:

The connection used to load this site used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future. Once disabled, users will be prevented from loading this site. The server should enable TLS 1.2 or later.

Are there any plans for Chrome to fully remove support where you cannot bypass the warning? It says "users will be prevented from loading this site" but I can still load the site if I click the Proceed button.

Searching for sources I did not find anything, everything gave me the Chrome 84/Edge 84 version as TLS being "removed".

1

1 Answer

UPDATE 12/04/2020: The Chrome TLS 1.0 and 1.1 deprecation feature status now reads:

Comments The existing enterprise policy SSLVersionMin can be used to override the security indicator downgrade (Chrome 79+) and interstitial warning (Chrome 84+) until May 2021.

The move to deprecate TLS 1.0 and 1.1 started back in 2018 as stated in this blog post Modernizing Transport Security:

In line with these industry standards, Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72. Sites using these versions will begin to see deprecation warnings in the DevTools console in that release. TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020. Apple, Microsoft, and Mozilla have made similar announcements.

Also in TLS 1.0 and TLS 1.1 (deprecated):

Deprecate TLS 1.0 and 1.1, targeting removal in Chrome 81 (early 2020). During the deprecation period, sites using those protocols will show a warning in DevTools. After the deprecation period, in 2020, they will fail to connect if they have not upgraded to TLS 1.2 by then.

Removal was targeted for version 81 (see here)

Our initial implementation of our removal is with a full page interstitial warning. Our current plan is that the implementation we use will eventually change to a hard net error.

The SSLVersionMin policy will work as it currently does (i.e., if you set SSLVersionMin to 'tls1.2', you will continue to get the hard net error). If you set SSLVersionMin to 'tls1' this will also disable the interstitial warning. This also disables the currently active passive warnings (the "Not Secure" chip that has been in place since January).

With version 84 however, they have not yet announced when the flag will be removed as they continue warning users by showing interstitials:

Due to the risk of breakage we are gradually rolling out the interstitial warning for TLS 1.0/1.1 in M-84.

And:

We are rolling them out using field trials. This will not require further releases or updates to Chrome. Soon roughly all Chrome installs that are updated to version 84 will enforce the removal of support for TLS 1.0/1.1 by showing a full page error interstitial for connection that use legacy TLS versions.

Dec 4 2020 update:

Support for the enterprise bypass of the TLS 1.0/1.1 removal will be removed in May 2021.

You can read the whole thread here.

3

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like