Microsoft has set October 15, 2020 as the official retirement date for the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in Office 365, after temporarily halting deprecation enforcement for commercial customers due to COVID-19.
“As companies have pivoted their supply chains and countries have started to re-open we have re-established a retirement date for TLS 1.0 and 1.1 in Office 365 to be October 15, 2020,” the company said in the MC218794 Microsoft 365 admin center announcement on Friday.
“As previously communicated [..], we are moving all of our online services to Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, and to ensure our service is more secure by default.”
The TLS 1.0/1.1 retirement was first announced in December 2017 and, as explained by Microsoft, the effect of this change on end users is expected to be minimal.
TLS 1.0/1.1 retirement guidance
IT administrators can use the official KB4057306 documentation to prepare for TLS 1.2 in Office 365 and Office 365 GCC.
They can also download this Office 365 TLS deprecation report to quickly identify the users and devices that connect to Exchange servers via TLS 1.0/1.1.
At the moment, users of the following clients are advised to update to the latest versions, since these versions are known to be unable to negotiate TLS 1.2:
• Firefox version 5.0 and earlier versions
• Internet Explorer 8-10 on Windows 7 and earlier versions
• Internet Explorer 10 on Windows Phone 8
• Safari 6.0.4/OS X 10.8.4 and earlier versions
Microsoft also provides a whitepaper with guidance on how to identify and remove TLS 1.0 dependencies in software built on top of Microsoft operating systems as a starting point for a migration plan to a TLS 1.2+ environment.
As part of any TLS 1.0/1.1 deprecation plan, Microsoft recommends including the following:
• Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
• Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
• Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
• Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
• Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1.
• Understanding which clients may be broken by disabling TLS 1.0/1.1.
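The scanning step of the plan above can be supported with a small probe like the following, added here as an example that is neither Microsoft's tooling nor code from the article: it pins a client to one protocol version at a time and records which versions an endpoint still accepts. It assumes Python 3.7+ with the standard `ssl` module and an OpenSSL that can still be told to offer TLS 1.0/1.1; where the local library refuses, that version is reported as untested rather than rejected.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are off on purpose: we ask what the server offers,
    # not whether its certificate validates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():  # TLSv1/TLSv1_1 are deprecated in 3.10+
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version in LEGACY:
        # OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def probe(host, port=443, timeout=5.0):
    """Map version name -> True (accepted), False (rejected), None (untestable)."""
    results = {}
    for version in VERSIONS:
        try:
            ctx = pinned_context(version)
        except (ssl.SSLError, ValueError):
            results[version.name] = None  # local OpenSSL cannot offer it
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results

def needs_remediation(results):
    """True when the endpoint still accepts TLS 1.0 or TLS 1.1."""
    return any(results.get(v.name) for v in LEGACY)

if __name__ == "__main__":
    res = probe(sys.argv[1])  # hostname of an endpoint you administer
    print(res, "-> remediation needed" if needs_remediation(res) else "-> TLS 1.2+ only")
```

Run it against each endpoint in your inventory and feed the results into the regression-testing step; an endpoint where any legacy version is accepted is still a blocker for the October 15 cut-over.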
Microsoft has already begun deprecating insecure TLS for any clients, devices, or services connecting to Office 365 DoD or GCC High instances through TLS 1.0 or 1.1, as of January 2020.
The two protocols will also become unsupported for commercial Office 365 customers, with the company recommending “that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services.”
Web browser TLS retirement
In September 2019, Microsoft announced that Windows Server 2019 enables admins to block weak TLS versions from being used with individual certificates via a new “Disable Legacy TLS” feature to make it easier to migrate to TLS 1.2+.
The company also said in March that the TLS 1.0/1.1 retirement in Microsoft browsers would be postponed until July for Chromium-based Edge and September 8 for supported versions of Internet Explorer 11 and Microsoft Edge Legacy.
Although users will still be able to re-enable TLS 1.0/1.1 in their browsers after they are disabled by default, Microsoft advises against it, as newer TLS versions come with more modern cryptography and are more broadly supported by modern web browsers.
With over 97.5% of all sites surveyed by Qualys SSL Labs featuring TLS 1.2 or TLS 1.3 support, the browser vendors’ decision to disable TLS 1.0/1.1 in favor of newer protocols is a rational move, as they can provide a more secure path going forward.
Netcraft also said in March that the insecure TLS 1.0/1.1 protocols are still in use on over 850,000 websites, exposing their visitors to a wide range of cryptographic attacks (1, 2) that could allow threat actors to decrypt their web traffic.