View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Software
July 20, 2020

Microsoft to Enforce TLS 1.0 Deprecation from October, Lifting COVID-19 Pause

"Highly recommended to conduct an inventory of operating systems"

By CBR Staff Writer

Microsoft has lifted a “pause” on plans to enforce migration to TLS 1.2 and above for Office 365. Businesses now have until October 15, 2020 to ready their (or customers’) IT estates for the shift — or face unexpected failure to receive emails and more.

Redmond’s plans to enforce deprecation of TLS 1.0 and TLS 1.1 were first announced in late 2017 and were due to be enforced from June 2020. The move was then delayed for commercial customers due to the outbreak of the pandemic.

Customers may need to conduct code analysis to find/fix hardcoded instances of TLS 1.0 (or instances of older TLS/SSL versions) and/or network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0 or older protocols.

“As supply chains have adjusted and certain countries open back up, we are resetting the TLS enforcement to start Oct 15, 2020”, Microsoft said in an email to customers, noting that the move “may require updates to certain combinations of client servers and browser servers” to prevent connection issues to its services.

Office 365 TLS 1.0 Deprecation Enforcement

TLS is a security protocol designed to facilitate privacy and data security for communications over the Internet. Microsoft is keen to avoid the potential for “future protocol downgrade attacks and other TLS vulnerabilities” and is discontinuing support for 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC as a result.

A quick way to determine what TLS version will be requested by various clients when connecting to online services is by referring to the Handshake Simulation at Qualys SSL Labs, which covers client OS/browser combinations across manufacturers.

“If not already complete, it is highly recommended to conduct an inventory of operating systems used by your enterprise, customers and partners (the latter two via outreach/communication or at least HTTP User-Agent string collection)”, notes Redmond in a whitepaper on working around the deprecation.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

“This inventory can be further supplemented by traffic analysis at your enterprise network edge.  In such a situation, traffic analysis will yield the TLS versions successfully negotiated by customers/partners connecting to your services, but the traffic itself will remain encrypted.”

Clients known to be unable to support TLS 1.2 include

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Internet Explorer 10 on Windows Phone 8
  • Safari 6.0.4/OS X10.8.4 and earlier versions

Businesses are urged to ensure upgrades to any of the above to ensure they are ready for the shift, or they will encounter connection issues. Full regression testing through your entire application stack with TLS 1.0 disabled would also be wise.

The end of the reprieve on migration is the latest sign that vendors see things returning to normal. Businesses that have welcomed new flexibility on licensing and more from their providers may also want to start reviewing next steps.

See also: Software isn’t Static – Preparing for Audits after COVID-19

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.