Office 365: Microsoft finally retires ageing TLS 1.0 and 1.1

Microsoft Office 365 will no longer support legacy HTTPS protocols TLS 1.0 and 1.1 in Office 365 from October 15.

Office 365 gets Reply-All protection to prevent server crashes

Microsoft has set October 15, 2020 as the date it will enforce the deprecation of the legacy Transport Layer Security (TLS) web protocols TLS 1.0 and 1.1 in Office 365. 

While Microsoft said its TLS 1.0 implementation has no known security vulnerabilities, because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is discontinuing support: TLS 1.0 is over 20 years old now.

The new date for Office 365 and the legacy protocols comes after Microsoft and other major browser vendors deferred plans to disable the TLS 1.0 and 1.1 due to the first wave of the COVID-19 coronavirus outbreak in early 2020. 

SEE: Office 365: A guide for tech and business leaders (free PDF) (TechRepublic download)

"We temporarily halted deprecation enforcement of TLS 1.0 and 1.1 for commercial customers due to covid-19, but as supply chains have adjusted and certain countries open back up, we are resetting the TLS enforcement to start Oct 15, 2020," Microsoft says of its TLS 1.0 and 1.0 deprecation plan for Office 365. 

Microsoft and other vendors have urged customers to adopt TLS 1.2 in preparation for future downgrade attacks that exploit backward compatibility for older protocols. But the COVID-19 pandemic of 2020 changed the major browser makers' plans to retire TLS 1.0 and 1.1 in early 2020 under a plan announced in 2018.  

Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari were all set to display errors from March or April on sites that use those versions of the TLS protocol to protect HTTPS connections to websites. 

Mozilla temporarily reenabled support for TLS 1.0 and 1.1 in March after deprecating it to ensure people could still access government websites during lockdowns. 

Then Microsoft in late March deferred disabling the legacy HTTPS protocols until Microsoft Edge 84, which it released last week. Google also deferred the removal of TLS 1.0 and 1.1 until Chrome 84, also released last week.  

With Chrome and Chromium-based Edge now disabling the legacy TLS protocols, Microsoft thinks its time to enforce their deprecation in Office 365. 

SEE: Microsoft 365 Family and Personal subscriptions now available for purchase

Microsoft notes that the effect of the change is expected to be "minimal", given the protocol's deprecation has been known since 2017 and that the Office client can use TLS 1.2. 

"We recommend that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services. You might have to update certain client-server and browser-server combinations," Microsoft says in a document explaining how to prepare for TLS 1.2 in Office 365.