Should I disable TLS 1.0 on my servers?

TLS 1.0 when properly configured has no known security vulnerabilities. Newer protocols are better designed and better address the potential for new vulnerabilities. So that's why

I wouldn't personally recommend disabling TLS 1.0, primarily because IE 7-10 don't support TLS 1.1 out of the box. In January 2020, IE10 has gone EOL, so I expect it's likely now a good idea to disable TLS 1.0 since there's likely little/no traffic from such an old browser. If you look carefully at the support matrix at: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers you'll see that TLS 1.1 is disabled by default on everything but IE 11.

Most people have a significant amount of traffic on these browsers, and your website suddenly not working would pose a significant business impact. Many people here will advocate a single-minded approach of "Security above all else", and tell you to strongly advocate for disabling TLS 1.0. I'm of the belief that security needs to be balanced with business needs, and it's the job of the security professional to understand both the security side and the impact of changes. As of 2020, the general principle here still applies, but the tradeoffs have moved towards disabling TLS1.0 in most circumstances. There may still be some special circumstances of old, embedded devices where you might be able to justify keeping TLS1.0 enabled.

In 2020, there's little reason to keep TLS1.0 around, at least for browsers as the client. You obviously need to test the impact of this on the stock browser config, and understand how much business you may or may not lose from this change.
I also recommend disabling TLS 1.0 if possible and supporting the most modern cryptography and cipher suites your web servers can handle.

  • TLS 1.0 is vulnerable in many implementations to a couple of well-known attacks such as BEAST and POODLE. There are also some crypto issues in TLS 1.0, such as cryptographic initialization vectors (IVs) being predictable in some implementations as well. This is replaced in TLS 1.2 to protect against cipher block chaining (CBC) attacks.

  • Yes, as a best practice you want to support modern cryptography on all sites you publish over HTTPS, even if they aren't handling credit card or other personal information. You also want to disable cryptographic standards that are considered obsolete, deprecated and/or have known attacks against them. Furthermore, some browsers will start to alert if you're using TLS 1.0 (e.g. Chrome and its "obsolete cryptography" warning), so this best practice is being highly encouraged by the browsers, and is prominently viewable by the user.

  • Disabling TLS1.0 may certainly cause issues for some users with outdated browsers. However, they'd have to be significantly out of date, meaning not updated since 2013-2014 depending on the browser. The issue may be the most significant with Internet Explorer, which for a while disabled TLS. A full compatibility chart is available on Wikipedia. Comparing this matrix to your logs for HTTP_USER_AGENT headers should tell you how many visitors you'd expect to potentially have issues.
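The log check suggested in the last bullet, as an added Python example that is not part of either answer: it pulls the user-agent field out of combined-format access-log lines (constructed sample lines are embedded), maps the MSIE/Trident tokens to an IE version, and reports the share of requests from IE versions below 11, the ones the answers above describe as shipping with TLS 1.1 off. The log format, the sample lines and the function names are assumptions; thresholds for other browser families would be taken from the Wikipedia matrix.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
203.0.113.11 - - [01/Feb/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
203.0.113.12 - - [01/Feb/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.13 - - [01/Feb/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"
203.0.113.14 - - [01/Feb/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
203.0.113.15 - - [01/Feb/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.64.0"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')        # user agent is the last quoted field
TRIDENT_RE = re.compile(r'Trident/(\d+)\.')
MSIE_RE = re.compile(r'MSIE (\d+)\.')

def ie_major(ua):
    """IE major version, or None for non-IE clients.

    The Trident token is checked first because it reflects the real engine
    (Trident/4.0 = IE8 ... Trident/7.0 = IE11); an IE11 in Compatibility View
    advertises "MSIE 7.0" and would otherwise be misread as IE7. IE7 itself
    sends no Trident token, so the MSIE token is the fallback.
    """
    m = TRIDENT_RE.search(ua)
    if m:
        return int(m.group(1)) + 4
    m = MSIE_RE.search(ua)
    return int(m.group(1)) if m else None

def lacks_tls11_by_default(ua):
    """True for IE below 11, which per the answers above ships with TLS 1.1 off."""
    v = ie_major(ua)
    return v is not None and v < 11

def summarize(log_text):
    """Count requests that would break if TLS 1.0 were disabled today."""
    at_risk, total, versions = 0, 0, Counter()
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue            # malformed line: no quoted user-agent field
        total += 1
        ua = m.group(1)
        if lacks_tls11_by_default(ua):
            at_risk += 1
            versions["IE%d" % ie_major(ua)] += 1
    pct = 100.0 * at_risk / total if total else 0.0
    return {"total": total, "at_risk": at_risk, "at_risk_pct": pct,
            "at_risk_versions": dict(versions)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over a real access log by passing the file contents to summarize(); the at-risk percentage is the figure to weigh against the business impact the first answer describes.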