TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable
TLS (Transport Layer Security) is the protocol that puts the S in HTTPS. There have been four published versions: TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), and TLS 1.3 (2018). The first two are formally deprecated by the IETF. Most modern infrastructure should run TLS 1.3 with TLS 1.2 enabled as a fallback, and disable everything older. This explainer covers what actually differs between versions, why TLS 1.3 is a meaningful step beyond 1.2, and the specific compliance frameworks (PCI, HIPAA) that require disabling legacy versions.
Why TLS 1.0 and 1.1 are deprecated
TLS 1.0 and 1.1 carry well-documented protocol weaknesses: BEAST (a CBC-mode flaw in the protocol itself, not merely in one implementation), padding-oracle attacks (POODLE, Lucky 13), and mandatory weak cipher suites tied to deprecated cryptographic primitives such as SHA-1 and RC4. RFC 8996 (March 2021) formally deprecates both versions. All major browser vendors removed support between 2020 and 2021. Disable TLS 1.0/1.1 at your TLS terminator (load balancer, CDN, or web server); essentially no legitimate client still needs them in 2024 and beyond.
TLS 1.2: the modern baseline
TLS 1.2 introduced AEAD (authenticated encryption with associated data) cipher suites — AES-GCM, ChaCha20-Poly1305 — that combine encryption and integrity in one operation, eliminating an entire class of CBC-mode bugs. It also added support for SHA-256 and stronger hash functions. TLS 1.2 with a modern cipher list is still secure today; it's the floor, not the ceiling. Most CDNs and load balancers ship TLS 1.2 enabled by default with sensible cipher suites. The risk is leaving older suites enabled (CBC, RC4, SHA-1) inside an otherwise modern config.
TLS 1.3: faster and smaller attack surface
TLS 1.3 is a substantial cleanup. It removes weak cipher suites by design — only AEAD suites are allowed, no CBC, no static RSA, no SHA-1. The handshake is faster: 1-RTT by default (one round-trip vs. 1.2's two), with optional 0-RTT for repeat connections. Forward secrecy is mandatory (TLS 1.2 made it optional, which led to many sites running without it). And the encrypted handshake hides more metadata from passive observers. TLS 1.3 has been a default in major browsers and CDNs since 2018–2020.
Forward secrecy and why it matters
Forward secrecy (sometimes called perfect forward secrecy, PFS) means each session uses an ephemeral key derived during the handshake. Even if an attacker records all your encrypted traffic and later steals your server's private key, they cannot decrypt the recorded sessions. TLS 1.2 supports it via ECDHE cipher suites; TLS 1.3 mandates it. If your TLS config still allows non-ECDHE cipher suites, recorded traffic from those connections is decryptable in the future given the private key. Disable static-RSA suites and require ECDHE.
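As an added example (not code from this explainer or from Scorifya's scanner), the Python standard library's ssl module can express the TLS 1.2/1.3 baseline described in the last three sections and audit the cipher suites a context would offer for the properties the text names: forward secrecy, AEAD, and no MD5/SHA-1 MAC. The records in SAMPLE_SUITES are constructed in the shape ssl.SSLContext.get_ciphers() returns, and hardened_server_context, audit_suite and audit_context are this example's own names.

```python
import ssl

# Key exchanges reported by SSLContext.get_ciphers() that give forward secrecy:
# ephemeral (EC)DH in TLS 1.2, and "kx-any" for the always-ephemeral TLS 1.3 suites.
FORWARD_SECRET_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}
LEGACY_DIGESTS = {"md5", "sha1"}

def audit_suite(suite):
    """Problems with one suite record (dict in the shape get_ciphers() returns);
    an empty list means AEAD, forward-secret and no MD5/SHA-1 MAC."""
    problems = []
    if suite.get("kea") not in FORWARD_SECRET_KEX:
        problems.append("no forward secrecy (static key exchange)")
    if not suite.get("aead"):
        problems.append("not AEAD (CBC or RC4 with a separate MAC)")
    if (suite.get("digest") or "").lower() in LEGACY_DIGESTS:
        problems.append("MD5/SHA-1 MAC")
    return problems

def audit_context(ctx):
    """Findings for a configured context: a version finding if anything below
    TLS 1.2 is still accepted, then one entry per failing cipher suite."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("minimum_version", ["TLS 1.0/1.1 still enabled"]))
    for suite in ctx.get_ciphers():
        problems = audit_suite(suite)
        if problems:
            findings.append((suite["name"], problems))
    return findings

def hardened_server_context():
    """Server context matching the guidance: TLS 1.2 floor, ECDHE-only AEAD
    suites for TLS 1.2 (TLS 1.3 suites are AEAD and ephemeral by design)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

# Constructed records in the get_ciphers() shape (not captured from a real host).
SAMPLE_SUITES = [
    {"name": "TLS_AES_128_GCM_SHA256", "kea": "kx-any", "aead": True, "digest": None},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "aead": True, "digest": None},
    {"name": "ECDHE-RSA-AES256-SHA", "kea": "kx-ecdhe", "aead": False, "digest": "sha1"},
    {"name": "AES256-SHA", "kea": "kx-rsa", "aead": False, "digest": "sha1"},
]

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(s["name"], audit_suite(s) or "OK")
    print(audit_context(hardened_server_context()) or "hardened context: clean")
```

On a current OpenSSL build, audit_context(hardened_server_context()) returns an empty list; point audit_context at your own server-side SSLContext to see which offered suites would be flagged.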
Compliance: who requires what
PCI DSS 4.0 requires TLS 1.2 or higher for any card-data handling. HIPAA's HHS guidance recommends TLS 1.2+ and prohibits SSL/TLS 1.0. NIST SP 800-52r2 mandates TLS 1.2 minimum and recommends TLS 1.3 for federal systems. The FedRAMP baseline requires TLS 1.2. In practice, every modern compliance framework either requires TLS 1.2+ or strongly recommends TLS 1.3. The takeaway: "disable TLS 1.0 and 1.1" is no longer a stretch goal — it's table stakes for any regulated workload.
See how your site scores
Run a free Scorifya scan on any URL you're allowed to test. The score breaks down across TLS, security headers, exposure, cookies, and DNS — exactly the areas this explainer covers.