TLS
TLS 1.0 and 1.1: turn them off. Here's why and how.
Published 2026-04-18 · Last updated 2026-04-18 · Vantyris editorial
If your web server still accepts TLS 1.0 or 1.1, it's offering connection security from 1999 and 2006 respectively. Every modern browser refuses to use them. Leaving them enabled doesn't help anyone; it just lowers your security grade and gives compliance auditors a reason to fail you. The fix is one line in your host's SSL config.
What this means for your business
- TLS 1.0 (1999) and TLS 1.1 (2006) have known cryptographic weaknesses. Chrome, Firefox, Edge, and Safari all removed support for them in 2020-2021. Any visitor reaching your site through a modern browser is already negotiating TLS 1.2 or 1.3.
- If you leave TLS 1.0/1.1 enabled, the only clients still using them are very old systems (Windows XP IE, Android 4) and security testers running compliance checks. PCI DSS, HIPAA, and most other frameworks explicitly require disabling them.
- TLS 1.3, released in 2018, is the current standard. It's faster (one fewer round trip during the handshake) and removes weak cipher suites that 1.2 still allowed.
How to fix
In your web host's SSL settings, set the minimum TLS version to 1.2. If your host doesn't expose this directly, your CDN (Cloudflare's free tier) does.
- Find the TLS minimum-version setting. Cloudflare: SSL/TLS → Edge Certificates → Minimum TLS Version → set to 1.2. Most hosting panels (cPanel, Plesk, Hostinger) have a similar dropdown labelled 'Minimum TLS Version' or 'SSL/TLS Protocols'.
- Disable 1.0 and 1.1. Uncheck or remove those options. Confirm 1.2 and 1.3 remain enabled.
- Test the change. Use ssllabs.com/ssltest or run a Vantyris scan. You should see TLS 1.2 and 1.3 supported, 1.0 and 1.1 absent.
Owner: Your web host or CDN administrator. · Time: 5 minutes.
Common gotchas
- Don't disable 1.2 'just to be safe' and leave only 1.3. Some legitimate enterprise clients still use 1.2 (older mail servers, some payment integrations). 1.2 is fine; 1.0 and 1.1 are not.
- If your host doesn't let you change this, move the site behind Cloudflare's free tier and set it there. Cloudflare handles TLS termination and gives you the full control panel.
How to verify the fix
ssllabs.com/ssltest will show 'Protocols: TLS 1.2, TLS 1.3' and nothing older. Your overall grade should rise to A or A+.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
- A3. Security update management — software supported, updated, and patched within 14 days for high-/critical-risk vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Will disabling old TLS break customers on old browsers?
Almost certainly not. Chrome, Firefox, Edge, and Safari all dropped TLS 1.0/1.1 by 2021. The only clients affected are Internet Explorer on Windows XP and Android 4 devices, which collectively account for under 0.1% of modern web traffic.
Do I need to enable TLS 1.3 specifically?
Yes, ideally. It's faster than 1.2 and has stronger defaults. Most modern hosts default to 1.3 enabled; if yours doesn't, request it via support.
What's the difference between TLS and SSL?
TLS is the modern protocol; SSL was its predecessor. The terms get used interchangeably (we still say 'SSL certificate'), but the actual protocol negotiated is TLS.
References
- RFC 8446 — TLS 1.3 IETF RFC
- NCSC: TLS guidance NCSC
- Mozilla SSL Configuration Generator Vendor
Related explainers
- HTTPS for small business: how to enable it in 15 minutes.
- HSTS: the security header that locks HTTPS on for good.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0