TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable
TLS (Transport Layer Security) is the S in HTTPS. There have been four published versions: TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), and TLS 1.3 (2018). The first two are formally deprecated by the IETF. Most modern infrastructure should run TLS 1.3 with TLS 1.2 enabled as a fallback, and disable everything older. This explainer covers what is actually different between versions, why TLS 1.3 is a meaningful step beyond 1.2, and the specific compliance frameworks (PCI, HIPAA) that require disabling legacy versions.
Quick answer
The latest version of TLS is TLS 1.3, published in August 2018 (RFC 8446). The current secure baseline is TLS 1.2 (2008). TLS 1.0 (1999) and TLS 1.1 (2006) are formally deprecated and should be disabled. The recommended configuration is TLS 1.3 with TLS 1.2 enabled as a fallback.
Why TLS 1.0 and 1.1 are deprecated
TLS 1.0 and 1.1 carry well-documented protocol weaknesses: BEAST (a CBC-mode flaw exploited at the protocol level), padding-oracle attacks (POODLE, Lucky 13), and mandatory weak cipher suites tied to deprecated cryptographic primitives like SHA-1 and RC4. RFC 8996 (March 2021) formally deprecates both versions. Browser support was removed by all major vendors between 2020 and 2021. Disable TLS 1.0/1.1 at your TLS terminator (load balancer, CDN, or web server) — there are essentially zero legitimate clients that still need them in 2024+.
TLS 1.2: the modern baseline
TLS 1.2 introduced AEAD (authenticated encryption with associated data) cipher suites — AES-GCM, ChaCha20-Poly1305 — that combine encryption and integrity in one operation, eliminating an entire class of CBC-mode bugs. It also added support for SHA-256 and stronger hash functions. TLS 1.2 with a modern cipher list is still secure today; it's the floor, not the ceiling. Most CDNs and load balancers ship TLS 1.2 enabled by default with sensible cipher suites. The risk is leaving older suites enabled (CBC, RC4, SHA-1) inside an otherwise modern config.
TLS 1.3: faster and smaller attack surface
TLS 1.3 is a substantial cleanup. It removes weak cipher suites by design — only AEAD suites are allowed, no CBC, no static RSA, no SHA-1. The handshake is faster: 1-RTT by default (one round-trip vs. 1.2's two), with optional 0-RTT for repeat connections. Forward secrecy is mandatory (TLS 1.2 made it optional, which led to many sites running without it). And the encrypted handshake hides more metadata from passive observers. TLS 1.3 has been a default in major browsers and CDNs since 2018–2020.
Forward secrecy and why it matters
Forward secrecy (sometimes called perfect forward secrecy, PFS) means each session uses an ephemeral key derived during the handshake. Even if an attacker records all your encrypted traffic and later steals your server's private key, they cannot decrypt the recorded sessions. TLS 1.2 supports it via ECDHE cipher suites; TLS 1.3 mandates it. If your TLS config still allows non-ECDHE cipher suites, recorded traffic from those connections is decryptable in the future given the private key. Disable static-RSA suites and require ECDHE.
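The two checks the last two sections ask for, finding CBC, RC4 and SHA-1 suites left inside an otherwise modern TLS 1.2 cipher list and confirming that every remaining suite uses ECDHE rather than static RSA, can be done mechanically from the suite names. The script below is an added example, not code from the original page: it audits OpenSSL-style suite names (the spelling nginx's `ssl_ciphers` and Python's `set_ciphers` use) and builds a Python `ssl` context with the posture this explainer recommends (TLS 1.0/1.1 refused, TLS 1.2 kept as the fallback with ECDHE plus AEAD suites only, TLS 1.3 negotiated when available). The classification rules and the sample suite names in `__main__` are the author's own assumptions; the rest is the standard-library `ssl` module.

```python
"""Audit TLS cipher suites for the weaknesses this explainer names (no forward
secrecy, CBC mode, RC4, SHA-1) and build an ssl context enforcing the
recommended floor: TLS 1.2 minimum, TLS 1.3 preferred, ECDHE + AEAD only.

Added example, not code from the original page. The classification rules and
the sample names below are assumptions; everything else is the stdlib ssl module."""
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class SuiteReport:
    name: str
    forward_secrecy: bool      # ephemeral (EC)DHE key exchange
    aead: bool                 # GCM, CCM or ChaCha20-Poly1305
    findings: tuple[str, ...]  # empty tuple means the suite is acceptable


def audit_suite(name: str) -> SuiteReport:
    """Classify one suite by its OpenSSL-style name. TLS 1.3 names start with
    "TLS_" and omit the key exchange because the protocol mandates ephemeral DH."""
    upper = name.upper()
    is_tls13 = upper.startswith("TLS_")
    pfs = is_tls13 or upper.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in upper for tag in ("GCM", "CCM", "CHACHA20"))
    # OpenSSL names the MAC last: a bare "SHA" means SHA-1, "MD5" means MD5.
    # "SHA256"/"SHA384" are fine, and TLS 1.3 names contain no "-" at all.
    mac = upper.rsplit("-", 1)[-1]

    findings = []
    if not pfs:
        findings.append("no forward secrecy: static RSA/ECDH key exchange")
    if "RC4" in upper:
        findings.append("RC4 stream cipher")
    elif not aead:
        findings.append("CBC mode (BEAST / Lucky 13 class)")
    if mac in ("SHA", "MD5"):
        findings.append(f"{'SHA-1' if mac == 'SHA' else 'MD5'} MAC")
    return SuiteReport(name, pfs, aead, tuple(findings))


def audit_cipher_names(names) -> dict[str, tuple[str, ...]]:
    """Return only the suites that have findings, keyed by suite name."""
    reports = (audit_suite(n) for n in names)
    return {r.name: r.findings for r in reports if r.findings}


def hardened_context(server_side: bool = True) -> ssl.SSLContext:
    """TLS 1.0/1.1 refused, TLS 1.2 as fallback with ECDHE + AEAD suites only,
    TLS 1.3 negotiated whenever the peer supports it. Certificates are loaded
    separately by the caller."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # disables TLS 1.0 and 1.1
    # Restricts TLS 1.2 suites only; the TLS 1.3 suites are fixed by the
    # protocol (all AEAD, all forward secret), so set_ciphers leaves them alone.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def context_findings(ctx: ssl.SSLContext) -> dict[str, tuple[str, ...]]:
    """Run the audit over the suites the context would actually offer."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed sample of what a legacy ssl_ciphers line might expand to.
    legacy = ["AES128-SHA", "ECDHE-RSA-AES256-SHA384", "RC4-SHA",
              "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]
    for suite, findings in audit_cipher_names(legacy).items():
        print(f"{suite}: {'; '.join(findings)}")
    print("hardened context findings:", context_findings(hardened_context()))
```

Run it against the expanded output of your own terminator's cipher string (`openssl ciphers -v '<your list>'` prints the names in this format) and anything the audit reports is a suite to remove; `context_findings(hardened_context())` coming back empty is the check that the recommended configuration offers nothing the explainer warns about.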
Compliance: who requires what
PCI DSS 4.0 requires TLS 1.2 or higher for any card-data handling. HIPAA's HHS guidance recommends TLS 1.2+ and prohibits SSL/TLS 1.0. NIST SP 800-52r2 mandates TLS 1.2 minimum and recommends TLS 1.3 for federal systems. The FedRAMP baseline requires TLS 1.2. In practice, every modern compliance framework either requires TLS 1.2+ or strongly recommends TLS 1.3. The takeaway: "disable TLS 1.0 and 1.1" is no longer a stretch goal — it's table stakes for any regulated workload.
TLS versions at a glance
| Version | Released | Status | What's notable |
|---|---|---|---|
| TLS 1.0 | 1999 | Deprecated (RFC 8996) | BEAST and weak CBC ciphers. Disable. |
| TLS 1.1 | 2006 | Deprecated (RFC 8996) | No meaningful gain over 1.0. Disable. |
| TLS 1.2 | 2008 | Secure baseline | AEAD ciphers (AES-GCM, ChaCha20). Still widely required. |
| TLS 1.3 | 2018 | Current, recommended | 1-RTT handshake, mandatory forward secrecy, weak ciphers removed. |
Frequently asked questions
- What is the latest version of TLS?
  TLS 1.3 is the latest version, published in August 2018 as RFC 8446. It is the recommended protocol for new deployments, with TLS 1.2 kept enabled as a fallback for older clients.
- When was TLS 1.3 released?
  TLS 1.3 was finalized in August 2018 (RFC 8446). Major browsers and CDNs rolled out support between 2018 and 2020, so it is broadly available today.
- What is the difference between TLS 1.2 and TLS 1.3?
  TLS 1.3 removes legacy cipher suites by design (no CBC, no static RSA, no SHA-1), completes the handshake in a single round trip instead of two, and makes forward secrecy mandatory. TLS 1.2 is still secure with a modern cipher list, but TLS 1.3 is faster and has a smaller attack surface.
- Is TLS 1.2 still secure in 2026?
  Yes. TLS 1.2 with modern AEAD cipher suites (AES-GCM or ChaCha20-Poly1305) and ECDHE for forward secrecy remains secure and is required by PCI DSS, HIPAA guidance, and NIST. It is the floor, not the ceiling: enable TLS 1.3 alongside it.
- Should I disable TLS 1.0 and TLS 1.1?
  Yes. Both were formally deprecated by RFC 8996 in 2021 and removed from all major browsers. They carry protocol-level weaknesses (BEAST, POODLE) and mandatory weak ciphers. Disable them at your TLS terminator and keep only TLS 1.2 and 1.3.