TLS 1.0/1.1 in 2026: Who's Still Serving?

TLS 1.0 and 1.1 are formally deprecated and rejected by every browser. And yet servers still offer them. How many, and why?

TLS 1.0 and 1.1 are dead in browsers and annoyingly alive in infrastructure.

That split is the whole story.

If you look at the web through the browser’s eyes, the migration mostly looks finished. If you look at the server and appliance long tail, it looks like one of those technologies that will continue rattling around the internet years after everyone agreed it should be gone. Deprecation is a policy event. Removal is a cleanup project. Those are not synchronized.

The Browser Story Is Over

RFC 8996 formally deprecated TLS 1.0 and TLS 1.1 in 2021. Browser vendors had already been marching in that direction. Chrome, Firefox, Safari, and Edge all removed meaningful support long ago. A TLS 1.0-only site doesn’t get a nostalgic handshake. It gets an error page.

That part is settled. From the user’s perspective, old TLS is gone.

The Server Story Isn’t

Qualys SSL Pulse — which scans roughly 150,000 popular HTTPS sites — has tracked the decline of TLS 1.0 and 1.1 support over years. The trend is downward, but the tail is long. As recently as mid-2025, a non-trivial percentage of surveyed sites still had TLS 1.0 or 1.1 enabled on the server side, even though no modern browser would negotiate those versions.

The numbers are better for popular sites. The long tail of the internet — the smaller servers, the forgotten infrastructure, the appliances nobody updates — is where old TLS hides.

These servers aren’t serving web pages to browsers anymore. They’re serving APIs to legacy clients, handling machine-to-machine communication with hardcoded protocol versions, or sitting behind load balancers that haven’t been reconfigured since 2018.

Why They Persist

Payment terminals. POS devices and payment processing hardware often have firmware that speaks TLS 1.0 and nothing newer. Updating firmware on thousands of distributed devices is a capital expense that gets deferred year after year. PCI DSS officially required disabling TLS 1.0 by June 2018, but exemptions and slow rollouts mean some stragglers remain.

Embedded and industrial systems. SCADA controllers, medical devices, building management systems — hardware with 10-20 year lifecycles and no OTA update mechanism. The TLS library was baked in at manufacturing time. Replacing the library means replacing the device.

“It works, don’t touch it.” The single most common reason. A server has been running for years. Nobody knows exactly what connects to it. Disabling TLS 1.0 might break an unknown client. The risk of breaking something outweighs the perceived risk of leaving it enabled. So it stays.

Forgotten servers. Virtual machines spun up years ago, still running, still reachable, maintained by nobody. They have old TLS enabled because that was the default when they were configured. Nobody has logged into them since.

Compliance that mandates specific versions. Some regulatory environments specify protocol versions in their requirements. If a 2015 compliance document says “use TLS 1.0 or higher,” lazy interpretation means 1.0 stays enabled alongside newer versions.

The Risk of Leaving It Enabled

TLS 1.0 has known vulnerabilities. BEAST (2011) exploits CBC mode cipher suites in TLS 1.0 to decrypt data. POODLE (2014) was primarily an SSL 3.0 attack, but related weaknesses affect TLS 1.0 implementations. Neither TLS 1.0 nor TLS 1.1 supports modern cipher suites like AES-GCM or ChaCha20-Poly1305, and neither supports forward secrecy reliably.

TLS 1.1 fixed some of BEAST’s issues but still lacks modern cipher support and is missing features that TLS 1.2 and 1.3 provide.

Even if no modern client negotiates these versions, having them enabled on a server increases attack surface. A downgrade attack — where an attacker manipulates the handshake to force a weaker protocol — becomes possible when old versions are available. TLS 1.3 eliminated most downgrade attack vectors, but servers that also offer 1.0/1.1 alongside 1.3 leave a window.

The counterargument is usually: “but our clients all negotiate 1.2 or 1.3 anyway.” True. Until the one time an attacker forces otherwise.

The Gap Between Deprecation and Removal

Browsers moved fast. A few major releases and old TLS was gone from the client side. The decision was centralized — a few browser vendors control the entire ecosystem.

Servers move glacially. There are millions of independent server operators, each making their own configuration decisions (or not making them, which is worse). There’s no central authority that can disable TLS 1.0 across all servers. It happens one configuration file at a time, when someone remembers, if they have access.

This asymmetry — fast client deprecation, slow server removal — means old TLS will be detectable on the internet for years after it stopped being usable by mainstream browsers. The protocol is deprecated. The cleanup will take a decade.

What You Should Do

If your server still offers TLS 1.0 or 1.1, disable it today. Check your config:

For nginx: ssl_protocols TLSv1.2 TLSv1.3;

For Apache: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

No legitimate modern client needs TLS 1.0 or 1.1. If something breaks when you disable it, that something was already a security liability. Finding it now is better than finding it during an incident.
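Before flipping the directive, it helps to know who would break, which is exactly the "nobody knows what connects to it" problem above. The script below is an added example, not code from the post; it assumes nginx has been given a log_format that records $remote_addr, $ssl_protocol, $ssl_cipher and $http_user_agent (that format is an assumption), and the log lines it contains are constructed, not real traffic.

```python
# Inventory which clients still negotiate TLS 1.0/1.1 from nginx access logs (added
# example, not from the post). Assumed log_format: '$remote_addr "$ssl_protocol" "$ssl_cipher" "$http_user_agent"'
import re
from collections import Counter, defaultdict

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
LINE_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<proto>[^"]*)" "(?P<cipher>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic. nginx writes "-" for an empty
# variable, so "-" in the protocol field means the request was not over TLS.
SAMPLE_LOG = """\
192.0.2.10 "TLSv1.3" "TLS_AES_256_GCM_SHA384" "Mozilla/5.0 Firefox/128.0"
192.0.2.10 "TLSv1.2" "ECDHE-RSA-AES128-GCM-SHA256" "curl/8.5.0"
198.51.100.7 "TLSv1" "AES128-SHA" "POSTerminal/2.1"
198.51.100.7 "TLSv1" "AES128-SHA" "POSTerminal/2.1"
203.0.113.42 "TLSv1.1" "ECDHE-RSA-AES256-SHA" "Java/1.7.0_80"
203.0.113.9 "-" "-" "-"
"""

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def inventory(lines):
    """Count requests per protocol; for legacy protocols also per (address, UA)."""
    by_proto = Counter()
    legacy_clients = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than miscount
        proto = "plaintext" if rec["proto"] == "-" else rec["proto"]
        by_proto[proto] += 1
        if proto in LEGACY:
            legacy_clients[proto][(rec["addr"], rec["ua"])] += 1
    return by_proto, legacy_clients

def report(log_text):
    by_proto, legacy = inventory(log_text.splitlines())
    out = [f"{p}: {n}" for p, n in sorted(by_proto.items())]
    for proto, clients in sorted(legacy.items()):
        for (addr, ua), n in clients.most_common():
            out.append(f"  {proto} <- {addr} {ua} x{n}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a week of real logs before changing ssl_protocols; the legacy section is the list of devices and integrations you need to talk to first.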

The standard deprecated it. The browsers rejected it. The only thing keeping TLS 1.0 alive is inertia. And inertia is not a security strategy.
