Tweaking Internet Explorer to only use TLS 1.2

For security purposes, it's best to stay away from Internet Explorer. But if you do run it, follow these steps to ensure it uses TLS 1.2.

Tweaking Internet Explorer to only use TLS 1.2

I rarely write about Internet Explorer. In part, its because I don't use it, but also it's on the assumption that no one who reads a Defensive Computing blog uses it either. Nonetheless, I included it in this series on limiting web browsers to TLS 1.2 because, frankly, it does such a good job of it.

To recap, there are six versions of the security protocol that underlies secure websites, those transmitted with HTTPS rather than HTTP. The two oldest versions, SSL 2 and SSL 3, have not been considered secure for a very long time and are no longer used by websites or web browsers. The next three versions, known as TLS 1.0 and TLS 1.1 and TLS 1.2, are the topic at hand. There is an even newer version, TLS 1.3, but it is still in draft status and hardly used anywhere.

The majority of web browsers that I have reviewed support TLS 1.0, 1.1 and 1.2 by default. But the two older versions (1.0 and 1.1) are not as secure as version 1.2, so its good Defensive Computing to limit your web browser to just version 1.2. This is one of a series of blogs on doing just that.

Internet Explorer 11 is much easier to tweak than either Firefox (see Restricting Firefox to TLS version 1.2 makes browsing safer and Verifying and testing that Firefox is restricted to TLS 1.2) or Chrome (an upcoming topic). Out of the box, IE 11 conforms to the current standard, which is that it supports TLS 1.0, 1.1 and 1.2. This should be true on any up-to-date copy of Windows 7, 8.1 or 10.

ie.config.tls.ssl Michael Horowitz/IDG

Configuring Internet Explorer v11 to only support TLS 1.2

The nice thing about Internet Explorer is that the configuration options for supported TLS versions are right where they should be. As shown above, they can be found with: Tools -> Internet Options -> Advanced tab. Among the advanced options, they are at the very bottom.

Changing these options is even easier than finding them. There is a simple, obvious, checkbox for each version of SSL and TLS that you would like to include or exclude. Compare this to Firefox, where you had to know the secret handshake to remove support for TLS 1.0 and 1.1.

After limiting IE 11 to just TLS1.2, the Qualys SSL Client Test should confirm that the tweaking actually works.

ie.tls.error Michael Horowitz/IDG

Internet Explorer 11 error message when it can't load a TLS 1.1 page

Live testing for TLS 1.1 support, using the tester page offered by baddssl.com, results in the error shown above. The results should be the same at the TLS 1.0 tester page

Microsoft did a reasonably good job with their error message. For the benefit of search engines, it says

This page can’t be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://tls-v1-1.badssl.com:1011 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Of course, there is that strange fiction that people using Windows have a site administrator.

The gray "Change settings" button is similar to the "Restore default settings" button that Firefox offered. In each case, the browser correctly detects the problem and lets you re-configure it so the problem does not recur. But from a Defensive Computing perspective, it's the website that's the problem, not the browser. Any site that does not support TLS 1.2 is not to be trusted. 

Since this being a Defensive Computing blog, I feel obligated to steer readers away from Internet Explorer. That said, IE users can be safer if they disable ActiveX. So, while tweaking Internet Explorer, consider also clicking on Tools, and then ActiveX filtering. In this case, "filtering" means blocking. Checking this option blocks all ActiveX based software.

Looking ahead, we are spoiled by Firefox and Internet Explorer. Not all browsers let you limit them to TLS 1.2. Safari, I'm looking at you.

FEEDBACK
Get in touch with me privately by email at my full name at Gmail or publicly on twitter at @defensivecomput.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon