Microsoft enables Transport Layer Security (TLS) 1.3 by default in the Windows 10 Insider Preview builds, says that it will be enabled for all Windows 10 PC/laptops/servers in future
Byebye Transport Layer Security (TLS) 1.2 and welcome to TLS 1.3. After ruling the encryption arena for nearly 12 years after it was introduced in 2008, the world may finally be saying goodbye to TLS 1.2. Microsoft has announced that the Transport Layer Security (TLS) 1.3 protocol is now enabled by default in Windows 10 Insider Preview builds. The Redmond based company also said that the TLS 1.3 will be rolled out to all Windows 10 systems eventually. And what Microsoft does with Windows operating system becomes the defacto regimen for the industry.
For the uninitiated, the Transport Layer Security (TLS) is a cryptographic protocol that handles all the encryption of websites. TLS 1.2 is used in web browsers, email, instant messaging, and even voice over IP (VoIP). Most websites like ours can use TLS to secure all communications between their servers and web browsers.
Whats Transport Layer Security 1.3
TLS 1.3 protocol was approved and published in 2018. It defers with TLS 1.2 in many ways like support for the old MD5 and SHA-224 cryptographic hash functions have been dropped in the TLS 1.3. It also provides heightened communication security over the Internet compared to TLS 1.2.
Security researchers have over the years discovered many flaws in the TLS 1.2 and earlier versions. Many companies like Cloudflare, Google, Microsoft, Mozilla, etc. are already adopting TLS 1.3.
Major differences between TLS 1.2 vs TLS 1.3
There are many differences between TLS 1.2 and TLS 1.3 and are enumerated below:
- Separating key agreement and authentication algorithms from the cipher suites
- Removing support for weak and less-used named elliptic curves
- Removing support for MD5 and SHA-224 cryptographic hash functions
- Requiring digital signatures even when a previous configuration is used
- Integrating HKDF and the semi-ephemeral DH proposal
- Replacing resumption with PSK and tickets
- Supporting 1-RTT handshakes and initial support for 0-RTT
- Mandating perfect forward secrecy, by means of using ephemeral keys during the (EC)DH key agreement
- Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, non-PFS key exchange (among which are static RSA and static DH key exchanges),
- custom DHE groups, EC point format negotiation, Change Cipher Spec Protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
- Prohibiting SSL or RC4 negotiation for backward compatibility
Integrating the use of session hash
- Deprecating use of the record layer version number and freezing the number for improved backward compatibility
- Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
- Adding the ChaCha20 stream cipher with the Poly1305 message authentication code
- Adding the Ed25519 and Ed448 digital signature algorithms
- Adding the x25519 and x448 key exchange protocols
- Adds support for sending multiple OCSP responses
- Encrypts all handshake messages after the ServerHello
“TLS 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible,” Microsoft states in its announcement.
Microsoft said that it will add TLS 1.3 support to .NET in version 5.0. The cipher suites supported in the Windows TLS stack are
- TLS_AES_256_GCM_SHA384, and
The TLS 1.3 protocol will be enabled by default in Microsoft’s IIS/HTTP.SYS, and Microsoft Edge Legacy. While Microsoft will be retiring Internet Explorer in the near future, it will allow existing users to enable TLS 1.3 by heading to Internet options > Advanced settings.
Chromium-based Microsoft Edge users can configure TLS 1.3 by heading over to the Edge://flags window in the browser.