Windows 10 Insider Preview test builds to have TLS 1.3 enabled by default, as Microsoft begins broad Windows 10 rollout of more secure encryption protocol
Microsoft has said it plans to enable the TLS 1.3 security protocol by default in Windows 10 Insider Preview test builds, beginning with Build 20170, as part of a broader rollout to Windows 10 systems.
The move is a significant step in deploying TLS 1.3, which deprecates TLS 1.2 and includes tighter security features.
TLS, or Transport Layer Security, is the world’s most deployed security protocol, encrypting data to provide secure communications between two endpoints.
Versions of the protocol are used in applications such as web browsing, email, instant messaging and Voice over IP.
TLS 1.3 tightens security by eliminating obsolete cryptographic algorithms, enhancing security when using older versions and encrypting as much as possible of the handshake, the negotiation that sets up a session.
The new protocol uses only three cipher suites, reducing complexity while improving security and interoperability.
It also uses a minimal set of cleartext protocol bits on the wire, which helps facilitate the deployment of future TLS versions and makes less user information visible over the network, Microsoft said.
Previous TLS versions exposed clients’ identity during client authentication unless it was accomplished via renegotiation, but the latest version keeps client authentication confidential.
“The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middle boxes,” said programme manager Sunny Zankharia and principal software engineer Andrei Popov, of Microsoft’s enterprise and OS security group, in a blog post.
“TLS 1.3 encrypts the client certificate, so client identity remains private and renegotiation is not required for secure client authentication.”
They said Microsoft recommends developers to begin testing TLS 1.3 in their applications and services right away.
The Microsoft Edge Legacy and Internet Explorer browsers can be configured to enable TLS 1.3 via the Advanced Settings menu, Microsoft said.
Chromium-based Microsoft Edge does not use the Windows TLS stack and is configured independently using the Edge://flags dialogue.
TLS 1.3 support is to be added to .Net beginning with version 5.0, the company said.
It noted that the three cipher suites supported in the Windows TLS stack are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256.
Microsoft, Google, Apple and Mozilla said in October 2018 they would retire the deprecated TLS 1.0 and TLS 1.1 protocols in the first half of 2020.
However, the transition has been delayed to the second half of the year due to the novel coronavirus pandemic.