Microsoft announced this week that the Transport Layer Security (TLS) 1.3 protocol is now enabled by default in the builds of Windows 10 Insider Preview, and will be rolling out to all Windows 10 systems.
The new version of the traffic encryption protocol was approved and released in 2018, offering stronger protection for communications than its predecessors, with the goal of preventing eavesdropping and exploitation even by attackers who control the network.
With TLS 1.0 and TLS 1.1 deemed vulnerable, exposing communications to a number of threats including BEAST, CRIME and POODLE, technology firms such as Cloudflare, Google, Microsoft, Mozilla and others have long called for the removal of the older protocol versions and the widespread deployment of TLS 1.3.
“TLS 1.3 is the latest version of the most widely deployed security protocol on the Internet which encrypts data to provide a safe channel of communication between two endpoints. TLS 1.3 replaces outdated cryptographic algorithms, improves security over older versions and tries to encrypt as much of the handshake as possible,” Microsoft points out.
The company, which will also add TLS 1.3 support to .NET in version 5.0, encourages developers to start checking their applications and services now to ensure protocol compatibility. The Windows TLS stack supports the cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256.
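A compatibility probe of the kind the article asks developers to run, added here as an example and not Microsoft's code: it handshakes with a service using TLS 1.3 as the minimum version, reports the negotiated version and cipher suite, checks the suite against the three the Windows stack supports, and, when the server refuses a TLS 1.3 floor, retries with the default floor to learn what the server does speak. It assumes Python's ssl module on an OpenSSL 1.1.1 or later build; host and port are supplied by the caller.

```python
import socket
import ssl

# The three TLS 1.3 cipher suites the article lists for the Windows TLS stack.
WINDOWS_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
TLS13_FLOOR = ssl.TLSVersion.TLSv1_3


def make_context(tls13_only=True):
    """Certificate-verifying client context, optionally with TLS 1.3 as the minimum version."""
    ctx = ssl.create_default_context()
    if tls13_only:
        ctx.minimum_version = TLS13_FLOOR
    return ctx


def assess(version, cipher):
    """Classify a negotiated (protocol version, cipher suite) pair for the compatibility report."""
    if version != "TLSv1.3":
        return "no TLS 1.3"
    if cipher in WINDOWS_TLS13_SUITES:
        return "TLS 1.3, suite supported by Windows"
    return "TLS 1.3, suite not in the Windows list"


def probe(host, port, tls13_only, timeout=5.0):
    """Complete one handshake and return (protocol version, cipher suite name)."""
    ctx = make_context(tls13_only)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _protocol, _bits = tls.cipher()
            return tls.version(), name


def check_service(host, port=443):
    """Probe with TLS 1.3 required; if the server rejects that, report what it does offer."""
    try:
        version, cipher = probe(host, port, tls13_only=True)
    except ssl.SSLError:
        # Handshake rejected with TLS 1.3 as the floor: retry with the default floor.
        try:
            version, cipher = probe(host, port, tls13_only=False)
        except OSError as exc:  # ssl.SSLError is itself an OSError
            return {"host": host, "status": "handshake failed", "detail": str(exc)}
    return {"host": host, "status": assess(version, cipher), "version": version, "cipher": cipher}
```

Run it as `check_service("your.host.example")`; a result with status "no TLS 1.3" identifies a service that still needs work before a TLS 1.3-only client will talk to it.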
The protocol strengthens confidentiality by starting encryption earlier in the handshake, which also prevents tampering with it. The client certificate is encrypted as well, keeping the client's identity private, and renegotiation is no longer permitted, which makes client authentication more secure.
According to the tech giant, TLS 1.3 is enabled by default in IIS/HTTP.SYS, and Microsoft Edge Legacy and Internet Explorer let users enable TLS 1.3 under Internet Options > Advanced Settings. The Chromium-based Microsoft Edge, on the other hand, does not use the Windows TLS stack; TLS 1.3 is configured there separately, through the edge://flags page.
“Security Support Provider Interface (SSPI) callers can use TLS 1.3 by passing the new SCH_CREDENTIALS crypto-agile structure when calling AcquireCredentialsHandle, which will enable TLS 1.3 by default. SSPI callers using TLS 1.3 must ensure that their code handles SEC_I_RENEGOTIATE correctly,” Microsoft also notes.