Taking Transport Layer Security (TLS) to the next level with TLS 1.3 | Microsoft Security Blog (2024)

Transport Layer Security (TLS) 1.3 is now enabled by default on Windows 10 Insider Preview builds, starting with Build 20170, the first step in a broader rollout to Windows 10 systems. TLS 1.3 is the latest version of the internet's most widely deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 removes obsolete cryptographic algorithms, improves security over older versions, and encrypts as much of the handshake as possible.

Security and performance enhancements in TLS 1.3

TLS 1.3 uses only a handful of cipher suites (Windows supports three of them), all with perfect forward secrecy (PFS), authenticated encryption with associated data (AEAD), and modern algorithms. This addresses a long-standing problem with earlier versions, where the IANA TLS registry defined hundreds of cipher suite code points, many of them with uncertain security properties or broken interoperability.

The new TLS version also improves privacy by keeping the set of cleartext protocol bits on the wire to a minimum, which helps prevent protocol ossification and will make it easier to deploy future TLS versions. In addition, TLS 1.3 supports content length hiding through record padding, so less user information is visible on the network.

In previous TLS versions, client authentication exposed client identity on the network unless it was accomplished via renegotiation, which entailed extra round trips and CPU costs. In TLS 1.3, client authentication is always confidential.

Integrating your application or service with TLS 1.3 protocol

We highly recommend that developers start testing TLS 1.3 in their applications and services. The streamlined list of supported cipher suites reduces complexity and guarantees certain security properties, such as forward secrecy. These are the cipher suites supported by the Windows TLS stack (Note: TLS_CHACHA20_POLY1305_SHA256 is disabled by default):

  1. TLS_AES_128_GCM_SHA256
  2. TLS_AES_256_GCM_SHA384
  3. TLS_CHACHA20_POLY1305_SHA256
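As an added example (not code from the Microsoft post), the following PowerShell lists which TLS 1.3 suites Schannel currently has enabled on a machine, and turns on the ChaCha20-Poly1305 suite that is off by default. It uses the built-in TLS module cmdlets Get-TlsCipherSuite and Enable-TlsCipherSuite (Windows 10 / Server 2016 and later); it assumes that Enable-TlsCipherSuite governs the TLS 1.3 suites the same way it governs TLS 1.2 suites, and that the session is elevated when the enable step runs.

```powershell
# Added example, not from the original post: inspect and adjust the TLS 1.3
# cipher suites Schannel will offer. Requires the TLS module cmdlets that ship
# with Windows 10 / Server 2016 and later; Enable-TlsCipherSuite needs an
# elevated session.

# Get-TlsCipherSuite reports, per suite, the protocol versions it applies to as
# UInt16 values: 0x0303 (771) is TLS 1.2 and 0x0304 (772) is TLS 1.3.
$Tls13 = [uint16]0x0304

function Get-Tls13CipherSuite {
    Get-TlsCipherSuite |
        Where-Object { $_.Protocols -contains $Tls13 } |
        Select-Object Name, Cipher, CipherLength, Hash
}

# On a default install this lists TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256;
# TLS_CHACHA20_POLY1305_SHA256 is absent because it is disabled by default.
Get-Tls13CipherSuite | Format-Table -AutoSize

# Assumption: Enable-TlsCipherSuite applies to TLS 1.3 suites as it does to
# TLS 1.2 suites. -Position 0 places the suite at the head of the priority
# list; omit -Position to append it at the end.
$chacha = 'TLS_CHACHA20_POLY1305_SHA256'
if (-not (Get-Tls13CipherSuite | Where-Object Name -eq $chacha)) {
    Enable-TlsCipherSuite -Name $chacha -Position 0
    # Read the list back so the change is confirmed rather than assumed.
    Get-Tls13CipherSuite | Format-Table -AutoSize
}
```

The cmdlet writes the per-machine cipher suite order; if Group Policy (SSL Cipher Suite Order) is configured, the policy list takes precedence and the change made here will not take effect.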

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middleboxes. TLS 1.3 encrypts the client certificate, so client identity remains private and renegotiation is not required for secure client authentication.

Enabling TLS 1.3

TLS 1.3 is enabled by default in IIS/HTTP.SYS. Microsoft Edge Legacy and Internet Explorer can be configured to enable TLS 1.3 via the Internet options > Advanced settings. (Note: The browser needs to be restarted after TLS 1.3 is enabled.)


The Chromium-based Microsoft Edge does not use the Windows TLS stack and is configured independently using the edge://flags page.

Security Support Provider Interface (SSPI) callers can use TLS 1.3 by passing the new crypto-agile SCH_CREDENTIALS structure when calling AcquireCredentialsHandle, which enables TLS 1.3 by default (the legacy SCHANNEL_CRED structure does not). SSPI callers using TLS 1.3 need to make sure their code correctly handles SEC_I_RENEGOTIATE, since TLS 1.3 post-handshake messages such as session tickets and key updates are surfaced to the caller through that return code.

TLS 1.3 support will also be added to .NET beginning with version 5.0.

For more information about TLS 1.3, refer to the Microsoft TLS 1.3 support reference.
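Enabling TLS 1.3 in a setting is only half the job; the check a practitioner wants is whether a real connection negotiates it. The following PowerShell is an added example (not from the Microsoft post) that opens a TLS connection to a host and reports the negotiated protocol version and cipher suite, which also answers the "How to check if TLS 1.3 is enabled?" question in the FAQ below. It is written for PowerShell 7 (.NET 5 or later, where SslStream exposes NegotiatedCipherSuite and .NET has TLS 1.3 support as the post notes); under Windows PowerShell 5.1 the result depends on the installed .NET Framework version. It assumes outbound TCP/443 to the target host is permitted; the host name used in the usage lines is just an example target.

```powershell
# Added example, not from the original post: confirm end-to-end that TLS 1.3
# is negotiated, rather than trusting a registry or GUI setting.
# Intended for PowerShell 7 (.NET 5+). Assumes outbound TCP/443 is allowed.

function Test-TlsNegotiation {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Keep default certificate validation so the probe reflects what a real
        # client would accept; a broken chain should fail here, not be hidden.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try {
            # SslProtocols.None means "use the operating system defaults", which
            # is where Schannel's Enabled / DisabledByDefault settings apply.
            $ssl.AuthenticateAsClient(
                $HostName,
                $null,                                                   # no client certificate
                [System.Security.Authentication.SslProtocols]::None,
                $true)                                                   # check revocation

            [pscustomobject]@{
                Host        = $HostName
                Protocol    = $ssl.SslProtocol            # e.g. Tls13 or Tls12
                CipherSuite = $ssl.NegotiatedCipherSuite  # e.g. TLS_AES_256_GCM_SHA384 (.NET 5+)
                Cipher      = $ssl.CipherAlgorithm
                Hash        = $ssl.HashAlgorithm
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }
}

# Usage (example target): a server that supports TLS 1.3 should report Protocol = Tls13.
Test-TlsNegotiation -HostName 'www.microsoft.com'

# Fail a deployment check if TLS 1.3 was not negotiated.
$result = Test-TlsNegotiation -HostName 'www.microsoft.com'
if ($result.Protocol -ne 'Tls13') {
    Write-Error "Negotiated $($result.Protocol) with $($result.Host); TLS 1.3 was not used."
}
```

Run the same function against your own IIS/HTTP.SYS endpoint to verify the server side, and against a TLS 1.3-only test server to verify that the client side no longer falls back further than TLS 1.2.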

Sunny Zankharia

Program Manager, Enterprise and OS Security

Andrei Popov

Principal Software Engineer, Enterprise and OS Security


FAQs

Who shall support TLS 1.3 by January 1, 2024? ›

Federal agencies shall support TLS 1.3 by January 1, 2024 (NIST SP 800-52 Rev. 2). After this date, servers shall support TLS 1.3 for both government-only and citizen- or business-facing applications. In general, servers that support TLS 1.3 should be configured to support TLS 1.2 as well.

How to enable TLS 1.3 on Windows? ›

How to enable TLS 1.3 in Windows 10:
  1. Press Win + R, type 'regedit' and press Enter to open the Registry Editor.
  2. Browse to 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client', double-click 'Enabled' and set it to 1.

How do I force TLS 1.3 in edge? ›

Steps to enable TLS 1.3 in the Microsoft Edge browser:

Open Internet Options from the Start menu. Go to the Advanced tab > Security section and enable Use TLS 1.3 (experimental). Click Apply and then OK.

What is TLS 1.3 from Microsoft? ›

TLS 1.3 is designed for better security and faster connections. Microsoft supports it only on Windows versions that ship with it (Windows 11 and Windows Server 2022, plus the Windows 10 Insider Preview builds described above); enabling it on older Windows versions is not a supported or safe configuration.

Should I use TLS 1.3 only? ›

Many of the major vulnerabilities in TLS 1.2 had to do with older cryptographic algorithms that were still supported. TLS 1.3 drops support for these vulnerable cryptographic algorithms, and as a result it is less vulnerable to cyber attacks.

Is TLS 1.3 recommended? ›

While TLS 1.3 is the latest and most secure version of the TLS protocol, it is not always the best choice for every use case. TLS 1.2 remains a reliable and widely used option that offers good compatibility, performance, interoperability, and ease of implementation, which is why current guidance recommends supporting both.

How to check if TLS 1.3 is enabled? ›

Enable TLS 1.3:
  1. Find the following path in the left panel of the Registry Editor: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
  2. Double-click on [Enabled].
  3. In the [Value data] field, change the value to [1] and click [OK].

How to enable TLS 1.3 using PowerShell? ›

Enable TLS 1.3 via the Schannel registry keys

The Schannel protocol settings are not per-application. The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client applies to every Schannel client on the machine (PowerShell, the RDP client, and so on), and the sibling Server key applies to every Schannel server (IIS/HTTP.SYS, RDP, and so on). Under each key, the DWORD values Enabled and DisabledByDefault control whether the protocol is available; PowerShell can set them with New-ItemProperty against the HKLM: drive.
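The following PowerShell is an added example (not from the Microsoft post or the FAQ source) that enables TLS 1.3 for both the Client and Server sides of Schannel using the registry keys named above, reads the values back, and, because it is the same mechanism, can also be used to disable the legacy protocols that the "How do I change the TLS version in Windows?" entry says should be unchecked. It assumes an elevated session, and carries the caveat Microsoft documents: TLS 1.3 is supported from Windows 11 and Windows Server 2022, so on older builds these keys are not a supported configuration.

```powershell
# Added example, not from the original post: set the Schannel protocol keys
# for TLS 1.3 (and, with the same function, legacy protocols) and verify them.
# Run elevated. Caveat: only supported on Windows versions that ship TLS 1.3.

$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,      # e.g. 'TLS 1.3', 'TLS 1.0'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $Protocols $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Schannel semantics: Enabled=0 hard-disables the protocol;
        # DisabledByDefault=1 leaves it available only to callers that request
        # it explicitly. Both values are set so the intent is unambiguous.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocol {
    param([Parameter(Mandatory)] [string] $Name)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $Protocols $Name) $side
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        # An absent value means Schannel applies the OS default for that version.
        [pscustomobject]@{
            Protocol          = $Name
            Side              = $side
            Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { '(absent: OS default)' }
            DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(absent: OS default)' }
        }
    }
}

# Enable TLS 1.3 for clients and servers, and disable the protocols that should
# no longer be selected (SSL 3.0, TLS 1.0, TLS 1.1). TLS 1.2 is left at OS default.
Set-SchannelProtocol -Name 'TLS 1.3' -Enabled $true
foreach ($legacy in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $legacy -Enabled $false
}

# Read everything back; new connections pick up the change, but services that
# already hold Schannel credentials need a restart (or a reboot) to see it.
foreach ($n in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    Get-SchannelProtocol -Name $n
} | Format-Table -AutoSize
```

Note that Chromium-based Edge and .NET 5+ applications that pin their own protocol list are not governed by these keys; the keys only affect callers that defer to the Schannel defaults.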

How do I change the TLS version in Windows? ›

Press Windows key + R to open a Run box, type control and press Enter. Find Internet Properties and open the dialogue. On the Advanced tab, scroll down to the Security section and select TLS 1.2 and TLS 1.3. The other protocols (SSL 3.0, TLS 1.0 and TLS 1.1) should not be selected.

How do I enforce TLS 1.3 in chrome? ›

Enabling TLS 1.3 in Chrome

Type “chrome://flags/” in the address bar, type “TLS” in the search box, set the TLS 1.3 flag to Default or Enabled, and relaunch the browser. Note that current Chrome versions enable TLS 1.3 by default and no longer expose this flag.

Where to change TLS settings in Edge? ›

MS Edge
  • From the Start Menu, open 'Internet Options' > Advanced tab.
  • Scroll down to the Security category, check the option box for Use TLS 1.2 and uncheck the option boxes for Use TLS 1.1 and Use TLS 1.0.
  • Click OK.
  • Close your browser and restart MS Edge.

How do I update TLS in Edge? ›

  1. In the Windows menu search box, type Internet options.
  2. Under Best match, click Internet Options.
  3. In the Internet Properties window, on the Advanced tab, scroll down to the Security section.
  4. Check the Use TLS 1.2 checkbox.
  5. Click OK.
  6. Close your browser and restart Microsoft Edge browser.

Is TLS 1.3 supported in Office 365? ›

Microsoft 365 supports TLS version 1.2 (TLS 1.2), and some of its services also support TLS version 1.3 (TLS 1.3). Be aware that TLS versions get deprecated, and that deprecated versions should not be used where newer versions are available. If your legacy services do not require TLS 1.0 or 1.1, you should disable them.

Is Microsoft disabling TLS? ›

The internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 due to several security issues. Starting with the Windows 11 Insider Preview and Windows Server Insider Preview releases in 2024, they are disabled by default.

What is the transport layer security TLS? ›

Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence.

Is TLS 1.3 supported by all browsers? ›

Not all versions. According to browser compatibility tables, TLS 1.3 is fully supported in Chrome from version 70 onward (no support in versions 4-69), and in Safari from version 14.1 onward, with partial support in Safari 12.1-13 and none before that. Firefox and Chromium-based Edge support it as well.

When was TLS 1.3 approved? ›

Since its initial definition in January 1999, Transport Layer Security has gone through a series of updates. The most recent, TLS 1.3, was released in August 2018.

Where is TLS 1.3 supported? ›

TLS protocol version support

For more information, see TLS 1.0 and TLS 1.1 deprecation in Windows. TLS 1.3 is supported starting in Windows 11 and Windows Server 2022. Enabling TLS 1.3 on earlier versions of Windows is not a safe system configuration.

What is the minimum TLS version to support? ›

This wording comes from Azure Storage: the minimum TLS version setting on a storage account must be 1.2 to proceed with account creation or configuration. More generally, TLS 1.2 is the minimum current guidance permits, with TLS 1.3 preferred where both sides support it.
