Connect with us

Hi, what are you looking for?


Data Protection

Microsoft Enables TLS 1.3 by Default in Windows 10 Insider Preview

Microsoft this week announced that the Transport Layer Security (TLS) 1.3 protocol is now enabled by default in Windows 10 Insider Preview builds, and that it will be rolled out to all Windows 10 systems.

Microsoft this week announced that the Transport Layer Security (TLS) 1.3 protocol is now enabled by default in Windows 10 Insider Preview builds, and that it will be rolled out to all Windows 10 systems.

The latest version of the traffic encryption protocol was approved and published in 2018, providing improved communication security compared to its predecessors, aiming to prevent eavesdropping and tampering even by attackers in control of the network.

With TLS 1.0 and TLS 1.1 considered insecure, exposing communications to a variety of attacks, including BEAST, CRIME and POODLE, tech companies such as Cloudflare, Google, Microsoft, Mozilla, and others have long been pushing for the retirement of older protocols and the broad adoption of TLS 1.3.

“TLS 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible,” Microsoft points out.

The company, which will add TLS 1.3 support to .NET in version 5.0, also urges developers to begin testing their applications and services, to ensure they provide support for the protocol. The cipher suites supported in the Windows TLS stack are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256.

By providing encryption earlier in the handshake, the protocol improves confidentiality and prevents interference. It also encrypts the client certificate, to ensure privacy and eliminate renegotiation for secure client authentication.

TLS 1.3, the tech giant says, is enabled by default in IIS/HTTP.SYS, and Microsoft Edge Legacy and Internet Explorer allow users to enable TLS 1.3 by heading to Internet options > Advanced settings. The Chromium-based Microsoft Edge, on the other hand, does not leverage the Windows TLS stack and it can be configured using the Edge://flags dialog.

“Security support provider interface (SSPI) callers can use TLS 1.3 by passing the new crypto-agile SCH_CREDENTIALS structure when calling AcquireCredentialsHandle, which will enable TLS 1.3 by default. SSPI callers using TLS 1.3 need to make sure their code correctly handles SEC_I_RENEGOTIATE,” Microsoft also notes.

Advertisement. Scroll to continue reading.

Related: Microsoft to Retire TLS 1.0/1.1 in Office 365 Starting October 15

Related: Major Browsers to Kill TLS 1.0, 1.1

Related: IETF Publishes TLS 1.3 as RFC 8446

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...