News

Microsoft Updates Its TLS 1.3 Support Plans in Windows, Office 365 and .NET

• By Kurt Mackie
• 08/20/2020

Microsoft has turned on Transport Layer Security (TLS) 1.3 in Windows client operating systems by default in its Windows Insider Program preview releases, the company explained on Thursday.

TLS 1.3 is the latest version of a security protocol that's typically used to secure data communications between endpoints, typically between Web browsers and Web servers via the HTTPS protocol. TLS 1.2 has been available and is considered good to use, but the computer industry, including Microsoft, has been working to deprecate the use of the earlier TLS 1.0 and 1.1 versions to avoid possible attacks associated with those downgraded protocols.

Windows Insider Program testers are getting TLS 1.3 turned on by default starting with build 20170 of Windows 10. TLS 1.3 is expected to provide better protection on the client authentication side by preventing interference and adding encryption to the client certificate, the announcement explained:

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middle boxes. TLS 1.3 encrypts the client certificate, so client identity remains private and renegotiation is not required for secure client authentication.

TLS 1.0 and 1.1 Deprecation in Browsers
Many browser makers have already deprecated the use of TLS 1.0 and 1.1 in their products, and just support TLS 1.3. Microsoft in April had announced plans to end support for those older protocols in its "legacy" Microsoft Edge and Internet Explorer browsers, which was supposed to take effect in the second half of this year. Such milestone goals have tended to slip, though, and they did slip again.

An Aug. 14 updated Microsoft announcement now indicates the deprecation of TLS 1.0 and 1.1 for those browsers will occur in "spring of 2021 at the earliest":

Update as of 8/14/2020: The plan to disable TLS 1.0/1.1 by default is being updated for Internet Explorer and Microsoft Edge Legacy. TLS 1.0 and TLS 1.1 will not be disabled by default for either browser until Spring of 2021 at the earliest. Organizations that wish to disable TLS 1.0 and TLS 1.1 before that time may do so using Group Policy.

In contrast, the Chromium-based Microsoft Edge browser already supports TLS 1.3, according to this January Microsoft developer blog post on the topic. TLS 1.3 is also supported in the Google Chrome and Mozilla Firefox browsers.

TLS 1.0 and 1.1 Deprecation in Office 365
Deprecation of the TLS 1.0 and 1.1 protocols with Office 365 services was supposed to have occurred on Oct. 31. 2018. However, deprecation actually kicked in back in January 2020 for government subscribers, per this Microsoft document.

Deprecation of TLS 1.0 and 1.1 in Office 365 for commercial subscriptions is yet to come. It's expected to begin on Oct. 15, 2020, per the document.

Other TLS Milestones
Windows 10 began supporting TLS 1.3 with version 1903, which was released in May of last year, according to Microsoft's January dev blog.

SQL Server just supports TLS 1.2 right now, but "TLS 1.3 support is in the roadmap," the dev blog explained.

The Microsoft Defender Advanced Threat Protection service deprecated the use of TLS 1.0 and 1.1 back in March.

Microsoft is planning to add TLS 1.3 support to the .NET framework with the arrival of .NET 5.0, which is expected to reach general availability in November of this year. However, developers should "rely on the underlying OS to provide the TLS version" because the OS will default to the strongest available TLS protocol, Microsoft's dev blog explained. It added that "starting with .NET Framework 4.7, the default configuration is to use the OS TLS version."