Microsoft reminded users that the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols will be disabled by default in upcoming Windows releases.
The TLS secure communication protocol is crafted to safeguard users against eavesdropping, tampering, and message forgery while exchanging and accessing information over the Internet through client/server applications.
Following extensive discussions and the development of 28 protocol drafts, the Internet Engineering Task Force (IETF) approved in March 2018 the next major version of the TLS protocol, TLS 1.3.
“This change applies only to future new Windows operating systems, both client and server editions. Windows versions that have already been released will not be affected by this change,” Microsoft reminded customers on Friday.
“Windows 11 Insider Preview builds starting in September 2023 will have TLS versions 1.0 and 1.1 disabled by default. There is an option to re-enable TLS 1.0 or TLS 1.1 for users who need to maintain compatibility.”
Microsoft expects the transition to have minimal impact on Windows home users. Enterprise admins, however, are advised to test their environments so they can identify affected applications and then update or replace them.
Applications that encounter issues or fail after the outdated TLS versions are disabled will be flagged by Event ID 36871 in the Windows Event Log.
Although re-enabling the insecure TLS versions through the Windows Registry will remain possible, it should be treated as a last resort, used only until incompatible apps can be updated or replaced.
Microsoft also warned that support for these TLS versions may be removed entirely in the future.
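The testing Microsoft recommends can start with the event it names. The following PowerShell script is an added example, not part of the article or of Microsoft's guidance: a read-only check that pulls Event ID 36871 entries from the System log and summarizes them by day, so an admin can see whether applications are tripping over the disabled protocols. It assumes the event is written by the Schannel provider to the System log (standard Windows behaviour); the -Days and -ComputerName parameters are this script's own choices.

```powershell
<#
Added example (not from the article): count Schannel Event ID 36871 entries
on a machine so TLS 1.0/1.1 compatibility problems surface during testing.
Assumption: Event 36871 is logged by the 'Schannel' provider in the System log.
#>
param(
    [int]$Days = 7,                            # look-back window, chosen here
    [string]$ComputerName = $env:COMPUTERNAME  # local machine by default
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36871
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports "no events found" as an error; suppress it and treat
# the result as an empty set instead of a failure.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No Schannel 36871 events on $ComputerName in the last $Days day(s)."
    return
}

Write-Host "$($events.Count) Schannel 36871 event(s) on $ComputerName in the last $Days day(s):`n"

# Daily counts: a jump right after TLS 1.0/1.1 is disabled points at an
# application that still negotiates an obsolete protocol version.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'Date'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Most recent messages, with whitespace collapsed, for matching timestamps
# against application error logs (the event itself does not name the process).
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Format-List
```

Because Event 36871 does not identify the calling application, the timestamps are the link: compare them with the failure times of suspect apps before deciding whether an update, a replacement, or the temporary registry fallback is warranted.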
Moving away from outdated traffic encryption protocols
This follows a joint statement from Microsoft, Google, Apple, and Mozilla in October 2018, when they announced plans to start phasing out insecure TLS protocols, with the process set to begin during the first half of 2020.
By August 2020, Microsoft had toggled on TLS 1.3 by default in Windows 10 Insider builds.
The NSA also provided guidance in January 2021 on identifying and replacing outdated TLS protocol versions and configurations with modern and secure alternatives.
“Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks,” the NSA said.
“Attackers can exploit outdated transport layer security (TLS) protocol configurations to gain access to sensitive data with very few skills required.”