SOLVED

TLS 1.3

danmurphy
Occasional Contributor

TLS 1.3 is a very needed feature for those in corporate environments for our public facing websites. The speed advantages are immense in larger sites with no caching

27 Replies

https://www.ssllabs.com/ssltest/viewMyClient.html

 

It looks like TLS 1.3 is supported on my configuration using Edge Canary and Dev with Windows 10 1809.  Are you seeing otherwise?

Solution

@danmurphy As with Chrome, TLS/1.3 is supported in all versions of Chromium-based Edge (and will be supported on all platforms).

 

Sorry I wasn't able to get to this yesterday, @danmurphy. As @joel0m and @ericlaw have discovered, all preview channels of Edge already support TLS1.3. Are you seeing sites that should be using TLS1.3 and are not with the Edge browser? If so, please let me know so that we can investigate.
Elliot

@Elliot Kirk, @joel0m and @ericlaw

 

Thanks for your replies. I checked some sites last night which didn't work. Reinstalled tonight and it is now working the same as my Chrome. SSL Labs site reports TLS 1.2 in use with experimental 1.3 as expected

 

Not entirely sure why it didn't work yesterday, though maybe because I also have Windows insider too perhaps?

Thanks. If you see any weirdness like this again, please send a smiley (top right of the browser) as that will collect some light telemetry and will help us better diagnose any potential problems.
Elliot
Yeah will do. I'll try replicating it again tomorrow :)
Isn't the issue here that Windows Server IIS doesn't support TLS1.3...
Does Microsoft have an ETA?

@Avaza It's unlikely that the original poster's issue was with IIS (as Chrome would exhibit matching behavior and apparently it started working as expected later).

 

In terms of Windows Server's roadmap for TLS/1.3 support in IIS, you'll probably get a better informed answer over in https://techcommunity.microsoft.com/t5/Microsoft-IIS/ct-p/Microsoft-IIS

@danmurphy No, TLS 1.3 is not a 'badly needed feature' and the speed benefits are not 'immense,'  unless you are TLS servers on old consumer level hardware that lack AES accelerators.

 

Microsoft is not like garbage developers - I mean open source developers that race to implement something for the personal gratification rather than for the quality of the product. MS, RSA and Cisco have the only TLS 1.0 implementations without active exploits because of it where nearly all other implementations do.

 

In addition, TLS 1.3 was only ratified a few months ago. All efforts so far are based on code written before the standard was ratified and have extreme likelihood of containing legacy code that will provide a vector for exploit. In addition, these open source projects have also carelessly introduced exploits into TLS 1.3 that do not exist in 1.2, and simply having 1.3 enabled enables downgrade attacks against weaker protocols that can be completely broken.

 

Wait for a correct implementation. Most (other than the ones where the protocol was fundamentally broken) of the famous SSL and TLS exploits have been created by bad open source solutions that incorrectly implemented SSL/TLS. You will see no difference in performance, other than perhaps at low power client devices.

Microsoft released TLS 1.2 within about 6 months of its ratification.
It's been longer than that for TLS 1.3 and no word yet on future support.

TLS 1.3 is designed to bring significant speed & security improvements. Reducing the number of round trips required is a massive improvement, especially for global customers who have longer latencies.

IIS is falling behind.

@Avaza 

 

1. No, MS did not release support for TLS 1.2 within 6 months. TLS 1.2 was ratified in August of 2008. NT 6.1 RTMed at the end of July 2009. That is nearly a year.

 

2. It doesn't matter. TLS 1.3 is not the same thing as TLS 1.2. TLS 1.3 is a radical update to the protocol, so much so that it was nearly named TLS 2.0. Correctly implementing it will take time. If you are fine with settling for exploit-ridden, incorrect implementations of 1.3 currently available, then you cannot claim to care about anything you claim to care about in the implementation. TLS 1.2 is also not yet exploitable and is better than every incorrect implementation of 1.3 out there.

 

3. Mathematical differences in speed are not measurable differences in speed. It doesn't matter how much you insist there will be a measurable difference between 1.3 and 1.2, it won't be there. Your part about latency is correct, but in order for latency to come into play in speed - which would manifest only through avoiding some packet loss - you will have to be into latencies of 600-700 milliseconds with high jitter, or 800-900 milliseconds or higher with consistent latency. In other words, EXTREME low end satellite service or extraordinarily busy site to site microwave links.

 

4. IIS is an HTTP server, not a TLS server. The two have absolutely NOTHING to do with each other. Windows keeping an incorrect implementation of TLS out of the operating system which opens up exploits that never existed before, in place of a TLS 1.2 that currently cannot be exploited is foolhardy at best.

1) TLS1.2 was announced and available to insiders to use within 6 months.

2) Responsible maintenance of a community that use your product should include announcing timelines for major updates like this..

3) the speed difference, as per plenty of real life benchmarks from the companies using it in production today is not insignificant.

It makes a 50% improvement in setup time for a TLS connection because only 2 instead of 3 total roundtrips are needed. The TLS component is halved.

For customers in Australia connecting to a US Server, that typically means about 200ms cut off the TTFB.
And 200ms latency is common. The global average RTT latency seen by users of Slack is reported as 200ms after they implemented their all-traffic cdn.

Another advantage is that in a sense, it remembers! On sites you have previously visited, you can now send data on the first message to the server. This is called a “zero round trip.” (0-RTT). And yes, this also results in improved load times.

4) all software has vulnerabilities. & patches.
No one's suggesting cutting corners.
Microsoft's silence is either due to poor communication or because this isn't a priority.
If it's low priority it also won't get the better developers assigned, and also will be a lower quality implementation.
1) TLS1.2 was announced and available to insiders to use & test at approx 6 months.

2) Responsible maintenance of a community that use your product should include announcing timelines for major updates like this..

3) the speed difference, as per plenty of real life benchmarks from the companies using it in production today is not insignificant.

It makes a 50% improvement in setup time for a TLS connection because only 2 instead of 3 total roundtrips are needed. The TLS component is halved.

For customers in Australia connecting to a US Server, that typically means about 200ms cut off the TTFB.
And 200ms latency is common. The global average RTT latency seen by users of Slack is reported as 200ms after they implemented their all-traffic cdn.

Another advantage is that in a sense, it remembers! On sites you have previously visited, you can now send data on the first message to the server. This is called a “zero round trip.” (0-RTT). And yes, this also results in improved load times.

4) all software has vulnerabilities. & patches.
No one's suggesting cutting corners.
Microsoft's silence is either due to poor communication or because this isn't a priority.
If it's low priority it also won't get the better developers assigned, and also will be a lower quality implementation.

@Avaza @Unoki Not sure what's gotten into you both but as you can see in the first few replies, TLS 1.3 is already implemented successfully

@Avaza 

 

1. The windows insider program didn't exist until Windows 10. If you meant the beta program, well that is completely irrelevant. Until Windows 10, Betas were exclusively used for pre-validation of applications, drivers, etc, and all were pretty much universally extremely unstable and unusable.

 

2. No, it doesn't.

 

3. No it isn't. Mathematically faster and something that is perceivably faster aren't the same thing. You seem to be exclusively focusing on web pages and other client apps, but no person is ever going to notice a difference of 200 milliseconds when the client application takes thousands of milliseconds to render a page, or establish a SIP connection to the server. You aren't saving 200 milliseconds between Australia and the United States either. I have a training web application that is hosted in Australia behind a cloud load balancer and typically only see latency of about 5-600 milliseconds in the health check which includes the ~300 or so milliseconds of establishing each session, which would only be incurred once in real use.

 

In ecommerce sites and content delivery networks these small gains could definitely measurably impact their business, but both of these segments are usually slow to implement new technology, because 1, both of them have to work all the time without exception, and 2, ecommerce has to be secure without exception and content delivery networks may have to be very strictly secure as well.

 

4. Implementing TLS is not even close to being the same thing as writing a patch for an application, and no exploit discovered within less than a year of the protocol's ratification due to incorrect implementation is even nominally acceptable. Virtually every TLS 1.3 client and server introduced multiple exploits enabling attack vectors at both ends, that allowed easy and difficult to detect downgrade attacks, and if enabled allowed for easy downgrade to SSL 3.0 or TLS 1.0 - which more than likely was another incorrect TLS implementation containing exploits. Cutting corners is exactly what you are suggesting. Every single current implementation of TLS 1.3 cut corners and exposed every single one of its users. In less than a year.

 

@Unoki TLS/1.3 has been available in the new Edge since its first Canary release. Discussions of IIS and Windows more broadly are not in scope for this forum; you can find other communities where such conversations are more appropriate. 

Any guidance you can provide on how to restrict the lowest level of TLS in this new Edgium? browser? I have set the minimums in the Internet Advanced settings but the Qualys Labs site still shows TLS 1.0 and 1.1 as Yes. Both flags in Insider Edge for TLS 1.3 are set to Default.
Thanks.
You can use policy, see:

https://www.chromium.org/administrators/policy-list-3#SSLVersionMin

Or you can use a command line flag:

msedge.exe --ssl-version-min=tls1.3

Having said that, the Qualys SSLLabs.com site requires TLS1.2 at this time.

Hmm, I added the policy key and restarted all browser session SSL test = no change, TLS 1 to 1.3 as yes.
I used command line msedge.exe --ssl-version-min=tls1.2 and it still tests with 1.0 as yes

EDITED It took a full computer restart and then this worked.
Opened InPrivate tab still tests as yes for 1.0. 

I have successfully set policy key for regular Chrome (\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\SSLVersionMin) and it was detected and works as expected.

I'll just have to create a shortcut using "msedge.exe --ssl-version-min=tls1.2"

Any other suggestions?

Restarting your computer should have no impact; the most likely explanation is that you had a zombie'd msedge.exe somewhere in the background which prevented the flag from taking effect. Visiting edge://version/ will show the command line of the current instance which will help confirm.

Similarly, I'm not able to reproduce your finding for InPrivate mode; when I launch with the command line flag, it's respected as expected while InPrivate.

How specifically did you "add the policy key"?

@ericlaw Can we have a way (in enterprise) like they do in Firefox to reject TLS 1.0 and 1.1 and other weak cipher suites?

The SSLVersionMin policy allows enterprises to set a minimum TLS version.

Ciphersuites can be controlled via the cipher-suite-denylist command line argument (Chrome uses "cipher-suite-blacklist") as follows:

msedge.exe --ssl-version-min=tls1.2 --cipher-suite-denylist=0x000a https://ssllabs.com

This doesn't appear to be available via policy in Chromium today, see:
https://bugs.chromium.org/p/chromium/issues/detail?id=931204#c5
https://bugs.chromium.org/p/chromium/issues/detail?id=930508#c15

...but it's something that the Edge team might look at if there were significant demand.

I was trying --cipher-suite-blacklist; I didn't know it was denylist now

 

edit: thanks

@ericlaw 

Opened the URL you gave and read that.

Win key + R key, Entered regedit clicked OK.
navigated to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies
Add New Key Chromium
Then in that key add a String value named SSLVersionMin
set the value of that to tls1.2

msEdge_Chromium_Doesn't.jpg

 

This is the same process I followed to get the Chrome browser shown below to work. Except it is in the Chrome Key under Google.

ChromeWorks.jpg

 

 

Is there supposed to be another parent key in between named something like MSEdge? i.e. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\MSEdge\Chromium ?

https://textslashplain.com/2019/05/01/edge-76-vs-edge-18-vs-chrome/
---------
Group Policy and Command Line Arguments
By default, Edge 76 shares almost all of the same Group Policies and command line arguments as Chrome 76.

If you’re using the registry to set a policy for Edge, put it under the

HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge
…node instead of under the

HKEY_CURRENT_USER\Software\Policies\Google\Chrome
node.
Thanks!
That was the missing piece. I was doing a strict enforcement of the document text you gave in the URL since I couldn't infer what keys the exe is reading when it launches.

I am using Version 77.0.211.3 (Official build) dev (64-bit)

After you specified the other details I was able to add in the Microsoft key and the SSL test is working.

The other Google key for Chrome has to stay. We install multiple browsers on our workstations due to various client requirements.

:thumbs_up:
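
The mix-up resolved in the posts above (SSLVersionMin placed under Policies\Chromium, which Edge did not honor, and a leftover msedge.exe masking the command line flag) can be checked with a short audit. This is an added PowerShell example, not code from the thread or from Microsoft; the accepted minimum of TLS 1.2 is an assumption, and checking both the HKLM and HKCU hives is a choice made here.

```powershell
# Added example: report where SSLVersionMin is set for each Chromium-family browser
# and whether running Edge browser processes were started with --ssl-version-min.
$policyKeys = [ordered]@{
    'Edge'     = 'SOFTWARE\Policies\Microsoft\Edge'
    'Chrome'   = 'SOFTWARE\Policies\Google\Chrome'
    'Chromium' = 'SOFTWARE\Policies\Chromium'   # the key the poster created first
}
$accepted = 'tls1.2', 'tls1.3'   # assumption: the organisation's minimum is TLS 1.2

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($browser in $policyKeys.Keys) {
        $path  = "$hive\$($policyKeys[$browser])"
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name SSLVersionMin `
                        -ErrorAction SilentlyContinue).SSLVersionMin
        }
        [pscustomobject]@{
            Browser       = $browser
            Key           = $path
            SSLVersionMin = if ($value) { $value } else { '(not set)' }
            Enforced      = [bool]($value -and ($accepted -contains $value))
        }
    }
}
$report | Format-Table -AutoSize

# Flag the exact situation from the thread: value present for Chromium, absent for Edge.
$edgeOk     = $report | Where-Object { $_.Browser -eq 'Edge' -and $_.Enforced }
$chromiumOk = $report | Where-Object { $_.Browser -eq 'Chromium' -and $_.Enforced }
if ($chromiumOk -and -not $edgeOk) {
    Write-Warning 'SSLVersionMin is set under Policies\Chromium only; Edge reads Policies\Microsoft\Edge.'
}

# Main browser processes carry no --type= argument; child processes do.
# CommandLine can be empty for processes owned by other users when not elevated.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'msedge.exe'" |
    Where-Object { $_.CommandLine -and $_.CommandLine -notmatch '--type=' } |
    Select-Object ProcessId, @{ Name = 'MinTlsFlag'; Expression = {
        if ($_.CommandLine -match '--ssl-version-min=(\S+)') { $Matches[1] } else { '(none)' }
    } } |
    Format-Table -AutoSize
```

A browser process listed with `(none)` while a shortcut passes the flag points to an instance that was already running in the background, which is the case edge://version/ was suggested for above.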