Last modified: April 3, 2022
TLS version 1.0 is not safe anymore and should be disabled. To justify, let’s just name thethreebiggest attacks that managed to exploit the various TLS 1.0 vulnerabilities discovered within 2011 and 2014:BEAST,HeartbleedandPOODLE.
This issue doesn’t affect Windows 10 users. But, always install the OS updates through the official channels. However, if you’re still using Windows 7 or Windows 8, you might have to perform some manual tasks in order to get rid of that outdated TLS version.
We can fix this by telling your OS to never use TLS 1.0 anymore, and stick with TLS 1.1 and 1.2 by default. Here’s a small guide explaining how you can do that.
Install the KB3140245 Security Patch
The first thing to do is to download and install the Windows KB3140245.
You can do that using Windows Update, since it’s available as an optional update, or manually download it from the official website (here). Mind the appropriate product version for your OS.
This will equip your OS with TLS versions 1.1 and 1.2.
Update your Windows Registry file to TLS 1.2
You need to patch your Windows Registry file, so that your OS will actually use the new TLS protocol versions (1.2, and 1.1 as a fallback) instead of the outdated and vulnerable 1.0 one.
Microsoft-released patch file was revoked. As a result, this can no longer be done automatically. You need to do it manually by editing the registry file usingregedit.
Before proceeding further, we advise you to backup your Registry.
Step 1. Setting the default TLS protocols to TLS 1.1 and 1.2
To begin, press WinKey+R, type regedit and then press enter.
After that, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
and add New (Edit-New or right-click on WinHttp) DWORD value and name it: DefaultSecureProtocols
Afterwards, double-click on it and enter this hexadecimal value: 00000A00
Do the same procedure for:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Subsequently, you should end up with entries as shown in the picture below:
You have now configured your system to use TLS 1.1 and 1.2. The problematic TLS 1.0 is now disabled.
In order to re-enable TLS 1.0, use the value 00000A80 for DefaultSecureProtocols entries.
(This is not recommended. However, some sites might still require it)
Step 2. Enable TLS 1.1 and 1.2 at the SChannel component level
Firstly, we need to create subkey called Client in each of the following two keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\
Secondly, navigate to appropriate key and create a subkey (Edit-New-Key) called Client
Now we will have keys as shown below and in them we will add another DWORD key called DisabledByDefault
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\ClientHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Lastly, set the key value to: 0
You should now have the entries as per image below:
Visitthis official Microsoft page in order to learn more about the entire topic.
Find other security suggestions on our Blog page.
Conclusion
Windows 10 users don’t require this fix. Disabling TLS 1.0 will patch security vulnerabilities in Windows 7 and Windows 8. We don’t advise re-enabling TLS 1.0.
If you have any other concerns that need addressing, contact our Support team directly.
