TCP Fast Open -- Disabled in Microsoft Edge
In today’s Ask the Admin, I will explain how TCP Fast Open (TFO) helps to speed up browsing in Microsoft Edge and why it has been turned off by default in the latest cumulative update for Windows 10 Creators Update.
Support for TFO has been in Windows 10 since last year’s Anniversary Update, but it was only enabled in Edge with the release of the Creators Update in April. TFO (RFC 7413) is a TCP extension that lets a client put application data, such as the TLS ClientHello, into the SYN packet of the three-way handshake instead of waiting for the handshake to finish. The saving only applies to repeat connections to a server the client has already talked to.
On the first connection to a server, the client’s SYN carries a TFO cookie request and the server returns a cookie in its SYN-ACK. The cookie is a short value the server derives from the client’s IP address and a secret of its own, and the client caches it for that server. On later connections the client sends the cookie together with the first bytes of data in the SYN. If the server validates the cookie, it hands that data to the application before the handshake has completed; if it does not (the server has rotated its secret, or the cookie was replayed from another address), it drops the data and falls back to a normal handshake. For a TLS 1.2 connection this brings the delay before application data is sent down to one round trip, with help from TLS False Start, compared with three round trips for a standard TLS 1.2 connection: one for TCP and two for TLS. Fewer round trips means lower latency, and on mobile devices it also means the radio is powered up for less time.
The initial release of the Creators Update enabled TFO in Edge for the first time, but Microsoft has disabled it again in a recent cumulative update. Microsoft said the feature caused connection problems for some customers and that users can re-enable it manually from the about:flags page in Edge. The underlying problem is that some older firewalls and routers drop SYN packets that carry data or an unfamiliar TCP option. The client then sees a timeout and has to retransmit a plain SYN, so the connection ends up slower than it would have been without TFO. That is why Microsoft has turned the feature off by default.
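To make the cookie exchange and the fallback paths concrete, here is an added Python simulation (not code from this article, from Microsoft or from Windows) of the TFO behaviour described above: the first connection’s cookie request, data riding in the SYN on repeat connections, rejection of a stale or replayed cookie, and the blackholing middlebox that led Microsoft to turn the feature off. The cookie scheme (a truncated HMAC of the client address), the destination name and the IP addresses are assumptions made for the example; only TCP-level round trips are counted, not the TLS handshake on top.

```python
"""Simulation of the TCP Fast Open (RFC 7413) cookie exchange.

Added example, not code from the article, Microsoft or Windows. The cookie
construction (truncated HMAC of the client IP under a server secret) is an
assumption for illustration; RFC 7413 leaves the scheme to the server.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Syn:
    src_ip: str
    cookie: Optional[bytes]   # None: no TFO option; b"": cookie request; else a cookie
    data: bytes = b""         # application data carried inside the SYN


@dataclass
class SynAck:
    cookie: Optional[bytes]   # fresh cookie for the client to cache, if the server issued one
    accepted: int             # bytes of SYN data the server passed to its application


class TfoServer:
    COOKIE_LEN = 8            # RFC 7413 allows 4 to 16 bytes

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret or os.urandom(16)
        self.delivered: List[bytes] = []   # data that reached the server application, in order

    def make_cookie(self, ip: str) -> bytes:
        # Assumed scheme: keyed MAC over the client address, so a cookie is only valid
        # for the address it was issued to and cannot be forged without the secret.
        return hmac.new(self.secret, ip.encode(), hashlib.sha256).digest()[: self.COOKIE_LEN]

    def rotate_secret(self) -> None:
        self.secret = os.urandom(16)       # every outstanding cookie becomes stale

    def on_syn(self, syn: Syn) -> SynAck:
        if syn.cookie is None:                        # plain TCP client: ordinary handshake
            return SynAck(None, 0)
        if syn.cookie == b"":                         # first contact: ordinary handshake plus a cookie
            return SynAck(self.make_cookie(syn.src_ip), 0)
        if hmac.compare_digest(syn.cookie, self.make_cookie(syn.src_ip)):
            self.delivered.append(syn.data)           # data accepted before the handshake completes
            return SynAck(None, len(syn.data))
        # Stale or forged cookie: discard the SYN data, issue a fresh cookie, fall back to the 3WHS.
        return SynAck(self.make_cookie(syn.src_ip), 0)


class Middlebox:
    """A firewall or router that blackholes any SYN carrying a payload."""

    def drops(self, syn: Syn) -> bool:
        return len(syn.data) > 0


class TfoClient:
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.cookies: Dict[str, bytes] = {}   # per-destination cookie cache, as the OS keeps
        self.blackholed = set()               # destinations where a TFO SYN was lost

    def connect(self, dest: str, server: TfoServer, data: bytes,
                middlebox: Optional[Middlebox] = None) -> Tuple[int, int]:
        """Return (round trips before `data` reaches the server application, SYN retransmits)."""
        retransmits = 0
        cookie = self.cookies.get(dest)
        if dest in self.blackholed:
            syn = Syn(self.ip, None)           # TFO switched off for this host after an earlier loss
        elif cookie:
            syn = Syn(self.ip, cookie, data)   # repeat connection: data rides in the SYN
        else:
            syn = Syn(self.ip, b"")            # first connection: ask for a cookie
        if middlebox is not None and middlebox.drops(syn):
            retransmits += 1                   # SYN timed out; retry without TFO, as real stacks do
            self.blackholed.add(dest)
            syn = Syn(self.ip, None)
        synack = server.on_syn(syn)            # one round trip: SYN out, SYN-ACK back
        if synack.cookie:
            self.cookies[dest] = synack.cookie
        if data and synack.accepted == len(data):
            return 0, retransmits              # the server application had the data at 0 RTT
        server.delivered.append(data)          # otherwise it goes out with the ACK, after 1 RTT
        return 1, retransmits


def demo() -> dict:
    """Walk through the scenarios described in the text and collect the round-trip counts."""
    server = TfoServer(secret=b"\x01" * 16)    # fixed secret so the run is reproducible
    client = TfoClient("192.0.2.10")           # constructed sample addresses (RFC 5737 ranges)
    out = {}
    out["first"] = client.connect("edge-test", server, b"ClientHello#1")    # cookie request
    out["repeat"] = client.connect("edge-test", server, b"ClientHello#2")   # data in the SYN
    server.rotate_secret()
    out["stale"] = client.connect("edge-test", server, b"ClientHello#3")    # cookie rejected
    out["fresh"] = client.connect("edge-test", server, b"ClientHello#4")    # new cookie works
    forged = Syn("198.51.100.7", client.cookies["edge-test"], b"evil")      # replay from another IP
    out["forged_accepted"] = server.on_syn(forged).accepted
    fw = Middlebox()                                                        # drops SYNs carrying data
    out["behind_fw"] = client.connect("edge-test", server, b"ClientHello#5", fw)
    out["behind_fw_again"] = client.connect("edge-test", server, b"ClientHello#6", fw)
    out["delivered"] = list(server.delivered)
    return out
```

Calling demo() shows the pattern the article describes: the first connection and any connection with a rejected cookie cost one round trip before data arrives, a connection with a valid cookie costs zero, the replayed cookie from a different address is refused outright, and behind a firewall that drops SYNs with payload the client pays an extra retransmission before giving up on TFO for that host.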
TLS 1.3 and 0-RTT
It might look like a setback for Microsoft, but the next revision of TLS cuts round trips further. A full TLS 1.3 handshake takes one round trip instead of two, and a client resuming an earlier session can send application data in its very first flight, known as 0-RTT. The caveat with 0-RTT is that an attacker who captures that first flight can replay it, so servers should only accept 0-RTT data for requests that are safe to repeat. Google enabled TLS 1.3 in Chrome in February 2017 but later pulled it because some endpoint security software could not handle it. TLS 1.3 has not yet been fully ratified. Microsoft has stated that it is committed to delivering TLS 1.3 once the final security issues have been ironed out.
In the meantime, while I generally do not recommend straying from default settings, I have not experienced any issues in Edge with TFO enabled. Your experience might differ, particularly on networks with older firewalls, but TFO does seem to make TLS-enabled sites snappier.
In this article, I explained how TFO speeds up browsing to sites that use TLS, why Microsoft has disabled it in Edge, and how it can be re-enabled from about:flags. I also looked at TLS 1.3, which cuts the handshake to a single round trip and, for resumed sessions, to zero.