Secure Web access depends on TLS (Transport Layer Security), still better known to many by the name of its predecessor, SSL. The latest version, TLS 1.3, has been published as RFC 8446 with the status of “Proposed Standard,” which is the normal final form for an IETF protocol; in practice the specification is done.
TLS is a strong protocol, but version 1.2 has been around for ten years. Computing power has kept growing since then, and some of its algorithms have turned out to be weak. The new version removes them: the RSA key exchange, the CBC-mode and RC4 ciphers, and compression are gone, leaving only authenticated-encryption (AEAD) cipher suites such as AES-GCM and ChaCha20-Poly1305. It also adds a few new pieces and reworks the key derivation in ways that matter mostly to cryptographers.
Quicker, more secure handshakes
One area which is easier to explain and has a clear benefit is the handshake between the two parties making a secure connection. A full TLS 1.2 handshake needs two round trips before application data can flow; TLS 1.3 needs only one, because the client sends its key-exchange share in its very first message. When a client reconnects to a server it has talked to before, it can resume with a pre-shared key from the earlier session and send application data in its first flight (“0-RTT”), with no extra round trip at all. This speeds up the initial setup of secure connections, with one caveat: 0-RTT data can be replayed by anyone who captured it, so it should carry only requests that are safe to repeat.
All handshake messages after the ServerHello are now encrypted, including the server's certificate, so a passive observer learns less about who is talking to whom. The ClientHello, and the server name it carries, still travel in the clear.
Version compatibility
Version negotiation is a tricky issue. If only browsers that support TLS 1.3 could reach websites that use it, a lot of people with older browsers would suddenly be locked out. The client and server have to negotiate a version and cipher suite that both support, and that negotiation has been abused. When a handshake failed, older browsers would quietly retry with a lower protocol version; an attacker on the path could break the first attempts on purpose and push both sides down to SSL 3.0, whose CBC padding could then be exploited. This “downgrade dance” was the basis of the POODLE attack of 2014.
TLS 1.3 still negotiates a version but closes that hole. The client lists the versions it supports in a supported_versions extension, and a server that is capable of 1.3 but ends up negotiating 1.2 or lower writes a fixed sentinel value into the last eight bytes of the random field of its ServerHello. A 1.3-capable client that sees that sentinel knows something on the path forced a downgrade and aborts the connection. The server's signature and the Finished messages also cover the whole handshake transcript, so a man in the middle cannot quietly alter what was offered. And the weakest protocols are simply no longer on the menu.
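The downgrade check described above, as an added example that is not code from the original article: a small parser for the ServerHello layout in RFC 8446, followed by the test a 1.3-capable client applies to the random field. The three sample messages at the bottom are constructed by hand (with a fixed, non-random “random” field for repeatability), the record-layer header is assumed to have been stripped already, and the function and constant names are this example's own.

```python
"""Detect a forced TLS downgrade from a ServerHello (RFC 8446, section 4.1.3).

Added example for this article, not code from the original. The ServerHello
messages at the bottom are constructed by hand for demonstration.
"""
import struct
from typing import Optional

HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
TLS_1_3, TLS_1_2 = 0x0304, 0x0303
# Sentinels a 1.3-capable server writes into the last 8 bytes of its random
# when it ends up negotiating TLS 1.2, or TLS 1.1 and below.
DOWNGRADE_TO_1_2 = b"DOWNGRD\x01"
DOWNGRADE_TO_1_1 = b"DOWNGRD\x00"


def parse_server_hello(msg: bytes) -> dict:
    """Parse a ServerHello handshake message (record header already removed)."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = int.from_bytes(body[0:2], "big")
    random = body[2:34]
    sid_len = body[34]                      # legacy_session_id_echo length
    pos = 35 + sid_len
    cipher_suite = int.from_bytes(body[pos:pos + 2], "big")
    pos += 3                                # cipher suite + legacy_compression_method
    extensions = {}
    if pos < len(body):                     # extensions block is optional in TLS 1.2
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    # A 1.3 server keeps legacy_version at 0x0303 for middlebox compatibility
    # and states the real choice in the supported_versions extension.
    version = legacy_version
    if EXT_SUPPORTED_VERSIONS in extensions:
        version = int.from_bytes(extensions[EXT_SUPPORTED_VERSIONS], "big")
    return {"version": version, "random": random,
            "cipher_suite": cipher_suite, "extensions": extensions}


def check_downgrade(msg: bytes) -> dict:
    """What a 1.3-capable client does with a ServerHello: read the negotiated
    version and flag the connection if the sentinel says the server could have
    done TLS 1.3 but was talked down to an older version."""
    hello = parse_server_hello(msg)
    sentinel = hello["random"][-8:]
    downgraded = (hello["version"] < TLS_1_3
                  and sentinel in (DOWNGRADE_TO_1_2, DOWNGRADE_TO_1_1))
    return {"version": hello["version"], "downgrade_detected": downgraded}


def build_server_hello(legacy_version: int, random: bytes, cipher_suite: int,
                       selected_version: Optional[int] = None) -> bytes:
    """Build a minimal ServerHello; used here only to construct sample messages."""
    assert len(random) == 32
    body = struct.pack("!H", legacy_version) + random + b"\x00"   # empty session id
    body += struct.pack("!H", cipher_suite) + b"\x00"            # null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack("!H", len(ext)) + ext
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


# Constructed sample messages (fixed bytes stand in for the random field).
RANDOM_PREFIX = bytes(range(24))
PLAIN_TAIL = bytes(range(24, 32))
# 1. A TLS 1.3 server: legacy_version says 1.2, supported_versions says 1.3.
SAMPLE_TLS13 = build_server_hello(TLS_1_2, RANDOM_PREFIX + PLAIN_TAIL,
                                  0x1301, selected_version=TLS_1_3)  # TLS_AES_128_GCM_SHA256
# 2. A 1.3-capable server pushed down to 1.2: the sentinel is present.
SAMPLE_TLS12_DOWNGRADED = build_server_hello(TLS_1_2, RANDOM_PREFIX + DOWNGRADE_TO_1_2,
                                             0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# 3. A server that genuinely only speaks 1.2: no sentinel, no supported_versions.
SAMPLE_TLS12_PLAIN = build_server_hello(TLS_1_2, RANDOM_PREFIX + PLAIN_TAIL, 0xC02F)

if __name__ == "__main__":
    for name, sample in [("tls13", SAMPLE_TLS13),
                         ("tls12-downgraded", SAMPLE_TLS12_DOWNGRADED),
                         ("tls12-plain", SAMPLE_TLS12_PLAIN)]:
        result = check_downgrade(sample)
        print(f"{name:18s} version=0x{result['version']:04x} "
              f"downgrade_detected={result['downgrade_detected']}")
```

Note the third sample: an honest 1.2-only server produces no sentinel, so a 1.3 client simply proceeds with TLS 1.2. The sentinel only catches the case where the server itself knew it could do better, which is exactly the case an on-path attacker would be trying to hide.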
Forward secrecy
A big advance in TLS 1.3 is forward secrecy in every full handshake. In simple terms, each session's keys are derived from ephemeral Diffie-Hellman values that both sides discard afterwards, so even someone who later obtains the server's long-term private key cannot decrypt traffic they recorded earlier. In TLS 1.2 the widely used RSA key exchange, where the client encrypts the session secret with the key in the server's certificate, lacks this property; TLS 1.3 removes it. (The one exception is resumption in pure pre-shared-key mode without a fresh Diffie-Hellman exchange, which the specification allows but which deployments can avoid.)
Surprisingly, this feature generated some controversy. Some IT departments rely on the RSA key exchange in 1.2 to decrypt traffic within their own networks passively, using a copy of the server's private key. This is useful for reasons that have nothing to do with snooping: it lets them inspect application traffic to diagnose problems and to run security monitoring.
Those administrators are willing to give up some security for the sake of better traffic monitoring, but TLS 1.3 doesn’t give them that option. They have the choice of staying with version 1.2, which isn’t likely to be deprecated for many years to come.
Browser and server support
Support for TLS 1.3 is widely available and growing. The OpenSSL library, used by many servers, supports it starting with version 1.1.1. Mozilla's NSS library (the basis of the Apache mod_nss module) has supported it for some time, tracking the successive drafts of the specification.
Browser support at this time includes Firefox, Chrome (including on Android), and Opera. The latest versions of macOS and iOS include support for it, but it has to be enabled by rather obscure methods. Microsoft Edge will undoubtedly support it, but there's no specific announcement yet. Version 1.3 has only recently been finalized, and software developers want to be sure there aren't bugs in their implementations. Compatibility with older versions is also critical, so that upgraded servers can still talk to older browsers.
Other software, such as mail clients, also uses TLS and will upgrade over time.
Because it's backward compatible, there's no obstacle to adopting TLS 1.3 today wherever it's available. More websites and browsers will start using it over time, and the transition will normally go unnoticed. The only difference will be better performance and higher security.
Our managed services will let you keep up with all the latest improvements in Internet technology. Contact us to learn more.