Here’s everything you need to know about TLS 1.3

It took about more than eight years since the last encryption protocol update, a new version TLS 1.3 published as of August 2018.

TLS 1.3 has countless advantages over its predecessors, which is faster and more secure including a handshake and rebuild cipher suites.

Technically, SSL 1.0 never officially released, 2.0 and 3.0 had a short life (not entirely dead). As a result, SSL got replaced with TLS 1.0. There were many differences between SSL and TLS. Later, TLS 1.0 was replaced with 1.1, which was later succeeded by TLS 1.2. Now final TLS 1.3 was released. TLS 1.3 has gone through the seventh iteration so far from the SSL/TLS protocol.

Let us now learn everything about TLS 1.3 which has brought about changes to security and web performance, free to refer to any sections which interest you.

What is TLS 1.3?

TLS stands for Transport Layer Security and is the successor to SSL (Secure Sockets Layer). TLS provides secure communication between web browsers and servers. The connection itself is secure because symmetric cryptography is used to encrypt the transmitted data. In other words, TLS is a standard protocol that allows clients and servers to communicate securely over the internet.

Transportation Layer Security (TLS) 1.3 protocol provides unparalleled privacy and performance compared to its previous versions of TLS and non-secure HTTP. Cloudflare engineers contributed towards the development of the newest TLS protocol.

History of TLS 1.3

TLS 1.3 released after a decade of TLS version 1.2 and it took about 28 drafts to finally get define by IEFT(Internet Engineering Task Force). There were many problems involved such as middleboxes, commercial elements that undermine the standard in the interest of traffic inspection. Also, the vetting process goes on endlessly because of the many stakeholders involved.

tls_1.3_drafts_rfc8446

(image source: https://datatracker.ietf.org/doc/rfc8446/?include_text=1 )

The first draft of version TLS 1.3 released on April 17, 2014, to the last draft released in August 2018. All the drafts continuously reviewed and tested by vendors such as Google, Cloudflare, Mozilla and many more. They tested the protocol by adding it to their supported list of protocols and reported issues encountered during testing.  For instance, in February 2017, a proxy issue arose that forced Google to stop TLS 1.3 support for a while.

Advantage of TLS 1.3 over TLS 1.2

1)  Speed Benefit

TLS 1.3 much faster than its predecessor because the time taken for a handshake reduced. In TLS 1.3, it takes one round-trip from both sides to complete a handshake. TLS 1.3 reduced the round trip than TLS 1.2, since the number of negotiations cut-down to 2 against 4.

TLS 1.3

Image Source: Fasterize

Whereas in TLS 1.2, it takes two round-trips and the number of negotiations it requires is four. It makes it slower in terms of network performance than TLS 1.3.

The shorter TLS handshake has made the connection to the site much faster- with less latency, which improves the enterprise network performance.

‘Zero Round Trip Time Resumption’ (0-RTT) will make TLS 1.3 faster as it allows for near-instantaneous session resumption for visitors who have recently visited the website. Such speed change is pretty much noticeable on the mobile networks and at scale.

0-rtt-vs-1-rtt

In TLS 1.3, to resume a connection pre-shared key is used whereas  TLS 1.2 uses a couple of ways to resume i.e. session IDs and session tickets. The client and the server generate session keys to use during a connection, once the connection is been established, they can use a similar function to generate “Resumption Master Key” which facilitates 0-RTT.

This resumption master key is to encrypt application data for the server along with the session ticket when the client and the server want to resume a session. Afterward, the server validates it and the session gets resumes.

2) Cipher Suites Simplified

As we are aware that half of the negotiation has been eliminated from the handshake, which has resulted in a decrease in the size of the cipher too.

TLS 1.2 and its predecessors use Cipher Suites which included 4 ciphers: They are as followed:

TLS 1.2 Cipher Suits

The TLS1.3 supports cipher suites that do not include key exchange and signature algorithms.

The biggest drawback in TLS 1.2 is multiple cipher combinations giving nightmare for the parties participating in the handshaking, lagged in providing guidance in choosing cipher suite for better security.

The TLS version 1.3 has five different cipher suites that can be used which are as follows:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256

3) Security Improvement

The problem with the TLS 1.2 has been that no properly configured done and gave open ways for website attacks. Release of  TLS version 1.3 helped in removing all the insecure features such as:

  • SHA-1
  • RC4
  • DES
  • 3DES
  • AES-CBC
  • MD5
  • Arbitrary Diffie-Hellman groups – CVE-2016-0701
  • Export-strength ciphers- responsible for Freak and LogJam

The administrators and developers may find the TLS version 1.3 as a preferred protocol as it is more simplifies and will help in less misconfiguring the protocol.

People have started trusting the TLS 1.3 more than its predecessors

Google is raising the security bar, by displaying warning messages on the screen for the users to move from 1.2 and below to TLS 1.3, for both the browsers and the servers.

Conclusion:

TLS 1.3 protocol was released well over a year, but the adoption rate is meager. Some people are still clinging to the old and unsecured protocols. But, SSL Certificate is now mandatory and the awareness about the cybersecurity is increasing – Google’s strengthening its security policies.

Keeping this in mind up-gradation to TLS version 1.3 could become a norm in the next 2 to 3 years. As we are clear TLS version 1.3 is more secure, lighter and faster which will help the organization to secure itself and its customers.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Have any Questions

If you have any questions, feel free to call us toll-free

Toll-Free Call: +91 +91-22-42978097

info@https.in

  • Payments We Accept