The Internet Engineering Task Force (IETF) —the organization that approves proposed Internet standards and protocols— has formally approved TLS 1.3 as the next major version of the Transport Layer Security (TLS) protocol.
The decision comes after four years of discussions and 28 protocol drafts, with the 28th being selected as the final version.
TLS 1.3 is now expected to become the standard method in which a client and server establish an encrypted communications channel across the Internet —aka HTTPS connections.
TLS 1.3 brings better crypto, less latency
The protocol has several advantages over its previous version —TLS 1.2. The biggest feature is that TLS 1.3 ditches older encryption and hashing algorithms (such as MD5 and SHA-224) for newer and harder to crack alternatives (such as ChaCha20, Poly1305, Ed25519, x25519, and x448).
Second, TLS 1.3 is also much faster at negotiating the initial handshake between the client and the server, reducing the connection latency that many companies cited when justifying not supporting HTTPS over HTTP.
Third, TLS 1.3 will also support features like TLS False Start and Zero Round Trip Time (0-RTT) also help cut down the time needed to establish encryption handshakes with hosts to which the client has talked before.
Fourth, TLS 1.3 is also superior to previous TLS versions because it comes with protection against downgrade attacks that prevent an attacker from tricking a server into using an older version of the protocol, susceptible to known vulnerabilities.
IETF avoids efforts to insert backdoor
All in all, TLS 1.3 is a serious boost to Internet security, being considered nigh impossible to crack, at least with today's resources.
IETF members voted the protocol unanimously, even after members of the financial sector asked for the introduction of a backdoor in the protocol's structure, so financial institutions could decrypt TLS 1.3 traffic inside internal networks.
The proposal was laughed off by experts, who pointed out that the backdoor would effectively make TLS 1.3 useless in the first place.
The middlebox problem
Browsers like Chrome, Edge, Firefox, and Pale Moon have already rolled out support for earlier versions of the TLS 1.3 draft, and are now expected to update this support to the official standard.
While browsers will be the quickest ones to implement TLS 1.3, the major problem relies with older Internet middlebox equipment that will need to receive firmware updates to support the new protocol.
A Cloudflare survey carried out in December 2017 revealed that TLS 1.3 accounted for only 0.06% of Internet HTTPS traffic and that the main reason for this puny market share was that many middleboxes were intentionally downgrading traffic, as they could not support it.
These old and aging Internet middleboxes were also at the heart of an incident in February 2017 when over 50,000 Chromebooks experienced various issues because Google gave TLS 1.3 a more primary role in Chrome OS, leading to flickering screens and bricked devices. Google eventually rolled back TLS 1.3 support in Chrome OS to fix the problem.
Comments
GT500 - 6 years ago
The biggest problem with TLS 1.3 that I see is simply that server Operating Systems run extremely outdated versions of software (such as OpenSSL), so we may have a long wait until server OS maintainers give us newer versions of software that even have support for TLS 1.3 (CentOS 7 does not appear to support it at all right now).
Yeah, sure, you can manually compile and install a newer version of OpenSSL... And then all of the packages you already had installed that were compiled for older versions of OpenSSL can be broken, and SSL/TLS won't work at all (if stuff will even run anymore)...
MIRAI - 6 years ago
"The biggest problem with TLS 1.3 that I see is simply that server Operating Systems run extremely outdated versions of software"
Pardon but I didn't see the text in the article that said clients will stop using TLS1.2 effective immediately. You should probably look up again how a client and server negotiate what protocol is being used before making such claims. If the server only offers TLS1.2 the browser will use this version as well unless you block it manually in options.
e.g. Firefox
#allow at least TLS1.0
security.tls.version.min;1
#allow up to TLS1.3
security.tls.version.max;4
Unless v min and v max are both 4 you can use any version of TLS from 1.0 to 1.3
Also I fail to see the issue, if people run outdated appliances they will just render themselves obsolete in the long term. Always forward, TLS1.2 is 10 years old.
GT500 - 6 years ago
What on Earth are you talking about?
dimitrirosto - 6 years ago
At a quick glance I don't see any significant differencies between 1.3 and 1.2 except for incompatibility with software and browsers. Yes, it's a bit faster and secure. But it's like comparing two Ferrari. 1.2 is older but it's still a Ferrari... Main differences between these two you can already find on Wiki https://en.wikipedia.org/wiki/Transport_Layer_Security But I don't see any really outstanding changes. It's like new OWASP Top 10. To my mind, we will have to wait for months or even years when 1.3 will be supported by browsers, online services etc. Though there are some vendors and services that already support it: Cloudfare, Akamai, OpenSSL, SSL test by High-Tech Bridge (very useful https://www.htbridge.com/ssl/), new versions of browsers are ready to support it. Not that much.
GT500 - 6 years ago
Browsers already support TLS 1.3 (to a certain extent at least), but server owners will have to wait for distros to bundle versions of OpenSSL that actually support it before our HTTP/SMTP/etc. servers can support it. I've gone ahead and configured NGINX for TLS 1.3, but the version of OpenSSL that comes on CentOS 7 doesn't support it, and there's no telling when CentOS will actually update the version of OpenSSL they use to support it...
As for the point of TLS 1.3, the performance and the security enhancements were the primary reason behind it. Server operators didn't need TLS to have fancy new features, they just needed it to be harder to crack the encryption and for the performance to be better for a better user experience. TLS 1.2 still supported ciphers that weren't very secure, and most server admins really don't know what they are doing when they configure TLS, so this newer version of TLS will help with simplifying server config by (eventually) reducing the amount of garbage that we need to put in our config files to make sure that communication is secure.
Some day I may be able to restrict all traffic to TLS 1.3 and won't have to specify which ciphers to allow in each config file. That day may be years from now, but at least I can look forward to it.