By now, you may have seen some of the release announcements for RFC 8446, the latest iteration of the TLS protocol known as TLSv1.3. This major overhaul has been a long time in the making, as the Internet Engineering Task Force (IETF) have been working on it for the past five years, and introduces some much needed improvements in one of the most widely used protocols for providing transport encryption. In this blog, we’re going to look at what TLSv1.3 means for your organization and why you should prepare to adopt it. If you’re looking for a detailed technical review, check out this great rundown by Nick Sullivan at CloudFlare.
TLSv1.3 – Quick and Dirty
Transport Layer Security (TLS) is used to provide encryption and integrity for data being transmitted over HTTPS, which is being used for roughly 73% of websites today. It’s predecessor, Secure Sockets Layer (SSL), has been phased out over recent years, as significant security flaws were discovered that could allow attackers to decrypt data captured in transit. After the death of SSL, TLSv1.0, TLSv1.1, and TLSv1.2 were the available encryption options for client/server web communications. But 1.0 and 1.1, referred to as “early TLS” by some (looking at you PCI DSS), also have known security weaknesses and a lack of security protections that were added in with TLSv1.2. So those versions are also in the process of being “sundowned.”
Enter TLSv1.3. Researchers have known for years that the desire to maintain backwards compatibility has hamstrung the protocol from making the much-needed move to a faster, more secure code base. After a ton of work, and using formal verification methods to help avoid some of the pitfalls from the earlier instances of the protocol, TLSv1.3 was officially published on August 10th, 2018. This newer version deprecates the support for a lot options that introduced security vulnerabilities. That deprecation also allowed the designers to reduce communication overhead and create a simpler protocol.
You can probably already answer that question based on what’s already been laid out in this article. TLSv1.3’s main advantages:
- Increase in speed – while we’re getting closer and closer to running everything over HTTPS on the Internet, this is crucial piece of the protocol’s overhaul. Reducing the negotiation process by two round trips in most cases will be a noticeable improvement to the human eye, hopefully increasing the adoption rates of TLSv1.3.
- Increase in security – and who doesn’t love getting more secure AND getting faster? The removal of support for some cipher suites and configuration options that are now known to be problematic is great to help avoid insecure default configurations and annoying tweaks in server-side negotiation options.
- Simpler – less complexity usually means faster and more secure, but the important part here is also staying power. It’s much easier to envision longevity for a protocol that is easy to use and has formal verification methods backing its design.
So with all those advantages, I think we’ll see a very large spike in adoption rates as devices start supporting the protocol. I’m also predicting we see standards organizations pick up this new protocol quickly because of its clear advantages. So don’t be surprised when the next iteration of PCI DSS, NIST, HIPAA, etc. put an emphasis on rolling out this new technology. In fact, for people frustrated by making small changes to your web server’s TLS configuration every time you do a vulnerability scan for PCI compliance, TLSv1.3 could be your dream come true!
If you have any questions or want more details, feel free to get in touch.