The IETF has finally given the okay to the TLS 1.3 protocol, which will speed up secure connections and make snooping harder for attackers.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- TLS 1.3 has been approved for use, which should make TLS-protected connections (every HTTPS session included) both faster to set up and harder to attack.
- Both gains come from the same redesign: a handshake that completes in one round trip instead of two, and the removal of legacy options such as RSA key exchange, static Diffie-Hellman and non-AEAD ciphers, so every TLS 1.3 connection is forward secret and uses only modern authenticated encryption.
Transport Layer Security (TLS) version 1.3 has been approved by the Internet Engineering Task Force (IETF), making it the new industry standard for secure connections.
The version approved is actually the 28th draft of the successor to TLS 1.2, which the IETF's TLS working group has been discussing since 2014. Because TLS underpins HTTPS and much else, a flaw in the new version would be felt everywhere, and that is a large part of why the review took so long: members wanted to be sure the redesign did not open up new weaknesses before it became the standard.
With the newest version set to become the standard model for securing internet connections, users can expect connections to set up faster because the handshake carries fewer messages and round trips. The same redesign also makes TLS more secure, because much of what was removed to shorten the handshake was old, obsolete cryptography that attackers had learned to exploit.
Not without controversy
TLS 1.3 drew concerns from the financial and banking industries when it was first being considered in 2016. Because TLS 1.3 drops RSA key exchange and makes ephemeral, forward-secret key exchange mandatory, a monitoring appliance holding a copy of a server's private key can no longer passively decrypt traffic the way it could with TLS 1.2, which is how many banks inspected connections inside their own networks.
Financial industry security professionals asked the IETF to add a mechanism, in effect a backdoor (a static, non-ephemeral Diffie-Hellman mode whose key could be shared with monitoring systems), so that they could keep decrypting TLS traffic out of band. The request was rejected in the final version, with IETF members saying it would undo the forward secrecy that is one of TLS 1.3's main advantages. Inspection of that kind now has to be done with an active proxy that terminates the connection rather than by passively watching the wire.
A second controversy in TLS 1.3 is its 0-RTT resumption mode, which lets a client that has previously completed a TLS 1.3 handshake with a server reuse a pre-shared key (PSK) derived from that session and send encrypted application data in its very first message, before any reply from the server. The Register flagged this as the weak point of the design, and it is: because the server has contributed nothing fresh by the time that first message arrives, it cannot tell a genuine request from a copy, so an attacker who captures the message on the wire can replay it, and the early data it carries is not forward secret. The specification therefore tells servers to accept 0-RTT data only for requests that are safe to repeat, or to add their own replay detection, and server software generally leaves the mode off unless the operator enables it.
How TLS 1.3 will speed and secure the internet
The security and speed improvements that TLS 1.3 brings come from the same change rather than trading off against each other: stripping out legacy options removed both attack surface and round trips.
To see why, it helps to look at how a TLS 1.2 connection works. The client opens with a list of the cipher suites it supports; the server picks one and sends its certificate; only then does the key exchange begin, with a ClientKeyExchange message from the client (for RSA suites, a secret encrypted to the server's public key), and each side confirms with a Finished message. That is two full round trips before any application data can flow, and every one of those choices (RSA or Diffie-Hellman, CBC or AEAD, which hash) is a place where an obsolete option can still be selected.
TLS 1.3, on the other hand, removes most of that negotiation. The client's first message (ClientHello) already carries an ephemeral Diffie-Hellman key share for the groups it supports alongside the short list of permitted cipher suites; the server answers with its own key share, and from that point on everything, including the server's certificate and signature, is already encrypted. The client sends its Finished message and can immediately start sending application data: one round trip instead of two, and a fresh ephemeral key for every connection.
Because the obsolete options no longer exist in TLS 1.3, and because the entire handshake transcript is signed by the server and authenticated by both Finished messages, an attacker in the middle cannot strip the strong options out of the ClientHello to force a weaker choice, which is known as a downgrade attack. TLS 1.3 also protects against being downgraded to an older version: a 1.3-capable server that ends up negotiating TLS 1.2 or below embeds a fixed marker in the random value of its ServerHello, and a 1.3-capable client that sees the marker aborts the connection.
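The negotiation behaviour described above, exercised in code. This is an added example written for this page, not code from the IETF, The Register or any browser vendor: it uses Go's standard crypto/tls with a throwaway self-signed certificate (constructed inside the program as a stand-in for a real CA-issued one) and runs client and server over a loopback socket. It shows that two 1.3-capable endpoints settle on TLS 1.3 with one of its fixed AEAD suites, that a server which requires 1.3 refuses a client capped at 1.2 rather than quietly falling back, and, going a little beyond the text, that a second connection resumes from the first session's ticket (Go's TCP client sends no 0-RTT early data, so this is the PSK resumption path without the replay exposure discussed earlier).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Result records what one client/server pair agreed on.
type Result struct {
	Version, CipherSuite uint16
	Resumed              bool // a PSK from an earlier session was used
}

// negotiate runs one handshake over loopback TCP. The server writes one byte
// and closes; the client drains the stream so a NewSessionTicket is processed.
func negotiate(clientCfg, serverCfg *tls.Config) (Result, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Result{}, err
	}
	tl := tls.NewListener(ln, serverCfg)
	defer tl.Close()
	srvErr := make(chan error, 1)
	go func() {
		s, err := tl.Accept()
		if err == nil {
			_, err = s.Write([]byte("x")) // Write runs the handshake first
			s.Close()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		<-srvErr
		return Result{}, err
	}
	io.Copy(io.Discard, c)
	st := c.ConnectionState()
	c.Close()
	if err = <-srvErr; err != nil {
		return Result{}, err
	}
	return Result{Version: st.Version, CipherSuite: st.CipherSuite, Resumed: st.DidResume}, nil
}

// Demo holds each scenario's outcome for main (or a test) to inspect.
type Demo struct {
	Default, First, Second Result
	Refused                error // 1.3-only server vs client capped at 1.2
}

// Run performs three negotiations against one throwaway certificate.
func Run() (d Demo, err error) {
	// Self-signed ECDSA certificate for "localhost" so the example runs offline
	// (assumption: a real server presents a CA-issued certificate).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return d, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return d, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	client := &tls.Config{ServerName: "localhost", RootCAs: pool}
	server := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	// 1. Both sides 1.3-capable: 1.3 wins with one of its fixed AEAD suites.
	if d.Default, err = negotiate(client, server); err != nil {
		return d, err
	}
	// 2. Client capped at 1.2 against a 1.3-only server: refused, not downgraded.
	capped, strict := client.Clone(), server.Clone()
	capped.MaxVersion, strict.MinVersion = tls.VersionTLS12, tls.VersionTLS13
	_, d.Refused = negotiate(capped, strict)
	// 3. Resumption: connection one's ticket is the PSK for connection two
	//    (crypto/tls sends no 0-RTT early data over TCP, so nothing is replayable).
	resuming := client.Clone()
	resuming.ClientSessionCache = tls.NewLRUClientSessionCache(4)
	if d.First, err = negotiate(resuming, server); err != nil {
		return d, err
	}
	d.Second, err = negotiate(resuming, server)
	return d, err
}

func main() {
	d, err := Run()
	fmt.Printf("%+v\nerror: %v\n", d, err)
}
```

Run it with go run; the only environmental assumption is that loopback networking is available. Removing the MinVersion setting on the strict server would let the capped client negotiate TLS 1.2 legitimately, which is still allowed: the downgrade marker in the ServerHello random value only trips when a client that offered 1.3 is handed a lower version, which is the tampering case rather than an honest old client.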
Between dropping legacy cryptography and trimming the handshake, TLS 1.3 has the potential to do a lot of good for the internet. Some browsers, Chrome and Firefox among them, have already shipped TLS 1.3 support based on earlier IETF drafts. Now that the protocol has been formalized, expect your browser to update to the approved version; that is one update you definitely shouldn't ignore if you want the latest in secure connection technology.