According to the IETF, 30 percent of connections on Chrome and 27 percent on Firefox use TLS 1.3. Here’s what you need to know about TLS 1.3 and what this new website security edition of TLS means for your company.
One of the things I love most about the SSL industry is that it’s constantly evolving. There is always something fresh to talk about, explore, argue over, and think about. Today, we’re going to learn about something in the SSL universe that’s pretty recent: we are going to look under the hood of TLS 1.3, the newest version of the cryptographic protocol, which is expected to take SSL security and performance to new heights.
I have a question for you before I get to TLS 1.3. Would you shift your car straight into fifth gear? Well, no, you wouldn’t, would you? In the same way, before we get to TLS 1.3, it’s important to understand what TLS means. So, let’s get started!
What Is TLS (Transport Layer Security)?
Necessity is the mother of invention, as the cliché goes. In the early 1990s, as more and more individuals were using the internet, there was suddenly a need to protect the privacy of users, and that need gave rise to the TLS protocol. SSL (Secure Sockets Layer), the first internet authentication protocol, was invented to address this issue. So, what’s the distinction between TLS and SSL?
First developed by Netscape, SSL was launched as SSL 2.0 in 1995; SSL 1.0 was never released. TLS eventually became SSL’s successor. Three versions of TLS have been released so far, and TLS 1.3 is the most recent.
A secure connection between a client (usually the web browser of an end user) and a web server is provided by TLS. By encrypting the data-in-transit, this safe link is created. Many IP-based internet protocols, including HTTPS, POP3, SMTP, and FTP, support TLS data encryption.
In everyday use, TLS is deployed through what is known as an “SSL certificate.” These digital certificates are also known as “TLS certificates,” but since it’s more convenient, most people use the legacy term “SSL certificate.” These certificates are the reason that, when you submit data to a website, your sensitive information is not leaked to the internet.
How TLS 1.3 Came Into Existence
The computing industry has taken huge strides in processing capacity as time has progressed. Today’s technology makes it possible for us to use smartphones and exchange data at an unparalleled pace. Growing processing power and data sharing bring a security problem with them, however: the more processing capacity is available, the more fragile outdated security protocols become, and that is exactly what happened to TLS 1.0 and TLS 1.1. Both of these protocols were sufficiently secure for a period of time, but once security flaws were found in them, they showed that they do not stand the test of time.
That is why, in 2008, TLS 1.2, the most commonly used TLS protocol, came into being. It is the longest-serving TLS protocol, but it still has vulnerabilities, as is true of all encryption technologies. The bulk of TLS 1.2’s weaknesses, though, are theoretical in nature, and that’s why it’s still a reliable protocol to use. The perceived vulnerabilities in TLS 1.2 underscored the need for a more secure replacement, and that is where the effort to build TLS 1.3 began.
The journey to the introduction of TLS 1.3 was by no means a simple one; it took 28 drafts to specify it at the Internet Engineering Task Force (IETF). There were several roadblocks, such as middleboxes and efforts by commercial interests to weaken the protocol. But eventually, TLS 1.3 was launched in 2018 after a decade of work.
How TLS Version 1.3 Is a Significant Upgrade Over TLS 1.2
First, let’s say it again: TLS 1.2 is already a secure protocol to use, so there is no reason to worry. More than 67 percent of the websites analyzed by SSL Labs support TLS 1.2 as of May 2020, while just 29.7 percent of sites support TLS 1.3. That said, TLS 1.2 was published in 2008, and that’s why, with the future in mind, it has some issues that need to be addressed.
Among the many technical differences, version 1.3 of TLS includes three enhancements that matter most to an average user. Those benefits are:
- Increased Speed
- Better Security
- Simplified Cipher Suites
Let’s look at each of these advantages in a little more depth.
TLS 1.3: The Performance Benefit of a Shortened Handshake Process
At the heart of all SSL/TLS protocols is a process known as the “handshake.” The handshake happens when the client and the server connect: they authenticate each other and negotiate encryption so that data can be transferred securely. It’s a series of messages sent back and forth between the two parties.
As far as the TLS 1.2 handshake is concerned, it involves two round trips of communication between the client and the server. As a consequence, the number of negotiation messages required is four. While this is not a big deal when you have just a few users on your website, when you do it at scale, it hurts network performance.
TLS 1.3 addresses this concern by reducing the handshake to a single round trip, because only two exchanges take place between the client and the server. The result is a faster connection. The difference might be measured in milliseconds, but this is undoubtedly a significant advantage in domains where even a microsecond can make a world of difference.
Not only that, but TLS 1.3 also provides another feature that will have a significant performance impact. This characteristic is referred to as “Zero Round Trip Time Resumption” (0-RTT). The 0-RTT functionality paves the way for SSL/TLS handshakes that have zero round trips, just as its name suggests.
The 0-RTT feature comes into play when a server and client resume a previous connection. Therefore, on websites that you’ve visited in the past, no back-and-forth communication is needed before data is sent, and the very first message you send to the server is already encrypted. This is achieved using the resumption master secret. 0-RTT significantly decreases load time.
TLS 1.3: The Security Advantage
The most obvious but also the most essential benefit of TLS 1.3 comes in the form of security. TLS 1.3 has discontinued support for several of the older, potentially insecure ciphers and algorithms that were still supported in TLS 1.2. These deprecated items include:
- RSA Key Transport
- Various Diffie-Hellman groups
- CBC Mode Ciphers
- RC4 Stream Cipher
- MD5 Algorithm
- EXPORT-Strength Ciphers
TLS 1.3: Simplified Cipher Suites
As we saw above, the number of negotiation messages between the client and the server has been cut in half. This reduction goes hand in hand with smaller cipher suites. Cipher suites in TLS 1.2 and earlier TLS versions specified four algorithms each. That made hundreds of cipher combinations possible, without giving any specific guidance on which combination offered better protection.
TLS 1.3, however, simplifies the choice of ciphers, since there are only five cipher suites to choose from. These cipher suites are listed below:
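As an added illustration of this section and the deprecated-algorithm list above (my own example code, not code from the article), the Python script below uses the standard `ssl` module to build a server-side TLS context along the lines the article recommends, with TLS 1.2 as the minimum version and TLS 1.3 allowed, and then audits every enabled cipher for the categories TLS 1.3 removed: RSA key transport, RC4, MD5, export-strength ciphers, and non-AEAD (CBC) modes. The five TLS 1.3 suite names are the ones defined in RFC 8446; the cipher string, the function names and the audit categories are this example’s own choices and assumptions. Which ciphers the default context enables depends on the local OpenSSL build, which is exactly why an audit like this is worth running.

```python
import ssl

# The five TLS 1.3 cipher suites defined in RFC 8446 (a standards fact,
# not something the article spells out).
RFC8446_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def hardened_server_context() -> ssl.SSLContext:
    """Server context following the article's advice: TLS 1.2 is the floor,
    TLS 1.3 stays enabled, and only forward-secret AEAD suites are offered
    for TLS 1.2.  The cipher string is this example's choice (assumption)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops SSLv3, TLS 1.0, TLS 1.1
    # (EC)DHE gives forward secrecy; GCM/CHACHA20 are AEAD, so no CBC modes.
    # set_ciphers() only governs the TLS 1.2 list; TLS 1.3 suites are fixed
    # by the protocol and are not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def _is_aead(cipher: dict) -> bool:
    # Newer Pythons report an 'aead' flag; fall back to the name for older ones.
    name = cipher["name"]
    return bool(cipher.get("aead")) or any(t in name for t in ("GCM", "CHACHA20", "CCM"))


def audit_ciphers(ctx: ssl.SSLContext) -> list:
    """Return (cipher name, reason) pairs for every enabled pre-1.3 cipher that
    falls into a category TLS 1.3 dropped.  An empty list means the context
    offers nothing that TLS 1.3 considered too weak to keep."""
    findings = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if c["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with (EC)DHE-only key exchange
        if c.get("kea") == "kx-rsa":
            findings.append((name, "RSA key transport (no forward secrecy)"))
        if "RC4" in name:
            findings.append((name, "RC4 stream cipher"))
        if "MD5" in name or c.get("digest") == "md5":
            findings.append((name, "MD5 MAC"))
        if name.startswith("EXP"):
            findings.append((name, "export-strength cipher"))
        if not _is_aead(c):
            findings.append((name, "non-AEAD (CBC or stream) mode"))
    return findings


def enabled_tls13_suites(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.3 suites this context will actually offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3")


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    # Compare the library's default server context with the hardened one.
    default_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    for label, ctx in (("default", default_ctx), ("hardened", hardened_server_context())):
        print(f"[{label}] minimum version: {minimum_version_name(ctx)}")
        print(f"[{label}] TLS 1.3 suites:  {enabled_tls13_suites(ctx)}")
        for name, reason in audit_ciphers(ctx):
            print(f"[{label}] weak: {name:32s} {reason}")
        if not audit_ciphers(ctx):
            print(f"[{label}] no deprecated cipher categories enabled")
```

Running the script prints the minimum protocol version, the TLS 1.3 suites the local OpenSSL supports, and any TLS 1.2 ciphers that belong to a category TLS 1.3 removed; the hardened context reports none, while a stock default context on many builds still lists RSA-key-transport and CBC suites.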
Do Browsers Support TLS 1.3?
Initially, there were some issues when TLS 1.3 was released, and browsers took a little time to adopt it. Today, however, all major browsers support TLS 1.3. As a web user, you must make sure you are running an up-to-date version of your browser to take advantage of it, since older versions may not support TLS 1.3.
Final Word: Start Using TLS 1.3
If it had been up to security nerds like me, we would have made TLS 1.3 mandatory on all websites. Fortunately or sadly, depending on how you look at it, that is not the case. It is certainly disappointing to see only a fraction of websites using TLS 1.3 given all the benefits it provides. However, since that number is growing day by day, there is a silver lining.
If you have a website, then you need to make sure TLS 1.3 support is available. If you’re not sure, go to the SSL Labs website to check which TLS protocols your server supports. If your site still supports TLS versions older than TLS 1.2, you should disable that support as soon as possible, as it might place your website at considerable risk. And if you discover that your web server does not support TLS 1.3, you know what to do. Right?