Introducing TLS 1.3, the first major overhaul of the TLS protocol with improved security and speed

The Internet Engineering Task Force (IETF), an organization that defines internet protocols, standardized the latest version of its most important security protocols, Transport Layer Security (TLS). Introducing TLS 1.3.

The latest version, TLS 1.3 i.e. RFC 8446 was published on August 10, 2018. This version is the first major overhaul of the protocol, which brings in significant security and performance improvements.

https://youtu.be/HFzXrqw-UpI

TLS 1.3 vs TLS 1.2

The TLS 1.2 was defined in RFC 5246 and has been in use by a majority of all web browsers for eight years. The IETF organization finalized TLS 1.3, as of March 21, 2018.

One can still deploy the TLS 1.2 securely. However, many of the high profile vulnerabilities have exploited certain parts of the 1.2 protocol along with some outdated algorithms. In the new TLS 1.3, all of these problems have been resolved and the included algorithms are said to have no known vulnerabilities.

In contrast to the TLS 1.2, the v1.3 has an added privacy for data exchanges. This is done by encrypting more of the negotiation handshake to protect it from eavesdroppers. This helps in protecting the identities of the participants and impedes traffic analysis.

In short, the TLS 1.3 has some performance improvements such as faster speed and increased security. Companies such as Cloudfare are making the new TLS 1.3 available to their customers.

What’s new in the TLS v1.3?

Improved security

The outdated and insecure features in the TLS 1.2 removed in the v1.3 include:

SHA-1

3DES

AES-CBC

Arbitrary Diffie-Hellman groups — CVE-2016-0701

EXPORT-strength ciphers – Responsible for FREAK and LogJam

The cryptographic community was having a constant check to analyze, improve, and validate security in TLS 1.3. It also removes all primitives and features that have contributed to weak configurations and has enabled common vulnerability exploits like DROWN, Vaudenay, Lucky 13, POODLE, SLOTH, CRIME and more.

Improved Speed

Web performance was affected due to TLS and other encrypted connections. However, the HTTP/2 helped in overcoming this problem. Further, the new version, TLS 1.3, helps in speeding up the encrypted connections even more with features such as TLS false start and Zero Round Trip Time (0-RTT).

Simply put, TLS 1.2 requires two round-trips to complete the TLS handshake. On the other hand, the v1.3 requires only one round-trip, which in turn cuts the encryption latency in half.

Another interesting feature with the TLS 1.3 is, one can now send data on the first message to the server to the sites which the user has visited previously. This is called a “zero round trip.” (0-RTT). This results in improved load times.

Browser support for TLS v1.3

Google has started warning their users in search console that they are moving to TLS version 1.2, as TLS 1 is no longer that safe. TLS version 1.3 is enabled in Chrome 63 for outgoing connections. Support for TLS 1.3 was added back in Chrome 56 and is also supported by Chrome for Android.

https://twitter.com/screamingfrog/status/940501282653077505

TLS 1.3 is enabled by default in Firefox 52 and above (including Quantum). They are retaining an insecure fallback to TLS 1.2 until they know more about server tolerance and the 1.3 handshake.