Crossbow Labs

TLS v1.3: Be ready to migrate to faster and more secure HTTPS traffic

In recent years, numerous enterprises have moved away from obsolete and vulnerable protocols such as SSL and early TLS (TLS v1.0 and v1.1). Though many businesses have settled on TLS v1.2 (considered secure for deployment), it is always good to look forward to a more reliable protocol. The susceptibility of TLS v1.2 to weak algorithms and the exploitation of its optional parts are pressing concerns.

In August 2018, an improved successor to TLS v1.2 was published (RFC 8446). It marked the arrival of TLS v1.3, with improvements in configuration, privacy, security, and speed. Since the industry will take a while to settle on the new protocol, we believe now is a good time to raise the topic again.

In technology, speed is a fundamental requirement. TLS v1.3 removes a round trip from the handshake, which reduces the latency of setting up an encrypted connection. It can also store key information exchanged in a previous handshake, which makes reconnection faster; technically speaking, it uses 0-RTT (zero round-trip time) resumption. However, this speed could be risky: a malicious user who can access both the device and the 0-RTT information may be able to spoof a connection.

Another significant feature of TLS v1.3 is that it does not support algorithms such as SHA1, RC4, MD5, DES, 3DES, and AES-CBC, so administrators cannot misconfigure it to use them. The cryptographic algorithms TLS v1.3 relies on are essentially those without known vulnerabilities, such as the Elliptic Curve Diffie-Hellman key exchange, Authenticated Encryption with Associated Data (AEAD) ciphers, and HKDF. At the same time, this feature helps in fighting downgrade attacks.
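As an added illustration (not code from Crossbow Labs), the Python sketch below audits cipher suite names for the legacy algorithms listed above and builds a client context that refuses anything below TLS v1.3. The function names and the sample cipher list are constructed for this example, and the name-matching heuristics cover only the algorithms this article names.

```python
import re
import ssl

# Algorithms the article lists as dropped by TLS v1.3, matched against cipher
# suite names. A name ending in "SHA" means HMAC-SHA1, and an AES suite with
# no GCM/CCM in its name runs in CBC mode.
LEGACY_PATTERNS = {
    "RC4": re.compile(r"RC4"),
    "MD5": re.compile(r"MD5"),
    "3DES": re.compile(r"3DES|DES-CBC3"),
    "DES": re.compile(r"(?<!3)DES(?!-CBC3)"),
    "SHA1": re.compile(r"[-_]SHA$"),
    "AES-CBC": re.compile(r"AES(?!.*(GCM|CCM))"),
}

# Constructed sample: a TLS v1.2-era cipher list followed by TLS v1.3 suites.
SAMPLE = [
    "RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
]

def legacy_algorithms(suite):
    """Return the article-listed legacy algorithms that a suite name implies."""
    name = suite.upper()
    return [alg for alg, rx in LEGACY_PATTERNS.items() if rx.search(name)]

def audit(suites):
    """Map each offending suite to its findings; clean suites are omitted."""
    return {s: found for s in suites if (found := legacy_algorithms(s))}

def tls13_only_context():
    """Client context that refuses to negotiate anything below TLS v1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def local_tls13_findings():
    """Audit the TLS v1.3 suites offered by the local OpenSSL build."""
    ciphers = tls13_only_context().get_ciphers()
    return audit(c["name"] for c in ciphers if c.get("protocol") == "TLSv1.3")

if __name__ == "__main__":
    for suite, found in audit(SAMPLE).items():
        print(f"{suite}: {', '.join(found)}")
    print("local TLS v1.3 findings:", local_tls13_findings() or "none")
```

Only the TLS v1.2-era entries in the sample are flagged; the AES-SHA384 suite shows that a strong hash in the name does not mean the suite avoids CBC mode.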

A beneficial security feature in TLS v1.3 is the use of a unique key for each network session. The key exchange protocol generates a one-time key that is used only for the current network session. Besides this, the negotiation handshake is more secure than in TLS v1.2.

Owing to all these upgrades, in a few years from now, or even sooner, we may have to say goodbye to TLS v1.2 in the same way we did to SSL and early TLS. As of now, TLS v1.3 will be the driver of faster and more secure HTTPS traffic!