The web will soon be a little safer with the approval of this new security standard
TLS 1.3 makes a few prominent changes that should keep you safe.
- The "handshake" between client and server has been streamlined and encryption initiated earlier to minimize the amount of data transmitted in the clear.
- "Forward secrecy," meaning hackers can't skim decryption keys from one exchange and use them to decrypt others later.
- "Legacy" encryption algorithms have been removed as options, as these could occasionally be forced into use and their shortcomings leveraged to break the cipher on messages.
- A new "0-RTT," or zero round-trip time, mode in which a server and client that have previously established some preliminaries can get right to sending data without introducing themselves to each other again.
The whole standard is 155 pages long, and really only other engineers will want to dig in. But it's available here if you'd like to peruse it or go into detail on one of the new features.
Also at The Register.
(Score: 2) by VLM on Monday March 26 2018, @12:08PM (1 child)
Is 0-RTT still open to replay attacks or did they fix that? Something mumble appendix E.5 mumble.
I'm curious if what I heard is 1) true and 2) for a previous revision.
(Score: 2) by takyon on Monday March 26 2018, @12:50PM
Reg article says:
https://www.infosecurity-magazine.com/news/tls-protocol-13-approved/ [infosecurity-magazine.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
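As an added illustration (not part of the summary or of either comment), the sketch below shows how a server can handle the replay concern raised about 0-RTT, using the ClientHello-recording and freshness-window mitigations that RFC 8446 section 8 describes. The `EarlyDataGuard` class, its return strings, the 10-second window and the idempotent-methods policy are assumptions made for this example, not any TLS library's API.

```python
import time
from collections import OrderedDict

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed policy: only idempotent requests in 0-RTT


class EarlyDataGuard:
    """Hypothetical server-side gate deciding what to do with 0-RTT early data."""

    def __init__(self, window_s=10.0, clock=time.monotonic):
        self.window_s = window_s      # freshness window (constructed value)
        self.clock = clock
        self.seen = OrderedDict()     # PSK binder -> time first seen

    def _expire(self, now):
        # Entries older than the window can be dropped: a replay that late
        # is already rejected by the freshness check, so storage stays bounded.
        while self.seen:
            binder, first_seen = next(iter(self.seen.items()))
            if now - first_seen <= self.window_s:
                break
            self.seen.popitem(last=False)

    def decide(self, psk_binder, ticket_age_skew_s, method):
        """ticket_age_skew_s: server-measured ticket age minus the age the
        client reported, as computed by the TLS stack (assumed input)."""
        now = self.clock()
        self._expire(now)
        if abs(ticket_age_skew_s) > self.window_s:
            return "reject-stale"     # drop early data, continue with a full handshake
        if psk_binder in self.seen:
            return "reject-replay"    # same ClientHello seen before inside the window
        self.seen[psk_binder] = now
        if method not in SAFE_METHODS:
            return "defer"            # hold until the handshake completes
        return "accept"


if __name__ == "__main__":
    guard = EarlyDataGuard()
    # Constructed sample: the same ClientHello binder arriving twice.
    for binder, skew, method in [(b"binder-A", 0.4, "GET"), (b"binder-A", 0.4, "GET"),
                                 (b"binder-B", 0.2, "POST"), (b"binder-C", 45.0, "GET")]:
        print(binder.decode(), method, "->", guard.decide(binder, skew, method))
```

The cache here lives in one process; when several servers accept the same session tickets, the record of seen ClientHellos has to be shared or partitioned between them, otherwise a copy sent to a different server is not recognised as a replay.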