Stories
Slash Boxes
Comments

SoylentNews is people

Transport Layer Security Version 1.3 Approved

posted by mrpg on Monday March 26 2018, @11:07AM   Printer-friendly
from the Certificate-verification-failed dept.

takyon writes:

The web will soon be a little safer with the approval of this new security standard

TLS 1.3 makes a few prominent changes that should keep you safe.

  • The "handshake" between client and server has been streamlined and encryption initiated earlier to minimize the amount of data transmitted in the clear.
  • "Forward secrecy," meaning hackers can't skim decryption keys from one exchange and use it to decrypt others later.
  • "Legacy" encryption algorithms have been removed as options, as these could occasionally be forced into use and their shortcomings leveraged to break the cipher on messages.
  • A new "0-RTT," or zero round-trip time, mode in which the server and client that have established some preliminaries before can get right to sending data without introducing themselves to each other again.

The whole standard is 155 pages long, and really only other engineers will want to dig in. But it's available here if you'd like to peruse it or go into detail on one of the new features.

Also at The Register.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Transport Layer Security Version 1.3 Approved | Log In/Create an Account | Top | 29 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Monday March 26 2018, @08:25PM

    by Anonymous Coward on Monday March 26 2018, @08:25PM (#658634)

    Perspectives had an alternative (which ran along side the CA system). It goes like this:

    * You visit site, they give you a certificate (potentially self-signed).
    * You ask the notaries (similar to CAs, but you get to choose who you trust rather than the site getting to choose).
    * The notaries send you what they have for the cert of that site (either cached or they can fetch it when asked).
    * Once enough notaries have reported back, you check that enough of them (you set threshold) agree with the cert you have gotten.
    * If so, you trust the cert (self signed or not) because either it is valid, or the entire trust network is compromised.

    The reason this system works, is that to compromise a site, you must issue your compromised cert to the entire internet (not just your target), this means that the original site owner can notice.

    The reason it doesn't work, is that the notaries have no way to get paid for their services.