One year ago the IETF published TLS 1.3 in RFC 8446. Here is what is different from previous versions.
TLS 1.3 is the seventh iteration of the SSL/TLS protocol, having been preceded by SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
TLS 1.2 has been serving the internet faithfully for a decade now, yet nearly 25% of the Alexa Top 100,000 still don't support it. That's problematic, because making the jump from TLS 1.2 to TLS 1.3 is already a fairly large change. Upgrading from even older protocols will require even more configuration.
Now, that's not to imply upgrading is prohibitively difficult; it's more to illustrate that one of the biggest challenges facing TLS 1.3, at least for the next year or so, is the rate of adoption.
As of the end of last year, just over 17% of the Alexa Top 100,000 supported TLS 1.3.
Here are the primary differences between TLS 1.3 and prior versions:
- Eliminates support for outmoded algorithms and ciphers
- Eliminates RSA key exchange, mandates Perfect Forward Secrecy
- Reduces the number of negotiations in the handshake
- Reduces the number of algorithms in a cipher suite to 2
- Eliminates block mode ciphers and mandates AEAD bulk encryption
- Uses HKDF cryptographic extraction and key derivation
- Offers 1-RTT mode and Zero Round Trip Resumption
- Signs the entire handshake, an improvement over TLS 1.2
- Supports additional elliptic curves
In short, TLS 1.3 is faster to establish, faster to reestablish, streamlined throughout, and more secure than previous versions of SSL and TLS.
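The HKDF point in the list above is worth seeing concretely. The block below is an added example, not code from the article or from any of the libraries it names: it implements HKDF-Extract, HKDF-Expand, HKDF-Expand-Label and Derive-Secret as RFC 8446 section 7.1 defines them, and walks the first two stages of the key schedule (Early Secret, "derived" secret, Handshake Secret) using only the Python standard library. The ECDHE shared secret passed in is a constructed placeholder.

```python
import hashlib
import hmac

# Added example, not from the article: the TLS 1.3 key-schedule primitives of RFC 8446
# section 7.1, built on HKDF (RFC 5869) with HMAC-SHA256 from the standard library.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 bytes for the SHA-256 suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated to `length` bytes."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm, i = okm + t, i + 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: Expand over the HkdfLabel struct (uint16 length, "tls13 " + label, context)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret: Expand-Label keyed with the transcript hash of the handshake messages so far."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def early_and_handshake_secrets(psk: bytes, ecdhe_shared: bytes) -> tuple:
    """First two stages of the key schedule; with no PSK the Early Secret uses HashLen zero bytes."""
    early_secret = hkdf_extract(b"", psk or bytes(HASH_LEN))
    derived = derive_secret(early_secret, b"derived", b"")        # transcript is empty at this point
    handshake_secret = hkdf_extract(derived, ecdhe_shared)         # (EC)DHE output is the IKM
    return early_secret, derived, handshake_secret
```

With no PSK, the Early Secret and the "derived" secret are constants for the SHA-256 suites, so they can be checked against the published RFC 8448 trace; everything after the Handshake Secret depends on the (EC)DHE output.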
Most popular browser clients already support TLS 1.3. Server libraries with TLS 1.3 support include:
- OpenSSL 1.1.1
- GnuTLS 3.5.x
- Google's Boring SSL (current)
- Facebook's Fizz (current)
What's in your server?
(Score: 5, Informative) by The Shire on Wednesday July 17 2019, @01:44AM (6 children)
This helps on the server side but will go largely unnoticed by the end user.
Actually there are three mandated by TLS 1.3:
- TLS13-CHACHA20-POLY1305-SHA256
- TLS13-AES-256-GCM-SHA384
- TLS13-AES-128-GCM-SHA256
Mostly true, however TLS 1.2 also supports ciphers with PFS (Perfect Forward Secrecy) and there are no known attacks that can crack it. Using TLS 1.2 with the proper set of ciphers is every bit as secure as TLS 1.3.
It's also worth pointing out that TLS 1.3 does not fix the SNI problem, which allows anyone on the wire (like your service provider) to easily determine the domains you're communicating with. This was once something ISPs did by intercepting DNS queries, but now that we have DNSSEC, DoT (DNS over TLS), and DoH (DNS over HTTPS) protecting those queries, they have fallen back to intercepting the TLS SNI field. So while they cannot decrypt the traffic, they can still easily track the domains you are connecting to. In other words, they still know you're watching porn. Until there is more widespread adoption of ESNI (Encrypted Server Name Identification) they will still be building browser histories on you. Cloudflare currently supports this but most browsers need manual settings to make it work.
(Score: 5, Interesting) by edIII on Wednesday July 17 2019, @02:59AM (1 child)
Cloudflare still causes tracking [privateinternetaccess.com].
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by FatPhil on Wednesday July 17 2019, @07:21AM
So TLS1.3 is broken by design right from the off, and that, boys and girls, is "progress".
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday July 17 2019, @04:18AM (2 children)
> intercepting the TLS SNI field.
SNI was a workaround made for IPv4. Remove SNI and IPv4. IPv4 is like GeoCities. Far past its expiration date. ISPs have replaced modems with faster technologies that include WiFi with IPv6 built into them. There is as much reason to keep IPv4 around as there is Internet Explorer 6.
(Score: 4, Insightful) by The Mighty Buzzard on Wednesday July 17 2019, @10:29AM (1 child)
Dumbest quote of the day and I've barely got any coffee in me yet. IPv6 doesn't even make up a quarter of our bandwidth usage and we use it for all inter-server communication, including backups.
My rights don't end where your fear begins.
(Score: 1, Informative) by Anonymous Coward on Wednesday July 17 2019, @01:35PM
A few years ago I went fully IPv6 at home. My ISP supported it, my router supported it, my desktop supported it. Then I got an IoT thing and had to turn IPv4 back on.
(Score: 5, Interesting) by driverless on Wednesday July 17 2019, @04:34AM
That's the important thing. And it was mostly driven by Google, as a means of making Google's content delivery more efficient. The security red herring was just an excuse to replace existing algorithms with all the latest hipster stuff, but most of the motivation behind 1.3 was to make things easier for organisations like Google to push content out to clients, even when it negatively impacted security (0RTT is just a giant foot-shoot waiting to happen). Properly-implemented TLS 1.2 is no more or less secure than properly-implemented 1.3. And that's the rub, you don't get better security by throwing everything away and starting again, you get it by fixing your existing code. Since TLS 1.3 is starting again from a mostly new codebase, there's going to be lots and lots of vulns discovered that were bred out of TLS 1.2 implementations over the years. Keep an eye on anything doing 0RTT in particular, but there's lots more areas for vulnerabilities.