Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday July 17 2019, @12:34AM   Printer-friendly
from the heat-death-of-the-universe-to-break,-or-maybe-five-years dept.

One year ago the IETF published TLS 1.3 in RFC 8446. Here is what is different from previous versions.

TLS 1.3 is the seventh iteration of the SSL/TLS protocol, having been preceded by SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

TLS 1.2 has been serving the internet faithfully for a decade now, yet nearly 25% of the Alexa Top 100,000 still doesn't support it. That's problematic, because making the jump from TLS 1.2 to to TLS 1.3 is already a fairly large change. Upgrading from even older protocols will require even more configuration.

Now, that's not to imply upgrading is prohibitively difficult, it's more to illustrate that one of the biggest challenges that's going to face TLS 1.3, at least for the next year or so, is the rate of adoption.

As of the end of last year, just over 17% of the Alexa Top 100,000 supported TLS 1.3.

Here are the primary differences in TLS 1.3 and prior versions:

- Eliminates support for outmoded algorithms and ciphers
- Eliminates RSA key exchange, mandates Perfect Forward Secrecy
- Reduces the number of negotiations in the handshake
- Reduces the number of algorithms in a cipher suite to 2
- Eliminates block mode ciphers and mandates AEAD bulk encryption
- Uses HKDF cryptographic extraction and key derivation
- Offers 1-RTT mode and Zero Round Trip Resumption
- Signs the entire handshake, an improvement of TLS 1.2
- Supports additional elliptic curves

In short, TLS 1.3 is faster to establish, faster to reestablish, streamlined throughout, and more secure than previous versions of SSL and TLS.

Most popular browser clients already support TLS 1.3. Server library versions supporting TLS 1.3 include

- OpenSSL 1.1.1
- GnuTLS 3.5.x
- Google's Boring SSL (current)
- Facebook's Fizz (current)

What's in your server?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by edIII on Wednesday July 17 2019, @02:59AM (1 child)

    by edIII (791) on Wednesday July 17 2019, @02:59AM (#867818)

    Cloudflare still causes tracking [privateinternetaccess.com].

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    Starting Score:    1  point
    Moderation   +3  
       Interesting=2, Informative=1, Total=3
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by FatPhil on Wednesday July 17 2019, @07:21AM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday July 17 2019, @07:21AM (#867899) Homepage
    Christ, that's damning: "A design that requires internet users to “trust” that no one will do this is a fundamentally broken design."
    So TLS1.3 is broken by design right from the off, and that, boys and girls, is "progress".
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves