TLS 1.3 Approved – Let’s get ready for much faster and more secure HTTPS connections!

For a few years now, the IETF’s TLS 1.3 standardization effort has looked like a never-ending story. Glad to note the wait is over. After 28 drafts for review, last week the IETF finally ratified TLS 1.3 as an approved standard. TLS 1.3 promises significantly faster SSL/TLS performance and a much more secure communication protocol standard than ever before! It also brings a radical change from its predecessor, the TLS 1.2 protocol, which currently survives with many known risks.

TLS 1.3 fundamentally changes the existing TLS 1.2 protocol with several additions and changes to its processes:

  • Expected to speed up connections at least 2X by establishing the TLS handshake in the first round trip (existing TLS 1.2 requires 2 more round trips). The client can send key material and encrypted payload without server feedback. All handshake messages after ServerHello are now encrypted.
  • No compression or renegotiation.
  • Deprecates legacy public-key encryption (static RSA key transport and Diffie-Hellman) and hashing (MD5 and SHA-1) algorithms.
  • Uses elliptic-curve algorithms (ECDHE) as the base instead of RSA key transport (known to have issues with ‘Forward Secrecy’).
  • New signature algorithms Ed25519 and Ed448; uses HMAC, with extended support for ChaCha20, Poly1305, Ed25519, X448 and X25519. All public-key encryption mechanisms used ensure forward secrecy.
  • HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
  • Enforces “Forward Secrecy”, assuring that past sessions stay secure. “Deep packet inspection” and passive monitoring of TLS sessions will no longer be effective or make sense.
  • Introduces TLS False Start and Zero Round-Trip-Time (0-RTT) resumption, which will significantly help speed up connections, especially with previously established handshakes or frequently connected Web sites. This will boost the performance of mobile apps and SaaS cloud applications.
  • No forced-downgrade options are available; in use it resists tampering, and peers cannot be forced to negotiate different cipher suite parameters.

and more…
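
To make the HKDF item in the list above concrete, here is an added example (not part of the original post) that implements HKDF extract and expand as specified in RFC 5869 and the HKDF-Expand-Label wrapper from RFC 8446 section 7.1, then computes the first two key-schedule secrets of a TLS 1.3 handshake with no pre-shared key. The function names are this example's own, and it assumes a SHA-256 cipher suite.

```python
# Added illustration (not from the original post); function names are this example's own.
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: concentrate input keying material into a PRK."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1: HKDF-Expand over the TLS 1.3 HkdfLabel structure."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_early_and_derived_secret() -> tuple:
    """First two key-schedule steps for a handshake without a PSK."""
    zeros = bytes(HASH_LEN)
    early_secret = hkdf_extract(zeros, zeros)  # salt and PSK are both all-zero
    empty_hash = HASH(b"").digest()  # Derive-Secret over an empty transcript
    derived = hkdf_expand_label(early_secret, "derived", empty_hash, HASH_LEN)
    return early_secret, derived


if __name__ == "__main__":
    early, derived = tls13_early_and_derived_secret()
    print("early secret  :", early.hex())
    print("derived secret:", derived.hex())
```

The "derived" secret is the salt for the next extract step, where the ECDHE shared secret is mixed in; the label and transcript hash bind each output to its purpose, so one secret cannot be reused as another.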

Most browsers (Firefox, Chrome) already provide a TLS 1.3 implementation (based on earlier IETF drafts). OpenSSL 1.1.1 has an alpha version of TLS 1.3 as well. Considering the performance and security, TLS 1.3 will trigger faster adoption across all industries, especially among mobile and SaaS cloud providers! Undoubtedly TLS 1.3 is very promising and compelling for secure Web communication. Let’s stay tuned.
