It's time to upgrade to TLS 1.3 already, says CDN engineer
- 23 June, 2017 21:03
Businesses dragging their heels over rolling out TLS 1.2 on their website might have an excuse to delay a little longer: Version 1.3 of the TLS (Transport Layer Security) encryption protocol will be finalized later this year, and early deployments of it are already under way.
TLS, the successor to SSL, is used to negotiate secure connections to web or mail servers, encrypting data on the move.
Six years in the making, TLS 1.2 added new, stronger encryption options -- but retained all the older, weaker encryption schemes that had gone before in the name of backward compatibility. Unfortunately, this meant that someone able to perform a man-in-the-middle attack could often downgrade connections to a weaker encryption system without the user being aware.
Such attacks are good reasons to upgrade to TLS 1.3, according to Filippo Valsorda, a systems and cryptography engineer who has deployed TLS 1.3 system at content delivery network Cloudflare.
"A number the vulnerabilities that came out in the last two years that affected TLS 1.2 wouldn't have affected TLS 1.3 because of changes to the protocol," he said at a meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) in mid-June.
The designers of TLS 1.3 chose to abandon the legacy encryption systems that were causing security problems, keeping only the most robust. That simplicity is perhaps one of the reasons it will be ready in half the time it took to design its predecessor.
Connections will still fall back to TLS 1.2 if one end is not TLS 1.3-capable -- but if a MITM attacker attempts to force such a fallback, under TLS 1.3 it will be detected, Valsorda said.
Almost 93 percent of the websites in Alexa's top one million supported TLS 1.2 as of January, up from 89 percent six months earlier, according to a survey by Hubert Kario's Security Pitfalls blog. But seven percent of one million means a lot of websites are still running earlier and even less secure protocols.
Among the laggards are some sites you would hope to be on top of security: those taking online payments. Payment processors are still urging sites using their services to upgrade to secure versions of TLS before June 30, 2018, a deadline imposed by the Payment Cards Industry Security Standards Council.
So if you're still dithering over an upgrade from SSL or an early version of TLS to the latest thing, why not go straight to TLS 1.3?
There's no real reason not to, according to Valsorda.
"I think it is viable to do TLS 1.3 deployment now," he said.
Cloudflare said last September that it would offer users of its content delivery network early access to TLS 1.3.
Now, said Valsorda, "All the Cloudflare customers on the free plan have TLS 1.3 enabled by default and we haven't seen any problems."
Cloudflare tends to enable beta features such as this automatically for non-paying customers, allowing paying customers with larger or more complex networks to opt in when they are ready. To date, 3,000 domains have opted to turn on TLS 1.3, in addition to those for whom Cloudflare turned it on by default.
The few glitches Cloudflare did encounter turned out not to be at the server end, but on the client side.
A few organizations using security appliances to monitor their users' web-browsing habits found that connections to servers running TLS 1.3 were dropped without warning, blocking access to the sites concerned.
This issue occurred only in appliances that passively monitored connections without trying to insert themselves into the connection, Valsorda said. When they overheard an exchange they didn't understand -- such as the negotiation of a TLS 1.3 connection -- they would simply cut it off. The two or three models concerned have now been patched by their manufacturers, he said.
The process of testing for such glitches is still largely manual, Valsora said: An organization running such an appliance would need to take a TLS 1.3-compatible version of Google Chrome, enable TLS 1.3 in the settings (a process he described as "not super user-friendly") and then try to connect out to a TLS 1.3-enabled website such as Cloudflare.com.
"Maybe we should be working on how to enable better testing out of enterprises," he added.
So if you do decide to upgrade to TLS 1.3, what's in it for you?
Apart from its immunity to attacks on earlier versions, "TLS 1.3 has a huge performance benefit in terms of connection setup time," Valsorda said.
That's because negotiating the initial encrypted connection takes only one round-trip between client and server in TLS 1.3, compared to two round-trips in TLS 1.2. That can save several hundred milliseconds on a mobile internet connection, potentially halving the time to download some images, he said.
There's also an option called 0-RTT (zero round-trip time) within TLS 1.3 to resume a recently used connection without renegotiating the encryption, speeding things even more.
Few web servers and CDN services support TLS 1.3, still fewer the 0-RTT option for now. The website Is TLS fast yet? has a list. (Its answer, by the way, is "Yes.")
SSL and TLS aren't just for web servers, they are also used to encrypt connections to mail servers.
Janet Jones, co-chair of a M3AAWG group that aims to prevent the pervasive monitoring of communications, sees TLS 1.3 as key to securing email against interception.
"Some industries are going to love it from a security standpoint," she said.
On the other hand, wider usage of TLS 1.3 is not going to please governments wanting to conduct surveillance, or banks needing to comply with regulations to prevent collusion among traders. "They're not going to have the solutions to look at traffic and monitor it," she said.
But, she said, that's no reason to hold back on deployment of TLS 1.3.
"I would like to see more of our members doing deployments when this is released, or even prerelease."