TLS 1.3 Genesis, Mechanism and Working

Genesis

The Journey from SSL to TLS.

SSL stands for Secure Socket Layer which was first developed by Netscape and remained unreleased because of security flaws in the protocol; Later its Version 2.0 was launched in Feb 1995 which again had many security flaws and was forced to revamp and launch Version 3.0 in 1996.

Protocol Published

SSL 1.0 Unpublished

SSL 2.0 1995

SSL 3.0 1996

TLS 1.0 1999

TLS 1.1 2006

TLS 1.2 2008

TLS 1.3 2018

Due to many security flaws

The much required Transport Layer Security version TLS 1.3 approved finally by IETF after 28 drafts. TLS 1.3 is not a minor redesign; it is a major redesign of TLS 1.2.Internet Engineering Task Force (IETF) is an open source community of network, designers, operators, vendors, and researchers who collaborate to evaluate the standards.

If interested can read more about the Drafts in detail Click Here.

So what’s New in TLS 1.3?

“Enhanced Security and Speed”

Okay!

Speed: Web connections depend on TLS for securing network traffic and TLS 1.3 be a big step to move forward in securing connections with enhanced performance. With TLS 1.3 forward secrecy is mandatory, which ensures your sessions key will not be compromised even if the private key that present in the server is compromised.

TLS 1.3 removes old and unsafe cryptographic primitives, it is built using modern analytic techniques to be safer, it is always forward secure, it encrypts more data, and it is faster than TLS 1.2

TLS 1.3 removes old and unsafe cryptographic primitives, it is built using modern analytic techniques to be safer, it is always forward secure, it encrypts more data, and it is faster than TLS 1.2.

Security: a) Removed: TLS 1.3 now removes obsolete and insecure features from TLS 1.2, including the following:

  • SHA-1
  • RC4
  • DES
  • 3DES
  • AES-CBC
  • MD5

Arbitrary Diffie-Hellman groups — CVE-2016-0701

EXPORT-strength ciphers – Responsible for FREAK and LogJam.

b) Added : New Algorithms and Cipher included are:

ed25519, ed448, X25519, X448 ChaCha20/Poly1305.

And What’s more?

The TLS 1.3 version requires only a single round trip to set up the connections which give enormous speed for new connections.

LS 1.3 is designed for speed, specifically by reducing the number of network round-trips required before data can be sent to one round-trip or sometimes even zero round-trips.

TLS 1.3 brings changes in handling Server Name Identification “the SNI value is explicitly specified in the handshake, so the servers do not require to associate the SNI value in the ticket”.

Want to know whats SNI https://en.wikipedia.org/wiki/Server_Name_Indication  

So, Which Browsers Support TLS 1.3?

Unfortunately for now many browsers do not support the latest version of TLS yet and are in maintenance but you can run it on the latest version of FireFox and Chrome.

The Developer versions of these browsers have this feature turned on as default.

Links to Developer Version of these Browsers :

Firefox – https://www.mozilla.org/en-US/firefox/developer/

Chrome – https://developers.google.com/web/tools/chrome-devtools/

How to Enable TLS 1.3 in Chrome

If you’re running Chrome 62+ you can follow these instructions to enable TLS1.3 in your browser:

  1. Enter “chrome://flags/” in the browser’s address bar
  2. Search for TLS 1.3 and make sure the “Enabled (Draft)” option is selected
  3. Restart the browser

How to Enable TLS 1.3 in Firefox

If you’re running Firefox Latest Build (59.0.2) you can follow these instructions to enable TLS1.3 in your browser:

  1. In the browser’s address bar, enter “about:config”
  2. Change the security.tls.version.max from 3 to 4
  3. Restart the Browser

Digging Deep in  TLS 1.3

Less Latency, Less Problems

The biggest and main factor in page load time is latency or the time needed to transmit data between browser and server. Latency is especially relevant to mobile users and visitors who are geographically distant from the server. While encryption is essential to the digital and modern web, thus adding more latency. Fortunately, the new version of TLS adds less latency than previous versions.

Everybody realizes that page loading times matter with regards to holding requests, yet few individuals acknowledge exactly how enormous a distinction a couple of milliseconds can make. For instance, Amazon found that each 100ms of inactivity prompts a 1 percent decrease in their sales. In like manner, Google found that a negligible half-second increment in seek page age time made activity drop by 20 percent. These misfortunes include after some time; It’s evaluated that online business stages can lose up to $4 million in incomes yearly for each millisecond they lag behind their competitors.

Making the Internet Safer

Web security is likewise vital to organizations. Sites that store delicate data about clients on their servers are well known focuses for Hackers, and prominent hacks can irreversibly harm an organization’s notoriety. The new TLS intends to address the security issues that tormented 1.2, so organizations that do the switch are putting forth better insurance for their clients and themselves by implementing TLS1.3.Connections can still revert to TLS 1.2 if necessary, but TLS 1.3 can tell if a fallback was caused by a man-in-the-middle attack and block the threat.

The Payment Cards Industry (PCI) Security Standards Council has asked payment processors around the globe to adopt much a secure version of TLS by June 30, 2018.

While the 1.2 version carried a lot of unnecessary chunks left over from the original TLS, the new version is trimmer and much better equipped to deal with attempted man-in-the-middle attacks (MITM) and a collection of other cyber threats prevailing.

Okay, Understood but was it easy to Implement?

No!

Challenges to Implementing TLS 1.3

The finalized version of TLS 1.3 was expected to be ready earlier in 2017, but full deployment keeps getting delayed. While this hasn’t stopped many developers from taking advantage of the draft version.

The biggest obstacle to full TLS 1.3 deployment has been faulty middlebox devices. Google and Firefox noticed connection failures when testing the new version of TLS because some middleboxes responsible for directing internet traffic automatically block messages that don’t resemble known protocols. Therefore, more changes may be necessary to reduce the failure rate to an acceptable level.

These challenges are to be expected since implementing TLS 1.2 also came with a learning curve. Such “version intolerance” inspired browsers to include fallbacks, which led to a proliferation of old security vulnerabilities. TLS 1.3 features a new version negotiation mechanism to discourage browsers from implementing fallbacks, and Google has introduced its own mechanism called GREASE to help prevent connection failures.

The TLS protocol was designed for extensibility so that new features could be added without requiring existing clients to be updated. This feature has allowed TLS to adapt to changing algorithms and security requirements, but the amount of time it takes for new values to appear compared to the number of TLS implementations across the world has pushed that extensibility to its limits. The purpose of GREASE, which stands for Generate Random Extensions And Sustain Extensibility, is to identify interoperability issues by collecting information from around the world. Consequently, TLS is getting closer to perfection every day.

TLS 1.3 – Summary

As of the official arrival of TLS 1.3 drawing closer, these are energizing circumstances in the realm of security and web execution. Given that HTTP/2 was discharged only two or three years back and conveyed some real upgrades to the universe of web execution, the acknowledgment and utilization of TLS 1.3 will just further the objective of diminishing dormancy and advancing the web around the world.

In case despite everything you’re utilizing a TLS 1.0 or 1.1 yet aren’t exactly prepared to make the hop to 1.3, it’s a smart thought to move to TLS 1.2 for now. This rendition of TLS is as yet secure and in spite of the fact that has shortcomings, is broadly embraced and is as of now the standard.

Leave a Reply