TLS (Transport Layer Security) v 1.3 has recently been approved by the Internet Engineering Task Force (IETF) and the seemingly minor upgrade from version 1.2 appears to have some major changes.
ShowMeCon presenter John Wagnon, Senior Solution Developer for F5 Network’s DevCentral technical community, outlined the differences and history of the TLS protocol. I used his presentation and video on their website (resource below) as well as my own research to hit the high points in this blog.
First, some basic understanding of the SSL/TLS and history might make sense. You can read the basic definitions here:
But, cutting to the quick-TLS is basically a secure (encrypted) process of the client and server handshake. This handshake enables the user to communicate securely over the Internet.
Timeline: (Note: the timeline may differ depending on the article read. But years represented are relatively accurate.)
- 1994 – Netscape develops SSL version 1.0 but it is never publicly released.
- 1995 – Netscape develops SSL v 2.0 in an effort to fix many of the problems with version 1.
- Late 1994 – the first draft of SSLv3 is released to IETF
- Late 1996 – TLS v1.0
- 2006 – TLS v1.1
- 2008- TLS v1.2
- 2018 – TLS v1.3
What has changed in TLS v1.3?
Performance, by means of speed, is improved. Version 1.3 has shortened the handshake and turn around time in order to significantly reduce time.
There are better security features. Old, less secure ciphers are removed. Encryption is enabled early in the handshake process. Version registration is removed. This means that a bad actor could not intervene and make the server downgrade to an older, more vulnerable protocol.
Perfect forward secrecy (PFS) is required for the handshake to occur. What this does is generate a new private key for every session. Read more detail in the resource below.
Note: Firefox v61+ and Chrome v63+ support TLS v1.3
Resources:
Recommendations for TLS/SSL Cipher Hardening
The SSL/TLS Handshake: an Overview