An Improved Internet Security Protocol, The TLS 1.3, Has Been Approved

The Transport Layer Security (TLS) protocol is an integral technology in end-to-end data protection.

Just like SSL (Secure Sockets Layer), which has been deprecated by the Internet Engineering Task Force (IETF), TLS is a cryptographic protocol used in web apps, websites, email, instant messaging, VoIP and others to provide communications security over a computer network, between servers and browsers.

The IETF, which defines internet protocols, has now standardized TLS 1.3, an upgraded security protocol based on the earlier TLS 1.2 specifications.

Describing it as "a Major Revision Designed for the modern internet," the IETF noted that the update contains "major improvements in the areas of security, performance, and privacy."

According to TLS Working Group Chairs Joseph Salowey, Sean Turner and Christopher Wood:

"While the most widely used technology providing transport layer security for the Internet traces its origins back to SSL more than 20 years ago, ... TLS 1.3 is a major revision designed for the modern internet. The protocol has major improvements in the areas of security, performance, and privacy."

"Most modern web browsers and many applications you probably use already support TLS 1.3. For those not currently supporting the protocol, we expect future updates to bring in support."

The work began in April 2014. The protocol is so central to the encryption of web traffic that it took a long time for the engineers to check that nothing in it can cause major problems.

Because TLS 1.3 is meant to power secure transactions on the web, including handling the encryption of every HTTPS connection, one of its biggest advantages compared to TLS 1.2 is that it can make it even harder for eavesdroppers to decrypt internet traffic.

This is because TLS 1.3 introduces an improved encryption method during the negotiation handshake stage of data transport. This is meant to help protect the identities on either end of the exchange and to provide forward secrecy, which encrypts all communications in such a way that prior communications aren't compromised by potential future breaches.

"Although the previous version, TLS 1.2, can be deployed securely, several high profile vulnerabilities have exploited optional parts of the protocol and outdated algorithms," explained IETF in a blog post. "TLS 1.3 removes many of these problematic options and only includes support for algorithms with no known vulnerabilities."

To help ensure the security of TLS 1.3, the team at the IETF has collaborated with members of the cryptographic research community, including through hackathons and workshops.

The new version, which strips some insecure optional features from the previous version 1.2, is also less resource hungry and more efficient. This means that users of the web should be able to both reduce latency and benefit from lower CPU usage.

Because TLS 1.3 introduces significant changes and updates, some argue that it should be called TLS 2.0.

Initially, the implementation of TLS 1.3 caused some problems.

Google, for example, reported that TLS 1.3 had bricked tens of thousands of its Chromebooks, causing the company to pause its support for the protocol. The banking industry also pleaded with the IETF to introduce a backdoor to the system because, without it, the system could lock them out from seeing what's happening inside their own networks.

Then there were concerns about the addition of a component called "0-RTT Resumption", which effectively allows the client and server to remember if they have spoken before. This component makes connections much faster, but opens up a potential security hole.

But according to the IETF, it has put a lot of work into making sure that 1.3 has been tested in real-world situations before getting the official stamp.

"The process of developing TLS 1.3 included significant work on 'running code'," IETF noted, adding: "This meant building and testing implementations by many companies and organizations that provide products and services widely used on the internet, such as web browsers and content distribution networks."

While the protocol has major improvements in the areas of security, performance, and privacy, there are still some areas that researchers haven't yet gotten their hands on. But there are definitely many reasons to put it in place, especially because TLS 1.3 represents a big jump in general security.

Many modern web browsers and applications are already taking advantage of the new update. As of the moment of the introduction, Facebook said that it already serves almost half of its traffic over the new protocol. Others include Google, Cloudflare and Mozilla.

TLS 1.3, or RFC 8446, was published on August 10th, 2018. It credits Edward Snowden's mass surveillance revelations in 2013 as a major driver in the design of this protocol.

Published: 16/08/2018


This post first appeared on Eyerys | Eyes For Solution.