“As consumers we get more demanding all the time. We want better quality. We want it faster. And cheaper. Plus, we want more choices. Whoever comes along that can satisfy all these ‘wants’ gets our business.”
– Price Pritchett
There’s an old joke passed around among technical employees… Perhaps you’ve heard it? Engineers in the trenches often appeal to the following formula, or to something like it, as a way of pushing back against unreasonable demands from management:
“Sure thing, Boss. We can get your project done really fast, improve product quality, and get the whole job done for a lot less money. And, guess what? You get to pick any two.
Which two would you like?”
Introducing TLS 1.3
For years here at NetBurner, we’ve been talking about and offering Transport Layer Security (TLS), the successor to SSL (Secure Sockets Layer). In fact, we’ve written several articles on it. (If you’d like to review TLS basics, check out “Cover Your Data Assets with TLS”). You may also recall “Getting Back On The Horse” from a few months ago, our introduction to TLS session resumption. In that Learn Blog, we explained how TLS 1.2 facilitates reestablishing a connection between network devices that have been idle for a while without having to go through the entire security handshake all over again.
In today’s Learn Blog, we’re going to take a look at TLS 1.3, the latest version of the protocol.
TLS 1.3 is an internet standard five years in the making. On August 10th, 2018, and accompanied by a certain amount of fanfare, the Internet Engineering Task Force (IETF)—the standards body that defines internet protocols—published the TLS 1.3 specification.
You know that faster/better/cheaper joke? Surprisingly, if you substitute ‘simpler’ for ‘cheaper’ and ‘more secure’ for ‘higher quality’ in the above formula, TLS 1.3 offers a full triple advantage over TLS 1.2.
TLS 1.3 For A Three-Way Improvement Over TLS 1.2
Today we’ll dive right into TLS 1.3, the relatively new kid on the block (defined in RFC 8446). We aren’t going to do a deep dive, but if you really can’t live without getting down into some nitty-gritty details, you can check out this article. Instead, we’ll give you an overview by doing a straight-up comparison between TLS 1.3 and its predecessor, TLS 1.2 (defined in RFC 5246), which has been the security standard for almost a decade.
TLS 1.3 Is Faster
Who wouldn’t want faster? Faster is good. We like faster. But how does TLS 1.3 get there?
One of the improvements that makes TLS 1.3 faster than TLS 1.2 is the way the initial handshake has been shortened.
As illustrated in the diagram below, three exchanges between client and server—each typically 34 milliseconds long—have been removed from the connection protocol. This results in an average total time savings of over 100 milliseconds every time a connection is established.
But wait, there’s more! When a session is resumed, TLS 1.3 offers another time-saving feature called Zero Round Trip Time (0-RTT). What is 0-RTT? When you resume a session with a site you’ve previously visited, you can include data in the very first message sent to the server. This eliminates the need for a preliminary handshake. The time-saving benefits should be obvious!
TLS 1.3 Is Simpler
Cutting down on the number of steps required for a TLS handshake, as we have just seen, has the pleasant side effect of simplifying the TLS protocol. Fewer protocol steps mean less code to implement, archive, and maintain, and fewer things to go wrong, be misunderstood, or be misconfigured.
Besides a simplified handshake, more than a dozen crypto algorithms that were in TLS 1.2 have been stripped out of TLS 1.3. Weaker elliptic curves and hash functions have been removed, along with:
- Some weaker Diffie-Hellman groups
- Intentionally weakened export-grade ciphers
Getting rid of this excess crypto-baggage streamlines TLS 1.3 considerably and makes it more robust.
TLS 1.3 Is More Secure
At this point, you may be wondering why the above mentioned crypto algorithms were removed. Doesn’t having fewer options make a system less capable?
Sometimes less is more.
Over the lifetime of TLS 1.2, clever hackers have discovered vulnerabilities in many of the cryptographic algorithms embedded in TLS 1.2, or in the way the algorithms were being used within the TLS protocol. If you’re curious, you can read about a couple of these attack vectors in this interesting article about Logjam and FREAK.
As each of these flaws was discovered, white-hat hackers developed workarounds and patches as a means of mitigating the security holes.
However, though successful, these workarounds all too often turned out to be confusing and, consequently, much too easy to misconfigure.
The simple solution—applied in TLS 1.3—was to remove all the at-risk crypto algorithms.
As for any loss of capability, just think about it. Don’t you want to use the best available, most secure cryptographic options anyway?
And The Winner Is…
By now, the winner should be obvious: TLS 1.3.
But does this mean the evolution of Transport Layer Security is over with and done?
Of course not. Though it is now about two years since its formal introduction, TLS 1.3 is just beginning to come into widespread use. There are already some criticisms and concerns which are beyond the scope of this article. But hackers will no doubt continue to hack, and the white hats will surely continue to patch TLS and develop workarounds as each new threat arises.
Should You Be Worried About Using TLS 1.2?
As we mentioned above, the security issues in TLS 1.2 have been addressed by various workarounds and configuration measures. And more help is on the way…
What’s Up With NetBurner and TLS 1.3?
At the moment, NetBurner still only delivers and supports TLS 1.2. However, that is about to change. Although we’re not quite ready to pin down a precise release date, we are excited to share the news that version 1.3 is already up and running in-house, and we will soon be making TLS 1.3 available to our customers. And, as you know, we’ve already got you covered with a broad and capable assortment of ready-to-rock solutions.
For an enjoyable virtual shopping trip for development kits, NTP servers, and a variety of serial to Ethernet servers, check out the products and solutions on the NetBurner website. You’ll find development kits for everything we sell, making it easy for your engineering team to fold our latest technology into your cutting edge project.
NetBurner support is second to none, available by phone or by email. We’d love nothing more than to hear from you today! Feel free to leave a comment below, or email us directly at firstname.lastname@example.org.