Via The Register I see that TLS 1.3 has finally rolled off the standards and committee draft assembly line. This is pretty big news, not least because we’ve been working with the current TLS 1.2 standard for almost a decade, and the defects in it have well and truly been discovered and exploited.
There are a good number of reasonable news articles around about this that are worth reading for more detail than I’m going to give here, such as this nice one from CSO Online, which gives a background on what TLS is all about. You might also like to brush up on what the TLS/SSL handshake is, as the handshake is one of the places where some of the nastiest exploits of TLS 1.2 and earlier have been found.
I can also recommend the articles from eWeek and Kinsta, which cover off different aspects in somewhat more detail than the CSO Online article.
So. What do we get out of TLS 1.3?
- It’s faster than its predecessors, partly through improving the initial handshake, and partly through the way it deals with ongoing encryption of traffic after the handshake;
- it deprecates the use of a lot of broken cryptographic algorithms, enforcing very strong encryption (although servers are allowed to back down to TLS 1.2 if that’s all that the client supports);
- it plugs a lot of security flaws, particularly the horrible ones where the handshake is compromised and where a man-in-the-middle can silently intercept traffic;
- it’s much more resistant to attacks that involve spoofing the server or client identity;
- it supports forward secrecy, so that previously captured traffic stays protected even if the server’s private key is later lost.
One consequence of TLS 1.3 that is going to upset a lot of traditional security officers, though, is that it largely breaks any current ability to examine traffic on the network via deep packet inspection and passive monitoring – the article at The Register has some good discussion of this. My opinion is that this is actually a good thing. A broad and general bad habit has arisen over the last few decades of relying on perimeter and network security while treating endpoint and application security as too hard. This is not a sustainable way of thinking, and it is demonstrably one of the root causes of a lot of the big data leaks we’ve seen (feel free to argue about this with me, I’d love the debate). Going forward, let’s instead envision our systems as places where we perform secure and safe computation against well protected data stores in a hostile and dangerous network environment. If we assume that our communications are compromised, we can focus on preventing compromise of the servers and clients, and be as safe operating in the cloud as in private data centres.
One caveat around the state of this, though: currently a lot of the public focus is on adoption of TLS 1.3 within browsers. The more interesting question is whether it has been rolled into the operating systems as well, and to what extent. Right at the time of writing, the answer is “sort of, watch this space”. There are some notes for Windows and macOS/iOS out there, but I would expect that the major OS vendors will silently roll this out pretty quickly.