TLS Version 1.3 And it only took 28 drafts!
After four years and 28 different drafts, the Internet Engineering Task Force has finally approved TLS 1.3. And even then, TLS 1.3 was only approved at the most recent London meeting after a wave of last-minute activity, including an eleventh-hour pitch from the banking industry to keep a static (non-ephemeral) key exchange in the protocol so that whoever holds a server's private key can decrypt its traffic, which is to say, a back door.
That didn’t go over well, but eventually TLS 1.3 won unanimous approval (with one “no objection”) which sets the stage for it to be implemented in… well, everything.
TLS 1.3 sees improvements that should seriously hamper any attempts to decrypt intercepted HTTPS connections and any other encrypted network packets. That’s not going to make the NSA or the Ruskies too happy, but that’s kind of the point.
In addition to being more robust, TLS 1.3 also streamlines the handshake, so encrypted connections get set up faster. (The encryption itself is no faster; the setup is.)
Unfortunately, the road to TLS 1.3 has been extremely rough. Google hit problems last year when an IT administrator for a Maryland school system reported that about one-third of the 50,000 Chromebooks he had enabled TLS 1.3 on stopped working; the devices were not actually bricked, the culprit was the district's intercepting proxies (Blue Coat middleboxes), which choked on the new handshake. And then there was the aforementioned incident where the banking industry complained that, without static RSA key exchange, it would no longer be able to passively decrypt the traffic inside its own networks.
However, the same ability to decrypt their own data can be used nefariously, much like just about everything in the banking industry, which makes trusting a banker one of the most dangerous things you can do in this life. I’m convinced that when Virgil finally leads me on my orientation to hell, the bankers will have their very own ring. Hopefully several.
Anyway, back to getting back-doored by bankers. The IETF said no. Which means the financial sector will have to do some extra work (terminating TLS at a proxy it controls, or logging session keys from endpoints it owns) in order to inspect TLS 1.3 traffic. Everybody wins.
Two of the biggest updates to TLS 1.3, and one of the biggest reasons the banking industry had a cow, have to do with forward secrecy and ephemeral keys: every TLS 1.3 session key comes from a fresh (EC)DHE exchange that is thrown away afterwards, so a server’s long-term private key can no longer be used to decrypt recorded traffic, whether by the server’s owner or by whoever stole the key.
As you may know, TLS creates an encrypted connection between a client and a server. This is done at the outset using what is still widely called the “SSL handshake” (properly, the TLS handshake).
Unfortunately, the earlier iterations of the handshake were long and could take half a second. For what it’s worth, a part of me just died typing that last sentence. We live in a world where people are inconvenienced by half a second.
But with TLS 1.2, a full handshake took two round trips. The client would send something to the server, then the server would respond, then they would begin a series of hand claps and fist bumps. Eventually they agree on a cipher suite they both support and derive the session keys, and voilà! Encrypted communication.
TLS 1.3 asks the age-old question, “who has that kind of time?” and streamlines the handshake into a single round-trip proposition that is less like a clubhouse secret handshake and more like the handshake exchanged by a couple at the end of a long and contentious divorce settlement. Just a perfect economy of emotion offering an ironic end to a process that was anything but.
Aaaaanyway… In addition to that, TLS 1.3 also gets rid of a bunch of outmoded algorithms and constructions that have been found weak or outright broken:
- RC4 stream cipher
- RSA key transport (static RSA key exchange, the non-forward-secret option the banks wanted to keep)
- SHA-1 hash function (for signatures)
- CBC-mode ciphers (only AEAD cipher suites remain)
- MD5 algorithm
- Arbitrary or weak Diffie-Hellman groups (only a fixed set of named groups is allowed)
- EXPORT-strength ciphers
Beyond a refined handshake and dropping support for all but the strongest ciphers, TLS 1.3 also boasts something called 0-RTT resumption. This feature lets two parties that have already talked resume from a pre-shared key left over from the previous session, with the client sending application data in its very first flight instead of waiting for the handshake to finish. The catch is that 0-RTT data is not forward secret and can be replayed by anyone who captured it, so it is only safe for requests that do no harm when repeated. Kind of like calling that ex I mentioned earlier for a quick- [Editor’s Note: CARL!]
This speeds TLS 1.3 up even more. Chrome and Firefox already ship draft versions of TLS 1.3, with the other major browsers expected to follow.
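The handshake, key-exchange and resumption behaviour described above, run end to end with Go’s standard library. This is an added example, not code from the original post or from the IETF. It mints a throwaway certificate for the hypothetical name example.test, then runs three handshakes over an in-memory pipe: a server capped at TLS 1.2 that still negotiates RSA key transport, the same server with TLS 1.3 allowed, and a second TLS 1.3 connection that resumes from the ticket cached by the first. The resumption shown is the ordinary one-round-trip kind with a fresh key share, not 0-RTT, which the example does not attempt. The hostname, the cipher-suite choices and the `Demo`/`handshake`/`forwardSecret` helpers are this example’s own assumptions, not anything the post specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

const host = "example.test" // hypothetical name for the in-memory server

// forwardSecret is true for every TLS 1.3 session but only for (EC)DHE suites
// in TLS 1.2; with RSA key transport the server's long-term key decrypts the past.
func forwardSecret(st tls.ConnectionState) bool {
	return st.Version == tls.VersionTLS13 || strings.Contains(tls.CipherSuiteName(st.CipherSuite), "DHE")
}

// selfSignedCert mints a throwaway RSA certificate (RSA so one key can do both
// RSA key transport and RSA-PSS signing) and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing our own DER cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one handshake over an in-memory pipe and returns the client's
// view. The server then sends one record; reading it drives the client side and,
// in TLS 1.3, also consumes the session ticket that arrives after the handshake
// proper (a client that never reads never caches one).
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	rawClient, rawServer := net.Pipe()
	defer rawClient.Close()
	defer rawServer.Close()
	rawClient.SetDeadline(time.Now().Add(10 * time.Second)) // pipe writes block until read,
	rawServer.SetDeadline(time.Now().Add(10 * time.Second)) // so fail loudly instead of hanging
	serverErr := make(chan error, 1)
	go func() {
		_, err := tls.Server(rawServer, serverCfg).Write([]byte("hello")) // handshakes first
		serverErr <- err
	}()
	cli := tls.Client(rawClient, clientCfg)
	if _, err := cli.Read(make([]byte, 5)); err != nil { // handshakes, then reads "hello"
		return tls.ConnectionState{}, err
	}
	if err := <-serverErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

// Demo runs the handshakes discussed in the post: TLS 1.2 with RSA key
// transport, a TLS 1.3 full handshake, and a TLS 1.3 ticket resumption.
func Demo() (legacy, modern, resumed tls.ConnectionState, err error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return
	}
	// The client offers RSA key transport for TLS 1.2. Go ignores CipherSuites
	// for TLS 1.3, which has no non-ephemeral key exchange left to name.
	client := func(cache tls.ClientSessionCache) *tls.Config {
		return &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12,
			CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}, ClientSessionCache: cache}
	}
	// A server capped at TLS 1.2 (the RSA suite listed explicitly, since Go 1.22
	// no longer offers it by default) negotiates the non-forward-secret exchange.
	legacyServer := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}}
	if legacy, err = handshake(legacyServer, client(nil)); err != nil {
		return
	}
	// Same certificate, TLS 1.3 allowed: an AEAD suite and an ephemeral exchange,
	// whatever the client's TLS 1.2 list said. The first connection caches the
	// server's ticket; the second presents it as a PSK and resumes.
	server := &tls.Config{Certificates: []tls.Certificate{cert}}
	cached := client(tls.NewLRUClientSessionCache(4))
	if modern, err = handshake(server, cached); err != nil {
		return
	}
	resumed, err = handshake(server, cached)
	return
}

func main() {
	legacy, modern, resumed, err := Demo()
	fmt.Printf("1.2: %s fs=%v | 1.3: %s fs=%v | resumed=%v | err=%v\n", tls.CipherSuiteName(legacy.CipherSuite),
		forwardSecret(legacy), tls.CipherSuiteName(modern.CipherSuite), forwardSecret(modern), resumed.DidResume, err)
}
```

Run it with `go run`. The printed suite names make the point: the TLS 1.2 line reads TLS_RSA_WITH_AES_128_GCM_SHA256 with fs=false, the TLS 1.3 line shows an AEAD suite with fs=true even though the client’s CipherSuites list never named one, and the third connection reports resumed=true while still being forward secret, because a TLS 1.3 resumption still mixes in a fresh key share.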
No word yet on TLS 1.4, though the IETF may want to get to work on it now, considering how long this last one took.