HARDER, STRONGER, FASTER, BETTER web security standards are on their way after the latest Transport Layer Security protocol got the thumbs up.
The Internet Engineering Task Force (IETF), which is responsible for creating the standards and rules that govern the internet, gave TLS 1.3 the nod.
This will usher in the next major version of the protocol and comes after technologists spent the last four years discussing its contents. More than 28 drafts for 1.3 have been generated during this time.
However, the IETF has chosen the 28th draft as the final version – outlining new processes for HTTPS connections. This is essentially the way that a client and server communicate with each other on the internet.
According to the IETF, version 1.3 of the Transport Layer Security protocol will enable client and server applications to “communicate over the Internet in a way that is designed to prevent eavesdropping tampering, and message forgery”.
The most notable change with TLS 1.3 is that it abandons outdated encryption and hashing algorithms, such as MD5 and SHA-224, which has been thoroughly broken for years.
These have been replaced with more complex alternatives, including ChaCha20, Poly1305, Ed25519, x448 and x25519.
On top of this, TLS 1.3 attempts to speed up contact time between the client and the server by decreasing connection latency. In the past, this has proven problematic for HTTPS requests.
TLS 1.3 also introduces TLS False Start and Zero Round Trip Time (0-RTT), intended to make it quicker for host servers to establish encryption handshakes with clients they have come across in the past.
Overall, TLS 1.3 should be a radical step-up for internet security compared to the ten-year-old TLS 1.2. Unlike previous TLS versions, 1.3 comes with better protections to stop downgrade attacks, for example.
In these cases, attackers are able to compromise servers by using outdated versions of the TLS protocol. IETF said there was a “strong consensus” among its members for the changes outlined in TLS 1.3.
Despite this, the organisation admitted that there have been a number of challenges before it could be agreed – especially from companies in the financial industry, who suggested that the extra security mechanisms may make regulatory compliance more difficult for them.
“The area that was most controversial was around the inclusion of a 0-RTT mode that has different security properties than the rest of TLS,” the IETF explained.
“S.3 lists the major differences from TLS1.2, as agreed by the contributors. We do not think that the RFC needs to list the changes that occurred between each draft.
“The draft has had three WGLCs [working group last calls] to address various issues and the chair’s assessment was fair in each of these discussions. At this point there are no known outstanding issues.”
The main web browsers, including Chrome, Edge, Firefox, Safari, Opera and Vivaldi, are likely to support the standard by rolling out updates within the coming weeks. µ
Save this article