What’s going on with TLS 1.3? Why is it so special? Let’s hash it out.
It has been almost a year since my former colleague Vince wrote a piece about the expected release date of TLS 1.3. And you know what? It’s still in the “expected” phase. You might be tempted to call this stagnation, but don’t. TLS is the protocol that forms the foundation of web security, so it has to be as close to perfect as possible to avoid any potential disasters, and that is precisely what the Internet Engineering Task Force (IETF) is working towards.
TLS, the protocol behind the so-called ‘SSL certificate’, is responsible for secure communication and authentication between websites and browsers. TLS 1.2, the longest-serving and perhaps the finest member of the TLS family, was published back in August 2008 (RFC 5246). With all due respect to TLS 1.2 and its impressive tenure, it’s now time to welcome TLS 1.3.
So, where exactly is TLS 1.3?
It’s where it’s been for the past year: in the draft phase. Draft 22 is currently the latest version of TLS 1.3 to have been published.
Simply put, it’s still work in progress.
Why is it taking so long?
From the first TLS 1.3 draft, released on April 17, 2014, to the current draft 22, each version has been continuously tested and reviewed by vendors such as Google, Cloudflare, Mozilla, and many others. They roll out TLS 1.3 support, test it against real traffic, and report issues as they discover them. In February 2017, one such issue, a proxy that could not handle TLS 1.3 connections, forced Google to back out of TLS 1.3 support in Chrome. Such concerns keep popping up and, as a result, make us wait longer.
TLS 1.2 vs. TLS 1.3 – What’s the difference?
We wouldn’t be so desperate about TLS 1.3 if it weren’t special, right? Well, it is. That’s why many, including us, cannot wait to use TLS 1.3. Here are the reasons why:
TLS 1.3 is Faster
In an HTTPS connection, when two parties (web server and browser) meet, they perform an SSL/TLS handshake for authentication and key exchange before any application data is encrypted. In the current TLS 1.2, a full handshake takes two round trips between the two sides. TLS 1.3 cuts this to a single round trip, because the client already sends its key-exchange share in the very first message (the ClientHello), so the server can complete its side in one reply. That makes connections to a site faster. Granted, the saving is milliseconds, so you probably won’t notice, but we will.
Another feature that will make 1.3 faster is ‘Zero Round Trip Time Resumption’ (0-RTT). It speeds up connections for visitors who have recently visited your site: a returning client can send application data in its very first flight, before the server has replied at all. On mobile networks, this speed change is pretty noticeable. The trade-off is that 0-RTT data can be replayed by an attacker and does not get forward secrecy, so it should only be used for requests that are safe to repeat.
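To make the round-trip claims concrete, here is an added example (not code from the original article) that models the handshake flights of TLS 1.2 (RFC 5246) and TLS 1.3 (the draft series), and counts how many server replies the client has to wait for before it can send its first application data. The flight contents follow the message names in those documents; the helper names and the flight lists are constructed for this illustration.

```python
# Added example: model TLS handshake flights and count round trips before the
# client can send application data. Each flight is (sender, [messages]) and
# flights alternate between client and server. Braces {} mark handshake
# messages that TLS 1.3 already encrypts; parentheses () mark 0-RTT early data.

# TLS 1.2 full handshake (RFC 5246): the client learns the server's key-exchange
# parameters only in flight 2, so its own key share and Finished go in flight 3,
# and it still waits for the server's Finished before trusting the channel.
TLS12_FULL = [
    ("client", ["ClientHello"]),
    ("server", ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"]),
    ("client", ["ClientKeyExchange", "ChangeCipherSpec", "Finished"]),
    ("server", ["ChangeCipherSpec", "Finished"]),
    ("client", ["ApplicationData"]),
]

# TLS 1.3 full handshake: the ClientHello already carries a key_share, so the
# server can finish its whole side in one flight and the client sends data
# right behind its own Finished.
TLS13_FULL = [
    ("client", ["ClientHello+key_share"]),
    ("server", ["ServerHello", "{EncryptedExtensions}", "{Certificate}",
                "{CertificateVerify}", "{Finished}"]),
    ("client", ["{Finished}", "ApplicationData"]),
]

# TLS 1.3 0-RTT resumption: a returning client reuses a pre-shared key and
# sends early data in its very first flight. That data is not bound to any
# fresh server randomness, so a network attacker can replay it; it also lacks
# forward secrecy. Only idempotent requests belong there.
TLS13_0RTT = [
    ("client", ["ClientHello+pre_shared_key+early_data", "(ApplicationData)"]),
    ("server", ["ServerHello", "{EncryptedExtensions}", "{Finished}"]),
    ("client", ["{EndOfEarlyData}", "{Finished}", "ApplicationData"]),
]


def round_trips_before_client_data(flights):
    """Number of server flights the client must wait for before it first sends
    application data (early or not). Every server flight the client waits for
    costs one full network round trip."""
    server_flights = 0
    for sender, messages in flights:
        if sender == "client" and any("ApplicationData" in m for m in messages):
            return server_flights
        if sender == "server":
            server_flights += 1
    raise ValueError("handshake never reaches client application data")


def sends_replayable_data(flights):
    """True if the client sends application data before it has seen a single
    server message, i.e. before the server's fresh random could tie that data to
    this particular connection. That is exactly the 0-RTT early-data case."""
    return round_trips_before_client_data(flights) == 0


if __name__ == "__main__":
    for name, flights in (("TLS 1.2 full", TLS12_FULL),
                          ("TLS 1.3 full", TLS13_FULL),
                          ("TLS 1.3 0-RTT", TLS13_0RTT)):
        print("%-14s %d RTT before client data, replayable=%s"
              % (name, round_trips_before_client_data(flights),
                 sends_replayable_data(flights)))
```

Running it prints 2, 1 and 0 round trips respectively, and flags only the 0-RTT flow as carrying replayable data, which is why servers typically accept early data only for requests such as idempotent GETs and reject or delay anything else.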
TLS 1.3 is More Secure (Obviously)
As time passes, we all (except Keanu Reeves) lose our powers, and so do security protocols. TLS 1.2, once considered fully secure, now carries real risk (don’t worry, it’s not that simple): the protocol itself has held up reasonably well, but it still permits older, insecure ciphers, key exchanges and hash functions, and most of the attacks of the last few years have targeted exactly those options. TLS 1.3 eliminates these elements of risk by dropping support for obsolete ciphers and algorithms altogether, so a server cannot be talked into using them. This includes the following:
- RC4 stream cipher
- RSA key transport (static RSA key exchange, which offers no forward secrecy)
- SHA-1 hash function
- CBC mode ciphers
- MD5 algorithm
- Arbitrary Diffie-Hellman groups (only a fixed set of named groups remains; static and anonymous DH are gone too)
- EXPORT-strength ciphers
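A practical way to use this list today is to audit what a TLS 1.2 server still offers against it, and to make your own clients refuse anything older than TLS 1.3 once it is available. The following is an added example (not code from the original article, and not an official tool) that does both: it classifies TLS 1.2 cipher suites by their IANA names (the `TLS_<key exchange>_WITH_<cipher>_<hash>` form used in RFC 5246 and its extensions) and builds a Python `ssl` client context pinned to TLS 1.3. The sample suite list is constructed for the example, and the context function assumes Python 3.7+ linked against OpenSSL 1.1.1 or newer.

```python
import ssl

# Added example: audit TLS 1.2 cipher suites against what TLS 1.3 removed, and
# build a client context that will not negotiate anything below TLS 1.3.

# Constructed sample list, in IANA naming, of suites a legacy server might offer.
SAMPLE_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]


def legacy_reasons(suite):
    """Return the TLS 1.3 removals that a TLS 1.2 suite name depends on.

    A TLS 1.2 name has the shape TLS_<key exchange>_WITH_<cipher>_<MAC/PRF hash>.
    An empty list means every building block of the suite survives into TLS 1.3
    (ephemeral key exchange, AEAD cipher, SHA-2), even though TLS 1.3 spells its
    suites differently (e.g. TLS_AES_256_GCM_SHA384) because key exchange and
    authentication are negotiated separately from the cipher there.
    """
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError("not a TLS 1.2-style suite name: %s" % suite)
    kx, _, cipher_mac = suite[len("TLS_"):].partition("_WITH_")
    reasons = []
    if "EXPORT" in kx:
        reasons.append("EXPORT-strength cipher")
    if kx in ("RSA", "RSA_EXPORT"):
        reasons.append("RSA key transport (no forward secrecy)")
    if kx.startswith(("DH_", "ECDH_")):
        # DH_RSA, DH_DSS, ECDH_ECDSA, DH_anon ...: static or anonymous (EC)DH.
        # Only ephemeral (EC)DHE over named groups exists in TLS 1.3.
        reasons.append("static or anonymous Diffie-Hellman")
    if "RC4" in cipher_mac:
        reasons.append("RC4 stream cipher")
    if "_CBC_" in cipher_mac:
        reasons.append("CBC mode cipher")
    if cipher_mac.endswith("_MD5"):
        reasons.append("MD5 MAC")
    if cipher_mac.endswith("_SHA"):
        # A bare "_SHA" suffix means HMAC-SHA1; SHA-2 suites end in _SHA256/_SHA384.
        reasons.append("SHA-1 MAC")
    return reasons


def audit(suites):
    """Map each suite to the list of reasons TLS 1.3 would not allow it."""
    return {suite: legacy_reasons(suite) for suite in suites}


def surviving(suites):
    """Suites whose building blocks all carry over into TLS 1.3, in input order."""
    return [suite for suite in suites if not legacy_reasons(suite)]


def tls13_only_client_context():
    """Client context that refuses to negotiate anything below TLS 1.3.
    Assumes Python 3.7+ on OpenSSL 1.1.1+, which is what ships TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version a context will accept, e.g. 'TLSv1_3'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_SUITES).items():
        print("%-48s %s" % (suite, ", ".join(reasons) or "OK"))
    print("minimum version:", minimum_version_name(tls13_only_client_context()))
```

Of the nine constructed suites only three pass: the two ECDHE/AES-GCM and ECDHE/ChaCha20 suites and the DHE/AES-GCM one, and even the DHE suite only survives in TLS 1.3 if the server uses one of the named finite-field groups rather than parameters it picks itself. Everything built on RSA key transport, static DH, RC4, CBC, MD5 or SHA-1 is flagged, which is a quick way to see how much of a typical legacy configuration TLS 1.3 throws away.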
When will TLS 1.3 be released?
If I were a politician, I would answer this question by saying “That’s an interesting question. As of now, I am not in a position to comment about this.”
But I’m not a politician, right? In my own words, I’d say “I don’t know.” My wild guess is six months. That’s because TLS 1.3 has been in the “final phase,” or “last call,” for some time now, and it could remain there a bit longer.
In the meantime, you have Hashed Out to keep you updated with all the changes happening with TLS 1.3 and the SSL/TLS industry.