04-04-18, Encryption protocol TLS 1.3 was finalised and approved by the IETF
The new TLS 1.3 protocol was finalised on 21 March 2018. Prior to this, the protocol hadn’t been updated for more than 8 years. TLS 1.3 brings improved security and performance.
The Internet Engineering Task Force (IETF) is responsible for the description of the TLS protocol. The previous version of TLS (TLS 1.2) was described in RFC 5246 and was used for 8 years, with support from most web browsers. On 21 March 2018, the TLS 1.3 protocol was finalised.
Improved speed in TLS 1.3
In terms of web performance, TLS and encrypted connections initially added extra milliseconds of delay. With the advent of HTTP/2, this problem was solved, and TLS 1.3 now allows even faster encrypted connections. In TLS 1.3, the following features were introduced:
- TLS false start
- Zero Round Trip Time (0-RTT)
In version 1.2, a TLS handshake required two round-trips, while in TLS 1.3 only one round-trip is needed. This means the time needed to set up encryption is halved.
Zero Round Trip Time is another advantage. If you have visited a site previously, you can send data to the server in the first message. This feature is called 0-RTT. As a result, pages load much faster.
Improved security in TLS 1.3
TLS 1.3 removed obsolete and unsafe algorithms that existed in TLS 1.2: SHA-1, RC4, DES, 3DES, AES-CBC, MD5, CVE-2016-0701 and so on.
This means that attacks on TLS that had previously occurred, such as Heartbleed and POODLE, can be avoided.
Connections will continue to fall back to the TLS 1.2 version of the protocol if either side does not support TLS 1.3, but if an attacker attempts to force this fallback (using a man-in-the-middle (MITM) attack), TLS 1.3 will detect this and prevent it from happening.
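The fallback check described above is specified in RFC 8446, section 4.1.3: a TLS 1.3-capable server that ends up negotiating an older version writes a fixed sentinel into the last 8 bytes of ServerHello.random, and a TLS 1.3-capable client aborts when it sees it. The following Python sketch of that client-side check is an added example, not part of the original article; the ServerHello bytes and the helper `sample_hello` are constructed for illustration.

```python
import struct

# RFC 8446 section 4.1.3: sentinels placed in the last 8 bytes of
# ServerHello.random by a TLS 1.3-capable server that negotiates lower.
DOWNGRADE_TO_TLS12 = b"DOWNGRD\x01"
DOWNGRADE_TO_TLS11_OR_BELOW = b"DOWNGRD\x00"
TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(body):
    """Return (negotiated version, 32-byte random) from a ServerHello body."""
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack_from("!H", body, 0)   # legacy_version field
    random = body[2:34]
    pos = 35 + body[34] + 3      # skip session_id, cipher suite, compression
    if pos + 2 <= len(body):     # extensions block is optional before TLS 1.3
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, min(pos + 2 + ext_total, len(body))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            # TLS 1.3 signals the real version in supported_versions
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= end:
                (version,) = struct.unpack_from("!H", body, pos + 4)
            pos += 4 + ext_len
    return version, random


def downgrade_detected(body):
    """Check run by a TLS 1.3-capable client on every ServerHello."""
    version, random = parse_server_hello(body)
    return version < TLS13 and random[-8:] in (
        DOWNGRADE_TO_TLS12, DOWNGRADE_TO_TLS11_OR_BELOW)


def sample_hello(random, cipher, selected=0):
    """Constructed ServerHello body: empty session_id, null compression."""
    body = struct.pack("!H", TLS12) + random + b"\x00" + struct.pack("!HB", cipher, 0)
    if selected:                 # add a supported_versions extension
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    return body


if __name__ == "__main__":
    plain = bytes(range(32))                        # constructed random values
    marked = bytes(range(24)) + DOWNGRADE_TO_TLS12
    print(downgrade_detected(sample_hello(plain, 0xC02F)))         # real TLS 1.2 server
    print(downgrade_detected(sample_hello(marked, 0xC02F)))        # 1.3 server forced down
    print(downgrade_detected(sample_hello(plain, 0x1301, TLS13)))  # TLS 1.3 negotiated
```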
The protocol has become simpler, and therefore there are likely to be fewer configuration errors.
- In Chrome 63, TLS 1.3 support is enabled for outbound connections. TLS 1.3 support appeared in Chrome 56.
- In Firefox 52, TLS 1.3 is enabled by default. It is also included in Quantum.
Other browsers promise to include the protocol in a few months’ time.