Andrea Danti - Fotolia

Finalized TLS 1.3 update has been published at last

The finalized TLS 1.3 update has been published after a four-year process. The new protocol promises to be faster and more secure than its predecessor, TLS 1.2.

The finalized and completed version of TLS 1.3 was published last week following a lengthy draft review process.

The Internet Engineering Task Force (IETF) published the latest version of the Transport Layer Security protocol used for internet encryption and authentication on Friday, Aug. 10, 2018, after starting work on it in April 2014. The final draft, version 28, was approved in March. It replaces the previous standard, TLS 1.2, which was published in RFC 5246 in August 2008. Originally based on the Secure Sockets Layer protocol, the new version of TLS has been revised significantly.

"The protocol [TLS 1.3] has major improvements in the areas of security, performance, and privacy," IETF wrote in a blog post.

Specifically, TLS 1.3 "provides additional privacy for data exchanges by encrypting more of the negotiation handshake to protect it from eavesdroppers," compared with TLS 1.2, IETF explained. "This enhancement helps protect the identities of the participants and impede traffic analysis."

TLS 1.3 also has forward secrecy by default, so current communications will stay secured even if future communications are compromised, according to IETF.

"With respect to performance, TLS 1.3 shaves an entire round trip from the connection establishment handshake," IETF wrote in its blog post announcing the finalized protocol. "In the common case, new TLS 1.3 connections will complete in one round trip between client and server."

As a result, TLS 1.3 is expected to be faster than TLS 1.2. It will also remove outdated cryptography, such as the RSA key exchange, 3DES and static Diffie-Hellman, and thus free TLS 1.3 of the vulnerabilities that plagued TLS 1.2, such as FREAK and Logjam.

"Although the previous version, TLS 1.2, can be deployed securely, several high profile vulnerabilities have exploited optional parts of the protocol and outdated algorithms," IETF wrote. "TLS 1.3 removes many of these problematic options and only includes support for algorithms with no known vulnerabilities."

And, as Mozilla explained in a blog post, "TLS 1.3 is designed in cooperation with the academic security community and has benefitted from an extraordinary level of review and analysis. This included formal verification of the security properties by multiple independent groups; the TLS 1.3 RFC cites 14 separate papers analyzing the security of various aspects of the protocol."

TLS 1.3 has already been widely deployed, according to Mozilla. The Firefox and Google Chrome browsers have draft versions deployed, with final version deployments on the way. And Cloudflare, Google and Facebook have also partially deployed the protocol.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing