Snooping on HTTPS is about to get harder: TLS 1.3 internet encryption wins approval

The latest version of the protocol for HTTPS secure connections gets green light from the IETF.
Written by Liam Tung, Contributing Writer


The Internet Engineering Task Force (IETF) has approved version 1.3 of Transport Layer Security (TLS), the key protocol that enables HTTPS on the web.

TLS 1.3 was approved by engineers at an IETF gathering in London last week. The approved document is the 28th draft of the TLS 1.3 proposal, which has been hashed out over the past four years.

TLS is the successor to SSL, and version 1.3 was designed to prevent attacks that undermined client and server communications secured with TLS 1.2 and earlier versions.

The main benefit of TLS 1.3 is that it supports stronger encryption and drops a host of legacy encryption algorithms.

It also introduces 0-RTT, or zero round-trip time, resumption, which is designed to speed up connections to sites that users visit frequently and is expected to deliver lower latency on mobile networks.

Major internet players have been gradually upgrading to TLS 1.3 over the past few years, though there have been hiccups and obstacles to its deployment.


While Chrome, Firefox, Opera, and Edge already support TLS 1.3, they don't enable it by default. A study by Cloudflare, which enabled TLS 1.3 by default on the server side last year, found that in December just 0.6 percent of traffic was secured with TLS 1.3. The cause was partly how network appliance vendors had implemented TLS 1.2.

These appliances, which intercept and inspect HTTPS traffic, were also causing TLS 1.3 connections to fail.

This failure hit over 100,000 Chromebooks last year after Google updated them to Chrome OS 56. The devices could no longer connect to the web because Symantec's BlueCoat appliance simply hung up on a connection when confronted with TLS 1.3 rather than negotiating down to TLS 1.2.
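The breakage described above comes from appliances that inspect the ClientHello but do not understand how TLS 1.3 advertises itself: the record header and the legacy_version field still say TLS 1.2 (0x0303), and TLS 1.3 (0x0304) is offered only inside the supported_versions extension. The following Python is added here as an example (it is not from the article, the IETF, or any vendor's product); it builds a constructed minimal ClientHello and parses it to report whether TLS 1.3 is offered, which is the field an inspecting proxy has to read before it can negotiate down rather than drop the connection.

```python
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 extension type for supported_versions

def parse_client_hello(record: bytes) -> dict:
    """Return the versions a ClientHello offers, from a raw TLS record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake record")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = int.from_bytes(ch[:2], "big")
    pos = 2 + 32                                       # legacy_version + random
    pos += 1 + ch[pos]                                 # legacy_session_id
    pos += 2 + int.from_bytes(ch[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + ch[pos]                                 # legacy_compression_methods
    versions = []                                      # empty when extension absent
    if pos < len(ch):                                  # extensions block present
        end = pos + 2 + int.from_bytes(ch[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            data, pos = ch[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:        # length byte, then 2-byte versions
                versions = [int.from_bytes(data[i:i + 2], "big")
                            for i in range(1, 1 + data[0], 2)]
    # Without supported_versions, legacy_version is the highest version offered
    offered = versions or [legacy_version]
    return {"legacy_version": legacy_version, "supported_versions": versions,
            "offers_tls13": TLS13 in offered}

def build_client_hello(versions=None) -> bytes:
    """Constructed minimal ClientHello; legacy_version is always 0x0303 (TLS 1.2)."""
    ext = b""
    if versions:
        vs = b"".join(v.to_bytes(2, "big") for v in versions)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vs) + 1, len(vs)) + vs
        ext = struct.pack("!H", len(ext)) + ext
    ch = (TLS12.to_bytes(2, "big") + bytes(32) + b"\x00"  # version, random, no session id
          + b"\x00\x02\x13\x01"                           # one cipher suite (constructed)
          + b"\x01\x00" + ext)                            # null compression, extensions
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # handshake record

if __name__ == "__main__":
    for v in ([TLS13, TLS12], [TLS12], None):
        print(v, parse_client_hello(build_client_hello(v)))
```

Feeding the parser a ClientHello captured from a client that fails through a proxy shows whether TLS 1.3 was offered and therefore whether the appliance, not the client, is where a version fallback has to happen.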

Some US banks raised the same concern about the TLS 1.3 upgrade, because the appliances they had already invested in for monitoring employees would need to be replaced or redesigned.
