Web security gets a boost as TLS gets major overhaul

Expect wide and fast adoption of the latest web encryption protocol after engineers finalise Transport Layer Security (TLS) version 1.3.
Written by Liam Tung, Contributing Writer

The Internet Engineering Task Force (IETF), an internet standards group, has published the final version of Transport Layer Security (TLS) version 1.3, or TLS 1.3, which will eventually be the main protocol for securing web communications on HTTPS sites and apps.

The IETF published the latest version of the TLS 1.3 protocol, now called RFC 8446, on Friday. Engineers at Cloudflare -- an early supporter of TLS 1.3 -- hailed it as "the first major overhaul of the protocol" in years, one that brings speed, performance and security improvements over its predecessor, the decade-old TLS 1.2.

IETF engineers in March finally approved the 28th version of the TLS 1.3 proposals, which were developed over four years. Now that the protocol is officially complete, the way should be clear for its deployment on websites and browsers.

Cloudflare implemented one of those early versions of TLS 1.3 on its servers in 2016, but by the end of 2017 found most traffic still relying on TLS 1.2. None of the major browsers, such as Chrome and Firefox, had enabled TLS 1.3 by default, so little traffic was protected by the updated protocol.

Since then, however, web giants like Facebook have enabled TLS 1.3. Google enabled it in Chrome 65 -- the latest version of Chrome is version 68 -- but at the time had only rolled out support on Gmail.

Firefox-maker Mozilla also announced that TLS 1.3 draft 28 is already shipping in Firefox 61, noting that one of its biggest security improvements is that it cuts out the outdated cryptography in TLS 1.2 that made attacks like FREAK, POODLE, Logjam and others possible. It will ship the final version of TLS 1.3 in Firefox 63, due out in October.

"Although the previous version, TLS 1.2, can be deployed securely, several high profile vulnerabilities have exploited optional parts of the protocol and outdated algorithms," IETF engineers said in a statement. "TLS 1.3 removes many of these problematic options and only includes support for algorithms with no known vulnerabilities."

As with Cloudflare, Mozilla's data shows that around five percent of Firefox connections are TLS 1.3. However, Facebook has reported that more than half of its internet traffic is secured with TLS 1.3, and it has also open-sourced its TLS library, Fizz, which contains TLS 1.3.

The IETF TLS working group expects that, now that the core protocol is complete, adoption of TLS 1.3 should be "fast-paced and widespread".

"Most modern web browsers and many applications you probably use already support TLS 1.3. For those not currently supporting the protocol, we expect future updates to bring in support. Similarly, if you manage a website or other online service, the servers and infrastructure you use are likely to start using TLS 1.3 though it is worth double checking with your providers," IETF's TLS working group chairs wrote.
