A new version of TLS was launched in 2018 – the TLS 1.3 protocol. TLS 1.3 aims to solve all of the problems facing its older version – TLS 1.2.
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication between web browsers and servers. It is used in almost every app nowadays. Many IP-based protocols such as HTTPS, SMTP, POP3, and FTP support TLS. Secure Sockets Layer (SSL), on the other hand, is a protocol used to establish an encrypted link between web browsers and servers. It uses symmetric cryptography to encrypt the data transmitted. Encryption keys are based on shared secret negotiation at the beginning of any communication session. This secret negotiation is referred to as the TLS handshake.
The most widely used versions of TLS nowadays are TLS 1.0, TLS 1.1 and TLS 1.2. While TLS 1.0 & TLS 1.1 are known to be very vulnerable, the TLS 1.2 protocol is considered to be much more secure and is thus recommended for use. Furthermore, In October 2018, Apple, Google, Microsoft & Mozilla (responsible for Chrome, Edge, IE, Firefox, and Safari browsers) announced that by the first half of 2020, TLS 1.0 & 1.1 will be disabled by them. While that is a good move by them, the question is: What if TLS 1.2 is no longer as secure as we thought?
TLS version 1.2 was released in 2008. It is currently the most widely implemented version of TLS. TLS 1.2 offers major improvements over the older version, TLS 1.1. The most essential improvement, however, is in the encryption protocol. TLS 1.2 allows the use of more secure hash algorithms such as SHA-256. In addition, it allows the use of advanced cipher suites that support elliptic curve cryptography. Up until recently, TLS 1.2 was considered fairly secure, but the discovery of new vulnerabilities, similar to the old TLS protocols’ vulnerabilities, put TLS 1.2’s reliability in question.
We know about the Zombie POODLE attacks from five years ago which leveraged SSL 3.0 vulnerabilities. And apparently, they haven’t really died.
Researchers have revealed two new vulnerabilities in the TLS 1.2 protocol which allows attacks similar to POODLE to breach it. The source of one vulnerability is in TLS 1.2’s support for the outdated cryptographic method, cipher block chaining (CBC). Using the CBC method allows man-in-the-middle attacks (MITM) on users’ encrypted web and VPN sessions. With some minor tweaking of the familiar POODLE attack, it is possible to hack systems that still make use of outdated crypto methods.
Another vulnerability was also found in TLS 1.2 which allows the GOLDENDOODLE attack to breach outdated crypto methods. GOLDENDOODLE is similar to, yet more powerful than the POODLE attack. It has more powerful and rapid hacking abilities, and even if a system has fully eradicated the POODLE flaw, it could still be vulnerable to GOLDENDOODLE attacks.
While this issue should have been resolved four or five years ago, the support for older protocols – which was included mainly to ensure that older legacy browsers and client machines won’t be locked out of websites – means that the issue still remains. Meanwhile, those websites, operated mainly by government agencies and financial institutions, remain vulnerable.
In addition to TLS 1.2’s security issues, problems in performance and privacy were also noted in TLS 1.2. Therefore, a new version of TLS was launched in 2018 – the TLS 1.3 protocol. TLS 1.3 aims to address all of the problems facing TLS 1.2. Security-wise, TLS 1.3 completely abandons backward compatibility and has a completely new functional security design. TLS 1.3’s security was designed from scratch, which allows it to perform the same functions as TLS 1.2, but with significantly improved resilience to attacks.
In August 2018, version 1.3 of the TLS protocol was released. The new version includes a lot of privacy, security and performance improvements. With TLS 1.3, encrypted connections are much faster and more secure than before. While high profile vulnerabilities were discovered in TLS 1.2, TLS 1.3 solves those issues and supports only state-of-the-art algorithms with no known vulnerabilities.
TLS 1.3 also provides additional privacy by encrypting more of the handshake to protect it from eavesdroppers.
Features removed from TLS 1.3:
Bottom line: TLS 1.3 takes a significant step forward in enhancing security. It removes all primitive features that lead to weak configurations. TLS 1.3 prevents common SSL/TLS vulnerabilities such as DROWN, POODLE, SLOTH, CRIME, and more.
While TLS 1.2 was a good choice for a TLS protocol until recently, but now, TLS 1.3 offers a better solution with a refreshing approach, especially for security-related matters. As configurations change often, implementing new protocols in an organization’s production systems can be quite painful. This is the main reason why a well-designed protocol like TLS 1.3 has yet to see extensive usage. However, when choosing between a temporary inconvenience and a vulnerability that will cause extensive and expensive damage, the preference is clear. And, what if even this temporary inconvenience can be eradicated? That’s right. CHS by CalCom will deploy the protocol update automatically on your entire production environment without causing outages. Ask us how.