TLS 1.3: Everything to know about the protocol's new version

Published on , by Jacky Thierry, in the category #Security & Adminsys

TLS 1.3

About the author

Jacky THIERRY

CTO, Project Manager, Startup owner

Working for 15 years in IT, I have managed various web projects for worldwide companies, web agencies and local associations. I am specialized in agile projects, with outsourced teams around the world.


Discover TLS 1.3

What is TLS?

TLS (Transport Layer Security) is a protocol that secures your communications on the web.

It is the successor of SSL (which was discontinued after version 3) and is used massively on the internet through the HTTPS protocol, which is essentially TLS layered over HTTP.

It relies on TLS certificates (also called SSL certificates) and secures all transfers between a client and a server with the following features:

  1. Encryption and integrity of the data
  2. Authentication and legitimacy of the server

You can also read this article to learn more about SSL certificates.

Created by Netscape (when it was still SSL), TLS is now managed by the IETF organization.

IETF

The IETF (Internet Engineering Task Force) is a non-profit organization, created in 1986, which develops and promotes standards for the internet.

Its main goal is to make the internet better through studies and technical documents that guide the people and companies who design and use it.

It is a free and open organization, without any membership requirements, based on the volunteer work of its participants.

How does TLS work?

This protocol defines the connection process between a client and a server.

It sets up a dialogue in which the two sides share their requirements and technical specifics, then choose an algorithm that both client and server can use and understand.

During this dialogue, each exchange (a request and its response) is counted as one RTT: Round Trip Time.
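As an added illustration (not from the original article) of the dialogue described above: the Python below builds a constructed ClientHello, the first message of that dialogue, and parses one to list the versions and cipher suites the client offers. A TLS 1.3 client announces its real versions in the supported_versions extension while the legacy version field stays at TLS 1.2; the version and cipher suite identifiers are the IANA registry values, and the sample records are constructed here, not captured traffic.

```python
# Version and cipher suite identifiers as listed in the IANA TLS parameters registry.
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
LEGACY_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",        # RC4, RSA key transport
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # 3DES, CBC mode
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}    # CBC mode, SHA-1 MAC
EXT_SUPPORTED_VERSIONS = 0x002B

def u16(n): return n.to_bytes(2, "big")                   # big-endian 16-bit field helpers
def rd16(buf, p): return int.from_bytes(buf[p:p + 2], "big")

def build_client_hello(versions, suites):
    """Build a minimal ClientHello record (constructed sample input, not captured traffic)."""
    # A TLS 1.3 client keeps legacy_version at 0x0303 (TLS 1.2) for compatibility with old
    # middleboxes and lists the versions it really supports in the supported_versions extension.
    body = b"\x03\x03" + bytes(32) + b"\x00"              # legacy_version, random, empty session id
    body += u16(2 * len(suites)) + b"".join(u16(s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    if versions:                                          # pre-1.3 clients send no such extension
        data = bytes([2 * len(versions)]) + b"".join(u16(v) for v in versions)
        ext = u16(EXT_SUPPORTED_VERSIONS) + u16(len(data)) + data
        body += u16(len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + u16(len(handshake)) + handshake     # record type 22 = handshake

def parse_client_hello(record):
    """Return (offered_versions, offered_cipher_suites) from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                 # 5-byte record + 4-byte handshake header
    versions = [rd16(record, p)]                          # legacy_version: all an old client offers
    p += 2 + 32 + 1 + record[p + 34]                      # skip version, random and session id
    n = rd16(record, p)
    suites = [rd16(record, i) for i in range(p + 2, p + 2 + n, 2)]
    p += 2 + n
    p += 1 + record[p]                                    # skip compression methods
    if p + 2 <= len(record):                              # extensions are optional before 1.3
        ext_end = p + 2 + rd16(record, p)
        p += 2
        while p + 4 <= ext_end:
            etype, elen = rd16(record, p), rd16(record, p + 2)
            p += 4
            if etype == EXT_SUPPORTED_VERSIONS:           # TLS 1.3 clients list versions here
                versions = [rd16(record, i) for i in range(p + 1, p + 1 + record[p], 2)]
            p += elen
    return versions, suites

def removed_in_tls13(suites):
    """Names of offered suites built on algorithms TLS 1.3 dropped (RC4, 3DES, CBC, RSA key transport)."""
    return [LEGACY_SUITES[s] for s in suites if s in LEGACY_SUITES]
```

Run over a ClientHello captured from a real client, the same parser shows whether it can negotiate TLS 1.3 at all and which of its offered suites the new version will never select.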

New features in TLS 1.3

Performances

Until version 1.3, TLS needed 2 RTT to establish a connection. Now, 1 RTT is enough.

Better still, a new feature called 0-RTT lets a client that has already established a connection keep in memory the information about the server's certificate received during that first connection. The client will not have to request this data again on every request, saving 1 RTT.

The impact of these two improvements may seem small (1 RTT usually takes only a few hundred milliseconds), but for internet connections with high latency, such as connections from a mobile phone, the difference can be significant.

Security

In order to work correctly and encrypt data, TLS needs an encryption cipher.

Many are available, each one more or less recent and more or less secure.

TLS 1.3 removes a dozen obsolete ciphers and algorithms to strengthen the security of its data encryption:

  • RC4 Stream Cipher
  • RSA Key Transport
  • SHA-1 Hash Function
  • CBC Mode Ciphers
  • MD5 Algorithm
  • Various Diffie-Hellman groups
  • EXPORT-strength ciphers
  • DES
  • 3DES

How to use TLS 1.3

Libraries

OpenSSL is a library and toolkit for manipulating certificates and TLS connections. TLS 1.3 is supported since version 1.1.1, which is still in beta at the time of writing.

The final version compatible with TLS 1.3 is planned for release during the second half of 2018.

Web servers

Today, only Nginx supports TLS 1.3. Apache, which is built on the OpenSSL libraries, will be compatible after the release of OpenSSL 1.1.1.

Here is how to enable TLS 1.3 on Nginx by updating the website's vhost (the ssl_protocols directive goes inside the server block; the path below is the standard Debian/Ubuntu layout):

vi /etc/nginx/sites-available/website.conf

ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

Web browsers

Some browsers already support TLS 1.3:

  • Chrome (since version 66)
  • Firefox (since version 60)

More information on browser compatibility is available on caniuse.