Credit: Peter Sayer
Businesses dragging their heels over rolling out TLS 1.2 on their website might have an excuse to delay a little longer: Version 1.3 of the TLS (Transport Layer Security) encryption protocol will be finalized later this year, and early deployments of it are already under way.
TLS, the successor to SSL, is used to negotiate secure connections to web or mail servers, encrypting data on the move.
Six years in the making, TLS 1.2 added new, stronger encryption options -- but retained all the older, weaker encryption schemes that had gone before in the name of backward compatibility. Unfortunately, this meant that someone able to perform a man-in-the-middle attack could often downgrade connections to a weaker encryption system without the user being aware.
Such attacks are good reasons to upgrade to TLS 1.3, according to Filippo Valsorda, a systems and cryptography engineer who has deployed TLS 1.3 at content delivery network Cloudflare.
"A number of the vulnerabilities that came out in the last two years that affected TLS 1.2 wouldn't have affected TLS 1.3 because of changes to the protocol," he said at a meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) in mid-June.
The designers of TLS 1.3 chose to abandon the legacy encryption systems that were causing security problems, keeping only the most robust. That simplicity is perhaps one of the reasons it will be ready in half the time it took to design its predecessor.
Connections will still fall back to TLS 1.2 if one end is not TLS 1.3-capable -- but if a MITM attacker attempts to force such a fallback, under TLS 1.3 it will be detected, Valsorda said.
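The article does not spell out how that detection works. The mechanism TLS 1.3 uses is the downgrade sentinel from RFC 8446, section 4.1.3: a server that is itself TLS 1.3-capable but ends up negotiating TLS 1.2 or lower writes a fixed marker into the last eight bytes of its 32-byte ServerHello.random, and a client that offered TLS 1.3 yet received a lower version aborts if it sees that marker. A legacy server that never knew about TLS 1.3 writes no marker, so a genuine fallback still succeeds. The following Python is an added illustration of that rule, not code from the article or from Cloudflare; the `simulate` helper and the version tuples are this example's own scaffolding, and the "attacker strips TLS 1.3" branch only models the case the client is supposed to catch.

```python
# Added example: TLS 1.3 downgrade protection (RFC 8446, section 4.1.3).
# Not code from the article. Models both ends of the handshake so the
# client-side check can be exercised against an honest fallback and a
# tampered one.
import os

# Sentinel values written by a TLS 1.3-capable server that negotiates a
# lower version. Spelled out in RFC 8446: the ASCII bytes "DOWNGRD" plus
# 0x01 (TLS 1.2 negotiated) or 0x00 (TLS 1.1 or below negotiated).
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")
DOWNGRADE_TLS11_OR_BELOW = bytes.fromhex("444f574e47524400")

# Protocol versions as (major, minor) wire values; tuples compare in order.
TLS11 = (3, 2)
TLS12 = (3, 3)
TLS13 = (3, 4)


def server_random(negotiated_version, server_supports_tls13):
    """Build ServerHello.random the way a server is required to.

    A server that supports TLS 1.3 but negotiated something lower overwrites
    the last 8 bytes with the sentinel; any other server sends 32 random bytes.
    """
    rand = bytearray(os.urandom(32))
    if server_supports_tls13 and negotiated_version < TLS13:
        sentinel = DOWNGRADE_TLS12 if negotiated_version == TLS12 else DOWNGRADE_TLS11_OR_BELOW
        rand[24:] = sentinel
    return bytes(rand)


def detect_downgrade(client_max_version, negotiated_version, server_rand):
    """Client-side check. Returns True when the client must abort the handshake.

    The check only applies when the client offered TLS 1.3 and was handed
    a lower version; RFC 8446 says such a client MUST reject either sentinel.
    """
    if len(server_rand) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if client_max_version < TLS13 or negotiated_version >= TLS13:
        return False
    return server_rand[24:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11_OR_BELOW)


def simulate(client_max_version, server_supports_tls13, attacker_strips_tls13):
    """Run one version negotiation (hypothetical helper, this example's own).

    Returns (negotiated_version, downgrade_detected). The attacker flag models
    a man-in-the-middle rewriting the ClientHello so it no longer offers 1.3.
    """
    offered = client_max_version
    if attacker_strips_tls13 and offered >= TLS13:
        offered = TLS12
    negotiated = TLS13 if (server_supports_tls13 and offered >= TLS13) else TLS12
    rand = server_random(negotiated, server_supports_tls13)
    return negotiated, detect_downgrade(client_max_version, negotiated, rand)


if __name__ == "__main__":
    print("both 1.3, no attacker:   ", simulate(TLS13, True, False))
    print("legacy 1.2 server:       ", simulate(TLS13, False, False))
    print("1.3 server, MITM strips: ", simulate(TLS13, True, True))
    print("1.2-only client:         ", simulate(TLS12, True, False))
```

The third scenario is the one the article refers to: the server and client both speak TLS 1.3, the attacker forces them onto TLS 1.2, and the sentinel the server is obliged to send lets the client notice. The second scenario shows why this does not break real fallback to an older server, which never writes the marker.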
Almost 93 percent of the websites in Alexa's top one million supported TLS 1.2 as of January, up from 89 percent six months earlier, according to a survey by Hubert Kario's Security Pitfalls blog. But seven percent of one million means a lot of websites are still running earlier and even less secure protocols.
Among the laggards are some sites you would hope to be on top of security: those taking online payments. Payment processors are still urging sites using their services to upgrade to secure versions of TLS before June 30, 2018, a deadline imposed by the Payment Cards Industry Security Standards Council.
So if you're still dithering over an upgrade from SSL or an early version of TLS to the latest thing, why not go straight to TLS 1.3?