TLS 1.3 Final published: better security and speed
The final version of TLS 1.3 -- Transport Layer Security -- has been published by the IETF, the Internet Engineering Task Force, and popular browsers such as Firefox support it already (an earlier draft version and soon the final version).
Tip: point your browser to the SSL/TLS capabilities test on SSLLabs to find out which versions your browser supports. Check the protocol features on the page to find out which protocols the browser supports. If you want to check out which TLS versions a server supports, run the company's SSL Server Test tool instead.
TLS 1.3 is a major update to TLS 1.2 even though the minor increase of the version might indicate otherwise.
Transport Layer Security is what is used by devices for secure transactions on the Internet. Basically, if you see HTTPS being used in the browser it is powered by TLS. Whether that is TLS 1.3 already or TLS 1.2 depends on the browser and the site that the browser connects to.
Multiple drafts of the new TLS 1.3 specification were released in the past four or so years ever since work began in earnest on the new standard. Browser makers like Mozilla or Google implemented support for various draft versions and the functionality was considered experimental at that time.
Some sites did make use of TLS 1.3 already; Mozilla notes that about 5% of Firefox connections use TLS 1.3 already and that companies like Google, Facebook or Cloudflare support TLS 1.3 already.
Firefox supports a draft version that is essentially identical to the final published version. Mozilla plans to release the final version in Firefox 63 which the organization plans to release in October 2018.
Google Chrome supports an earlier draft version already as well and will support the final version of TLS 1.3 in an upcoming version.
Chrome and Firefox include options to manage TLS support in the browsers. Mozilla started to enable TLS 1.3 support in Firefox Stable in 2018.
What makes TLS 1.3 special?
TLS 1.3 is a major update of the standard that improves speed and security significantly. One of the main advantages of TLS 1.3 is that basic handshakes take a single round-trip compared to TLS 1.2's two round-trips. The time it takes to connect to servers that support TLS 1.3 is reduced because of that which means that web pages that support TLS 1.3 load faster in browsers that support the new standard.
Security is improved as well in TLS 1.3 when compared to previous versions. TLS 1.3 focuses on some widely known and analyzed cryptographic algorithms while TLS 1.2 includes support for more algorithms of which some were exploited successfully in the past.
TLS 1.3 encrypts most of the handshake next to that which improves privacy when connecting to servers as much of the information that is in the open when TLS 1.2 is used is now encrypted and unreadable while in transit.
Cloudflare published a technical overview of TLS 1.3 on the company blog; a good read for anyone interested in the topic.
In Waterfox prefs the setting for “security.tls.version.max” is 3 with “security.tls.version.min” showing 1.
I assume that means TLS will switch where appropriate according to what a site supports. Is that correct?
Yes that is right. 3 means up to TLS 1.2 is supported.
It sounds like “you will have to update your browser in near future”. Security holes are an open-ended honey pot allowing major browser companies to spy on you even more. Like viruses for anti-virus companies. I will be forced very soon to switch to Pale Moon v28 losing my full theme, forced to surf with themes all as ugly as each other. Bored.
I hope it doesn’t mean that all HTTPS site will only work with TLS 1.3 in the future.
No, it doesn’t mean that (well, depending on how far into the future you mean). 1.2 will continue to work for the foreseeable future. The introduction of 1.3 does mean, though, that the effort to officially kill off 1.0 and 1.1 has begun.
That said, everyone should move to 1.3 as soon as is practical. 1.2 is compromised and should not be considered trustworthy. It is not, at this time, a major security issue for most uses — but it will become that as time passes.
Thank you John for your answer.
Let’s hope “the foreseeable future” represents many years.
It very likely will. Remember that 1.0 was released in 1996 and it remains technically supported despite it being so insecure as the basically be like a lock on a screen door. Also, it’s taken four years to develop and release 1.3. These things don’t move quickly.
If history is any guide, 1.2 will be supported for at least another decade, although “past performance is no guarantee of future results”.
For those who want to remove the insecure cipher suites in Chrome at the Qualys SSL Test:
–cipher-suite-blacklist=0x002F,0x0035,0x000A,0x009C,0x009D
https://www.bleepingcomputer.com/forums/t/680687/test-qualys-ssl-labs-client-test-with-chrome/