The New Transport Layer Security (TLS) 1.3 Standard
By: Brandon Polk, Director of Compliance Services
Contextual Security Solutions | August 15, 2018 @ 11:02
It’s official… the new Transport Layer Security (TLS) protocol version has been released, TLS v.1.3, via RFC 8446. So what is TLS and why is it important? TLS is a communications protocol that securely exchanges information between two endpoint computers, a client and a server. TLS is the most widely deployed security protocol today and is used for things like HTTPS connections in web browsers, virtual private networks (VPNs), voice over IP (VoIP), and desktop applications.
TLS is the successor to the older Secure Sockets Layer (SSL) protocols and brings enhanced security and performance. Sometimes the terms SSL and TLS are used interchangeably; however, there are distinct technical differences between the two implementations and SSL is no longer considered a secure protocol. In fact, even early versions of TLS have known weaknesses that may allow an attacker to perform man-in-the-middle attacks and ultimately intercept the communications stream.
The latest version, TLS 1.3, addresses a couple of key aspects of the security implementation of the protocol. By utilizing a hybrid cryptosystem consisting of symmetric key cryptography (encryption and decryption keys are the same) and public key cryptography (encryption and decryption keys are different), you the protocol encrypts more data with less effort. This allows the encryption key exchanges to occur faster and reduces the overall footprint for an attacker to intercept. Finally, TLS 1.3 removes problematic encryption ciphers, such as CBC-mode and RC4 ciphers, that have been compromised to carry out information disclosure and downgrade attacks, such as the BEAST and FREAK attacks. Ultimately, all of this results in a faster and more secure TLS connection compared to previous versions as can be seen in the following illustration:
It is also important to note that some compliance frameworks pay close attention to system configuration standards including which protocol versions are implemented and how security features are configured. For example, PCI DSS requirements 2.2.3, 2.3, and 4.1 states that all versions of SSL and early versions of TLS do not meet the intent of strong cryptography or secure protocols and therefore cannot be used a security control.
For more information about how we can help you assess your security posture and determine whether it meets best practices and/or compliance requirements, contact us via info@contextualsecurity.com.