IETF releases TLS 1.3 standard

The IETF recently released the final version of the TLS 1.3 protocol as RFC 8446 (August 2018). With version 1.3 your website will be faster and more secure than before: the new protocol needs fewer round trips to set up a connection, and a lot of legacy cruft has been removed.

Improved performance

TLS 1.3 greatly speeds up the handshake in which a browser and your web server agree on keys. This handshake has to complete before the two parties can exchange any application data, so the sooner it gets out of the way, the better.

[Figure: the difference between a TLS 1.2 and a TLS 1.3 handshake. A full TLS 1.2 handshake needs two round trips before the client can send application data; TLS 1.3 needs one, and a resumed TLS 1.3 session can even send early data with zero round trips.]

As the figure illustrates, the number of round trips in a full handshake is cut in half in TLS 1.3. This matters because every round trip adds one full network latency to the time a page view takes: time your visitor spends staring at a blank browser window.

Security improvements

Version 1.3 improves the overall security of the protocol in two ways. First, it does away with a number of insecure legacy algorithms and technologies dating back to the previous century. Examples include MD5, RC4 and the so-called ‘export ciphers’; the export ciphers in particular were behind some of the most embarrassing attacks on TLS of the recent past, such as the FREAK and Logjam downgrade attacks. Second, what remains is stricter: every TLS 1.3 key exchange uses ephemeral Diffie-Hellman, so every connection has forward secrecy, and only AEAD cipher suites are left.

How to start using TLS 1.3

In order to start using the new goodies, a couple of items need to align. First, browsers need to support the new protocol. As usual, Microsoft is late to the show while Google and Mozilla are well ahead. I’d advise webmasters to wait a few months for all mainstream browsers to catch up. (A server that offers TLS 1.3 still negotiates TLS 1.2 with older browsers, so enabling it early does no harm as long as you keep TLS 1.2 switched on.)

The same goes for the makers of popular web servers, cryptography libraries and the operating systems that ship them. It is unlikely that a currently stable operating system release will suddenly start supporting a new version of TLS. So unless you want to get your hands dirty and recompile your TLS library and the web server stack that depends on it, I’d advise you to wait it out. In most cases this comes down to when OpenSSL 1.1.1 or later lands in your operating system of choice.
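Before deciding whether to wait, it helps to know what you already have. The following shell script is an added example, not code from the original post: it parses the `openssl version` string to decide whether the local build is 1.1.1 or newer (the first release with TLS 1.3), and reads the negotiated protocol out of an `openssl s_client` transcript. The two transcripts embedded in it are constructed samples, and the function names (`openssl_supports_tls13`, `negotiated_protocol`, `remote_protocol`) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a host is ready
# for TLS 1.3 by checking the OpenSSL build, and read the negotiated protocol
# out of an `openssl s_client` transcript.

# Succeeds (exit 0) when an "openssl version" string describes a build that
# can speak TLS 1.3: OpenSSL 1.1.1 or later, or any 3.x release.
# Anything else (1.0.2, 1.1.0, LibreSSL, garbage) is treated as "no".
openssl_supports_tls13() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$parsed" ] || return 1
    set -- $parsed          # $1=major $2=minor $3=patch (letter suffix dropped)
    if [ "$1" -ge 3 ]; then
        return 0
    fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -ge 1 ]; then
        return 0
    fi
    return 1
}

# Prints the protocol version recorded in the "SSL-Session:" block that
# `openssl s_client` prints after a handshake (e.g. "TLSv1.3"), or nothing
# when the transcript contains no such line (the handshake failed).
negotiated_protocol() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(TLSv1\.[0-9]\).*$/\1/p' |
        head -n 1
}

# Live probe of a remote host; not run here because it needs network access.
# The exit status of s_client is not a reliable signal, so inspect the transcript.
# An empty result means either the server refused TLS 1.3 or the local
# openssl is too old to understand -tls1_3, so check the local build first.
remote_protocol() {
    host=$1
    negotiated_protocol "$(openssl s_client -connect "$host:443" -servername "$host" -tls1_3 </dev/null 2>/dev/null)"
}

# Constructed, abridged samples of the tail of an `openssl s_client` transcript
# (real output also carries the certificate chain and more session fields).
SAMPLE_TLS13_TRANSCRIPT='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

SAMPLE_TLS12_TRANSCRIPT='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'

# Local toolchain check; skipped quietly when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if openssl_supports_tls13 "$v"; then
        echo "ready for TLS 1.3: $v"
    else
        echo "too old for TLS 1.3: $v"
    fi
fi
```

Once the library is in place the web server still has to be told to offer the protocol: on nginx that is `ssl_protocols TLSv1.2 TLSv1.3;` in the `server` block (nginx 1.13.0 or later, built against OpenSSL 1.1.1), and on Apache httpd 2.4.36 or later `SSLProtocol -all +TLSv1.2 +TLSv1.3`. Keep TLS 1.2 enabled alongside it so that older browsers can still connect.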

A much quicker option is to put a CDN such as Cloudflare in front of your site. They take over the internet-facing edge of your network and can serve TLS 1.3 to your users transparently; all you need to do is flick a switch in their control panel. Bear in mind that the CDN then terminates TLS on your behalf and sees your traffic in the clear, so the connection between the CDN and your origin server needs TLS of its own, and that their free plan has limitations, so make sure you know the quirks before you enable one.
