Increases in both performance and security are what can be expected as TLS 1.3 takes a less is more approach to encryption over the public Internet. The fourth generation of the TLS protocol - Transport Layer Security version 1.3 (TLS 1.3) was published in RFC 8446 in August 2018, and brings with it a higher level of performance and security to the Internet ecosystem.

Performance

Expect higher connection speeds with TLS 1.3 as it streamlines the number connections to establish a session.

TLS 1.2 uses two rounds of round-trip connections for session establishment. The first is a hello connection to establish the client and server and send the certificate. The second is a client key exchange and establishes encryption.

Less is more for TLS 1.3. This protocol version only uses one round-trip for session establishment. In this case, the client key share is provided with the client hello and the server can respond to establish the connection. Example of TLS 1.2 and TLS 1.3 handshakes

In the TLS handshake example above, we see TLS 1.3 will improve the connection speed by 100ms. For more information about the TLS 1.3 connection, see The New Illustrated TLS Connection for an explanation on every byte.

Enhanced Security

TLS 1.3 also applies a less is more approach to enhance security. Primarily, TLS 1.3 enhances security by removing the following attributes:

  • RSA key transport as is doesn’t provide forward secrecy
  • CBC mode ciphers which is responsible for BEAST and Lucky 13
  • RC4 stream cipher which has been subject to attack
  • SHA-1 hash function deprecated in favor of SHA-2
  • MD5, SHA-224 and DSA
  • Arbitrary Diffie-Hellman groups used in Logjam
  • Export ciphers responsible for FREAK and Logjam
  • Compression and renegotiation

And, TLS increases security by adding:

  • Protocol version downgrade protection
  • ChaCha20 stream cipher with the Poly1305 message authentication code
  • Ed25519 and Ed448 digital signature algorithms
  • x25519 and x448 key exchange protocols

Support
TLS 1.3 is already supported by Chrome, Mozilla and Opera as well as by major web service providers such as Google and Cloudflare.

Through December 2018, Netcraft advised that after reviewing over 49 million servers, 10.5 percent already support TLS 1.3. It may be too early to set a trend line, but indicators show the growth rate increasing at over 1 million servers per month. If growth accelerates through higher browser adoption and implementation by cloud providers, we may see TLS 1.3 supported by 50 percent of Internet connections by the end of 2019.

HTTP/3

The forthcoming HTTP/3 protocol will be more secure than HTTP/2, which is currently supported by about 50 percent of servers. HTTP/3, also known as HTTP-over-QUIC, is in development - draft IETF RFC. The good news is that since HTTP/3 is based on QUIC, it will be more secure than HTTP/2 as QUIC incorporates TLS 1.3 by default.

Although it took many years to develop TLS 1.3, it has been deployed before any vulnerabilities have been found in TLS 1.2, and should provide a secure Internet for many years.

Please find more information in our TLS 1.3 and TLS 1.2 comparison whitepaper.

Bruce Morton

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.