Last Updated: 30th September, 2019
TLS 1.3: Transport Layer Security (TLS), and its now-deprecated forerunner Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over a computer network. Several versions of the protocol are widely used in applications such as web browsing, instant messaging, voice over IP (VoIP), and email. Websites can use TLS to secure all communication between their servers and web browsers.
The primary objective of the TLS protocol is to provide privacy and data integrity between two or more communicating computer applications.
Calls to outlaw encrypted communication platforms are made in the United States almost every year. Occasionally these escalate to demands for “backdoors” to be placed in encryption so that law enforcement can unlock devices or intercept messages between terrorists and criminals.
The frustrated response from the tech community is normally twofold: it would be technically impossible, as many encryption schemes are open source, and backdoors just make it easier for criminals to break into systems. Even the NSA, the world’s largest spy agency, has been compromised in the past, so who is supposed to look after these backdoors?
Every day, enterprises large and small lawfully intercept, decrypt and inspect encrypted IP traffic. The reasons range from enforcing internet access policies and meeting regulatory mandates to protecting against malware and intellectual property theft.
This lawful intercept is made possible by provisions within TLS, the internet’s most widely used encryption scheme, that allow a proxy server or in-line filter, such as a next-generation firewall, to act as a certificate authority for users making a TLS connection across an IP network.
However, TLS 1.2 has a number of issues, including reliance on older cryptographic primitives that are less secure than modern equivalents. As a result, the new TLS 1.3 version is now being rolled out as a replacement. This updated version is more secure, offers faster handshakes with lower latency, and adds new connection privacy protections intended to protect individuals from man-in-the-middle attacks and ‘pervasive monitoring’.
One of the biggest changes in TLS 1.3 is that server certificates are now sent encrypted, which makes it difficult for an enterprise proxy or content-inspection server to determine whether a connection is to a legitimate destination, such as a bank, or is malware sending command-and-control traffic back to an attacker.
With TLS 1.3, once a connection is made through a proxy, that proxy needs to maintain the connection for the entire duration of the communication.
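An added illustration of the visibility change described in the two paragraphs above (example code written for this page, not from the original article): a small parser that, given the server's first flight of TLS records, reports the negotiated version, whether a Certificate message is readable in the clear, and how many records are already opaque ciphertext. The sample flights are constructed inline and are not real captures; real ServerHellos carry more extensions, which the parser simply skips.

```python
import struct

HANDSHAKE, APPLICATION_DATA, SERVER_HELLO, CERTIFICATE = 22, 23, 2, 11  # record / handshake types
EXT_SUPPORTED_VERSIONS = 0x002B

def records(data):
    """Split a raw byte stream into (content_type, payload) TLS records."""
    i = 0
    while i + 5 <= len(data):
        ctype, _legacy_ver, length = struct.unpack("!BHH", data[i:i + 5])
        yield ctype, data[i + 5:i + 5 + length]
        i += 5 + length

def negotiated_version(hello):
    """TLS 1.3 signals itself in supported_versions; 1.2 uses the legacy version field."""
    legacy = struct.unpack("!H", hello[:2])[0]
    p = 2 + 32 + 1 + hello[34] + 2 + 1          # version, random, session_id, suite, compression
    end = p + 2 + int.from_bytes(hello[p:p + 2], "big")   # empty slice -> no extensions block
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[p:p + 4])
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return struct.unpack("!H", hello[p + 4:p + 6])[0]
        p += 4 + elen                           # skip any other extension (key_share, ...)
    return legacy

def inspect_server_flight(data):
    """Summarise what a passive middlebox learns from the server's first flight."""
    version, cert_in_clear, encrypted = None, False, 0
    for ctype, payload in records(data):
        if ctype == APPLICATION_DATA:
            encrypted += 1                      # opaque ciphertext (TLS 1.3 after ServerHello)
        p = 0
        while ctype == HANDSHAKE and p + 4 <= len(payload):
            htype, hlen = payload[p], int.from_bytes(payload[p + 1:p + 4], "big")
            body = payload[p + 4:p + 4 + hlen]
            if htype == SERVER_HELLO:
                version = negotiated_version(body)
            elif htype == CERTIFICATE:
                cert_in_clear = True            # plaintext Certificate: seen only with TLS 1.2
            p += 4 + hlen
    return {"version": version, "certificate_in_clear": cert_in_clear, "encrypted_records": encrypted}

# Constructed sample flights (not real captures); minimal builders for records and messages.
def rec(ctype, payload): return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def hs(htype, body): return bytes([htype]) + len(body).to_bytes(3, "big") + body
HELLO_12 = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"     # no extensions
HELLO_13 = HELLO_12 + b"\x00\x06" + b"\x00\x2b\x00\x02\x03\x04"             # supported_versions = 0x0304
TLS12_FLIGHT = rec(HANDSHAKE, hs(SERVER_HELLO, HELLO_12) + hs(CERTIFICATE, b"\x00\x00\x00"))
TLS13_FLIGHT = rec(HANDSHAKE, hs(SERVER_HELLO, HELLO_13)) + rec(APPLICATION_DATA, b"\xaa" * 16) * 2
```

Running `inspect_server_flight` on the two flights shows the TLS 1.2 one exposing its Certificate in plaintext, while the TLS 1.3 one yields only the version from the ServerHello followed by encrypted records.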
Although most browsers now support TLS 1.3, most of the big services treat it as optional rather than mandatory. However, this may well change, and some of the large SaaS and cloud providers are considering this approach.
For enterprises, this supposed improvement in security may well cause several headaches when it comes to lawful inspection. Firstly, enterprises need to maintain a proxy for all TLS 1.3 sessions, even where the communication is deemed to be legitimate and secure.
When deployed in its most secure configuration, TLS 1.3 does make it harder for enterprises to determine content and legitimacy, and as such its use will undoubtedly force enterprises to ramp up resource utilization on SSL/VPN/proxy appliances.
Organizations have a choice to make: stay on TLS 1.2 for as long as possible, accepting all of its flaws, or move to TLS 1.3 and scale up proxy/VPN appliances to deal with the new workload. A more innovative approach is to move to a cloud access security broker (CASB) model, which can effectively act as an inspection portal for all IP traffic flows.
For smaller organizations, this CASB model may prove to be overkill, but it can be really beneficial for larger organizations that have many diverse applications (SaaS, PaaS, IaaS) and distributed or mobile workers.
Architecting such a migration does require a multi-discipline team spanning security, networking, applications and policy experts, but the benefits include a much more robust access control process and, if done right, a simpler way of managing the whole process irrespective of use case.
Adoption of TLS 1.3 is still sluggish: a recent survey by SSL Labs suggests that as of May 2019, only 14.2% of the 150,000 most popular sites on the internet support TLS 1.3. However, several large CDNs, including Akamai and Cloudflare, already offer TLS 1.3 by default.
This situation will improve further if one of the bigger SaaS services starts to require it, or if more vulnerabilities are discovered in TLS 1.2 that further undermine its usefulness. TLS 1.3 will ultimately become the standard, and for enterprises, the clock is ticking.