There hasn’t really been a major update in security encryption protocols, but we live in a world where malware infects millions of users daily. And thus a new version, TLS 1.3, was launched to help us curb the problem of data security. Experts all over the world have given mixed reactions to this. The reason is that this new version will help users enhance their security practices but will also help the “bad guys” in breaching privacy. How, you ask? Let’s begin the discussion by getting to know TLS.
What Is TLS?
Transport Layer Security, abbreviated as TLS, is the successor of SSL (Secure Sockets Layer). It’s basically a secure connection established between servers and web browsers. You might wonder why and how it is secured. It is because symmetric cryptography is used to encrypt the data that is being transmitted. The keys are uniquely generated for each connection that is established and are shared at the beginning of each session. This is also known as the TLS handshake. IP-based protocols such as HTTPS, SMTP, POP3 and FTP support TLS for encrypting data. So, when you access any website, the web browser is actually using the SSL certificate. Because of this, you see “HTTPS” in the URL, which indicates that the website is authentic. But what is special about TLS 1.3?
TLS 1.3: What’s New In This?
Well, the new version will only support data encryption channels that provide Perfect Forward Secrecy. Simply put, this version ensures that no one will be able to keep a copy of encrypted traffic and decrypt it via a brute-force attack. This will eventually limit the use of ciphers, which implies that “not only channel but also the setup of the session will be largely encrypted.” This is a huge step and will reduce the time and number of rounds for data transfer. If we compare the handshake of version 1.2 with that of 1.3, the results come out as follows:
It is faster and takes fewer rounds. This is possible because of TLS False Start and Zero Round Trip Time. Moreover, the major problem with TLS 1.2 was that it was not easy to configure on websites, which rendered them vulnerable to attacks. With TLS 1.3, this is resolved, along with SHA-1, RC4, AES-CBC, MD5 and many others that were a major problem in TLS 1.2. So, we can say that, just like HTTP/2, this is another protocol that will benefit us. Everything seems fine with this, so why are a few experts unhappy?
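To make the cipher changes above concrete, here is an added example (not from the original article) that audits a list of cipher suites for the features named above: missing forward secrecy, RC4, CBC mode, and SHA-1 or MD5 MACs. It assumes OpenSSL-style suite names; the function names and the sample list are constructed for illustration.

```python
"""Added example: flag legacy features in OpenSSL-style cipher suite names.
Heuristic for common AES/3DES/RC4 suite names; the sample list is constructed."""

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def audit_suite(name):
    """Return a list of findings for one OpenSSL cipher suite name."""
    if name.startswith("TLS_"):
        if "_WITH_" in name:
            # IANA-style TLS 1.2 names are outside this parser's scope.
            raise ValueError("IANA-style name, expected OpenSSL-style: " + name)
        # TLS 1.3 suites: AEAD only; full handshakes use ephemeral (EC)DHE.
        return []
    parts = name.split("-")
    findings = []
    if parts[0] not in ("ECDHE", "DHE"):
        findings.append("no forward secrecy (static key exchange)")
    if "RC4" in parts:
        findings.append("RC4 stream cipher")
    elif not any(marker in part for part in parts for marker in AEAD_MARKERS):
        # OpenSSL omits "CBC" from most names: a non-AEAD block cipher is CBC.
        findings.append("CBC-mode block cipher")
    if parts[-1] == "SHA":
        findings.append("SHA-1 MAC")
    elif parts[-1] == "MD5":
        findings.append("MD5 MAC")
    return findings


def audit(suites):
    """Map each suite with findings to those findings; clean suites are omitted."""
    report = {}
    for suite in suites:
        findings = audit_suite(suite)
        if findings:
            report[suite] = findings
    return report


# Constructed sample: a server's configured suites in preference order.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5",
]

if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(findings)}")
```

Suites that appear in the report are the ones to remove from a TLS 1.2 configuration; the TLS 1.3 suites pass without findings.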
Where Things Start Getting Tricky?
Let’s assume that a browser tries to connect to a server, but the middlebox device (which scans for malware along an encrypted channel) is not running TLS 1.3. Three things can happen:
- The middlebox may opt to block the session, which will lead to a terrible user experience because the user will not be able to access the website.
- It might let the session continue without inspection, which will be a win-win situation for malware.
- The middlebox may downgrade the session to a weaker TLS connection.
None of these is desirable, and thus we can say that the best thing about this protocol is also the worst one! Also, if you are someone who needs to access websites to gather information, your spree might get hindered. Why? Because not all websites are certified and this protocol will not let you access them! If we expand our horizons, we’ll see that sectors such as banking and healthcare are not yet ready for this. Thus, the concerns of security experts are genuine. We might struggle a lot if we implement this new protocol without proper analysis and upgrades. There is no denying that this protocol will be implemented, but we’ll have to be prepared. Ad-hoc users might not find this a big challenge, but enterprises need to act soon, as they will take time! Mark Urban has conveyed that “In fact, many organizations already have existing network security architectures in place that are fine-tuned to deal with current conditions and changing the strength of encryption can create challenges.”
Will These Be Able To Counter New Issues?
Any system left unattended will invite hackers, and no matter what format we have used for data encryption, we’ll be in trouble. The hackers won’t sit idle for long and will try to exploit the vulnerabilities, and we cannot stay blind to the fact that we are definitely behind them. We hope that security professionals come up with tactics to help us deal with the problems. Till then, we can appreciate that a new protocol has been released and that we are moving forward in the world of the web! What do you think? Do let us know in the comments section below!