TLS (Transport Layer Security) is the cryptographic protocol that provides communication security to all modern websites. First released in 1999 as an upgrade to now-deprecated SSL 3.0, TLS 1.0 evolved into TLS 1.1 and then, in 2008, into the current TLS 1.2 version. While TLS 1.2 has been an enormous success over the last ten years, the ever-changing web security landscape and the emerging cyber threats have long required an improvement. After a decade in the making and 28 drafts to define, TLS 1.3 was finally released in August 2018. In this quick overview, we’ll show you what is new in TLS 1.3.
TLS 1.3 removes obsolete algorithms and ciphers
The two key areas where TLS 1.3 improves on its predecessor are security and speed. TLS 1.3 removes several vulnerable and out-of-date features that TLS 1.2 still carries. Below are some of the ciphers and algorithms dropped by TLS 1.3:
- RC4 Stream Cipher
- RSA Key Transport
- SHA-1 Hash Function
- CBC (Block) Mode Ciphers
- MD5 Algorithm
- Various Diffie-Hellman groups
- EXPORT-strength ciphers
A simplified protocol is easier to implement correctly, and at the same time it leaves attackers fewer weak options to probe.
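The list above can be checked against the cipher suites your own TLS library offers. The following script is an added example, not part of the original article: it reads the suite descriptions that Python's standard `ssl` module exposes through `SSLContext.get_ciphers()` (fields such as `kea`, `symmetric`, `digest`, `aead` and `strength_bits`) and reports, for each suite, which of the removed primitives it depends on. The classification rules are this example's own reading of the list above, not an OpenSSL API; on a build with OpenSSL 1.1.1 or later the `TLSv1.3` suites come out with no findings, because all of them use ephemeral key exchange and AEAD ciphers.

```python
"""Added example: map the primitives TLS 1.3 dropped onto the cipher suites
your OpenSSL build offers. Standard library only.

The dict fields used here ("kea", "symmetric", "digest", "aead",
"strength_bits") are those returned by ssl.SSLContext.get_ciphers(); the
classification rules are this example's own, not an OpenSSL API."""
import ssl


def removed_in_tls13(cipher):
    """Return the reasons a suite, as described by get_ciphers(), relies on a
    primitive TLS 1.3 no longer supports. An empty list means none apply."""
    kea = (cipher.get("kea") or "").lower()              # key exchange, e.g. "kx-rsa"
    symmetric = (cipher.get("symmetric") or "").lower()  # bulk cipher, e.g. "aes-128-cbc"
    digest = (cipher.get("digest") or "").lower()        # MAC digest; None for AEAD suites
    reasons = []
    if kea == "kx-rsa":
        reasons.append("RSA key transport")
    if "rc4" in symmetric:
        reasons.append("RC4 stream cipher")
    if "cbc" in symmetric:
        reasons.append("CBC mode cipher")
    if digest == "md5":
        reasons.append("MD5 MAC")
    if digest == "sha1":
        reasons.append("SHA-1 MAC")
    if cipher.get("strength_bits", 128) < 112:
        reasons.append("EXPORT-strength key")
    return reasons


def survey(context=None):
    """Classify every suite the context offers.
    Returns a list of (name, protocol, reasons) tuples."""
    if context is None:
        context = ssl.create_default_context()
    return [(c["name"], c["protocol"], removed_in_tls13(c))
            for c in context.get_ciphers()]


def tls13_suites(context=None):
    """Names of the TLS 1.3 suites the build offers (empty on OpenSSL < 1.1.1)."""
    return [name for name, proto, _ in survey(context) if proto == "TLSv1.3"]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "HAS_TLSv1_3 =", ssl.HAS_TLSv1_3)
    for name, proto, reasons in survey():
        print(f"{proto:8} {name:40} {', '.join(reasons) or 'no removed primitives'}")
```

Run it on the server host as well as on a workstation: a build whose `tls13_suites()` comes back empty cannot negotiate TLS 1.3 no matter what the web server configuration says.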
TLS 1.3 is faster than TLS 1.2
TLS 1.3 introduces a brand new handshake which reduces the time it takes to establish an encrypted connection. Previously, TLS 1.2 required two round-trips to complete the TLS handshake, but the 1.3 release needs only one round-trip. This change halves handshake latency. Even though the difference is measured in milliseconds, it adds up at scale and helps companies improve their network performance.
Another new feature that cuts down the encryption time is the Zero Round Trip Time Resumption (0-RTT). When a user re-visits your site in a short time, 0-RTT makes the connection almost instantaneous.
What browsers support TLS 1.3?
At the time of writing this article, Chrome (67+), Firefox (61+), Opera (57+), Edge (76), and Safari (12.3) all support the latest TLS release. Chrome and Firefox were the first to roll out support for TLS 1.3.
How to enable TLS 1.3 on your server?
Popular server platforms such as Apache and Nginx, as well as some CDNs, including Cloudflare, support the new TLS 1.3 protocol. Updating to the new versions is easy.
First, you need to update your SSL/TLS library to one of the following versions:
- OpenSSL 1.1.1
- GnuTLS 3.5.x
- Facebook Fizz (current)
- Google’s Boring SSL (current)
Once you’ve updated your library, choose your server, and follow the steps below:
Enable TLS 1.3 on Apache
TLS 1.3 is available starting from Apache HTTP 2.4.38.
- Log into your Apache server
- Back up, then open, the SSL configuration file (ssl.conf by default)
- Locate the SSLProtocol line
- Add +TLSv1.3 at the end of the SSLProtocol line
- Your final line should look like this: SSLProtocol -all +TLSv1.2 +TLSv1.3
- Save the file and restart Apache HTTP
Enable TLS 1.3 on Nginx
TLS 1.3 is available starting from Nginx 1.13.
- Log into your Nginx server
- Back up the nginx.conf file
- Open nginx.conf using vi or your favorite editor
- Locate the ssl_protocols line
- Add TLSv1.3 at the end of the line
- Your final line should look like this: ssl_protocols TLSv1.2 TLSv1.3;
- Save the file and restart Nginx
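Both procedures end with one edited directive line, and a typo there leaves the server either without TLS 1.3 or with legacy versions still enabled. The script below is an added example, not part of the original article or of the Apache or Nginx projects: it parses an Apache SSLProtocol line (where + adds, - removes, and the all keyword expands to every version the build knows) or an nginx ssl_protocols line, reports whether TLSv1.3 is enabled and whether SSLv3, TLSv1 or TLSv1.1 are still on, and offers an optional live check that connects to a host and returns the version it negotiates. The expansion of all to SSLv3 through TLSv1.3 is an assumption matching Apache 2.4.38+ built against OpenSSL 1.1.1; the sample lines are the two from the steps above plus one constructed older setting.

```python
"""Added example: lint the Apache SSLProtocol / nginx ssl_protocols lines from
the steps above and, optionally, confirm from outside that a server negotiates
TLS 1.3. Standard library only."""
import socket
import ssl
import sys

# Protocol names as Apache mod_ssl and nginx spell them.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Assumption: what Apache's "all" keyword expands to on 2.4.38+ with OpenSSL 1.1.1.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions a hardened configuration should not leave enabled.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _canonical(token):
    """Case-insensitive lookup of a protocol token, e.g. 'tlsv1.3' -> 'TLSv1.3'."""
    for name in KNOWN:
        if token.lower() == name.lower():
            return name
    raise ValueError(f"unknown protocol token {token!r}")


def enabled_protocols(line):
    """Return the set of protocols one directive line enables.

    Apache: '+' adds, '-' removes, no prefix adds; 'all' expands to APACHE_ALL.
    nginx: a plain list terminated by ';'."""
    tokens = line.strip().rstrip(";").split()
    if not tokens:
        raise ValueError("empty directive")
    directive, args = tokens[0].lower(), tokens[1:]
    if directive == "sslprotocol":
        enabled = set()
        for tok in args:
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            group = APACHE_ALL if name.lower() == "all" else {_canonical(name)}
            enabled = enabled | group if sign == "+" else enabled - group
        return enabled
    if directive == "ssl_protocols":
        return {_canonical(tok) for tok in args}
    raise ValueError(f"not a protocol directive: {tokens[0]!r}")


def findings(line):
    """Human-readable problems with a directive line; an empty list means it is fine."""
    enabled = enabled_protocols(line)
    out = []
    if "TLSv1.3" not in enabled:
        out.append("TLSv1.3 not enabled")
    out.extend(f"{p} still enabled" for p in sorted(enabled & LEGACY))
    return out


def negotiated_version(host, port=443, timeout=5.0):
    """Connect with a modern client and return the version the server picked,
    e.g. 'TLSv1.3'. Needs network access, so it is not exercised by the linter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    samples = (
        "SSLProtocol -all +TLSv1.2 +TLSv1.3",  # the Apache line from the steps above
        "ssl_protocols TLSv1.2 TLSv1.3;",      # the nginx line from the steps above
        "SSLProtocol all -SSLv3",              # constructed: a common older setting
    )
    for sample in samples:
        print(f"{sample!r}: {findings(sample) or 'OK'}")
    if len(sys.argv) > 1:  # e.g. python tls13_check.py example.com
        print(sys.argv[1], "negotiated", negotiated_version(sys.argv[1]))
```

The live check reports what the server actually picked for a client that offers TLS 1.3; if it prints TLSv1.2 after the restart, the library behind the web server is the usual culprit rather than the directive.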
It will take a while for TLS 1.3 to be universally adopted, and you can speed up the process by enabling it on your website and systems. The benefits are for everyone to see: faster, lighter and, most importantly, safer encryption for your business and customers.