• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • Daily Security Bytes
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

TLS 1.3 Is Coming and That’s Just Fine

March 28, 2018 By Marc Laliberte

Lock Key

This week, the Internet Engineering Task Force (IETF) formally approved TLS 1.3 draft 28 as a Proposed Standard, officially making it the latest revision of the Transport Layer Security (TLS) protocol. The approval comes after four years of revision by the TLS Working Group and leaves TLS 1.3 only a few verified implementations away from receiving Internet Standard designation.

TLS 1.3 contains several major differences from TLS 1.2 to improve both security and operability. New additions include:

  • 0-RTT (Zero Round Trip Time Resumption). 0-RTT is a new negotiation mode designed to speed up resumed connections by allowing clients to send encrypted application data along with their session renegotiation message. This differs from previous TLS negotiation modes that require clients and servers to complete the entire handshake before sending encrypted data.
  • Removal of all static RSA and Diffie-Hellman cipher suites. In TLS 1.3, only cipher suites that offer perfect forward secrecy (PFS) are allowed. Without PFS, an attacker that obtains an RSA private key or other pre-shared key off of a server could then decrypt all SSL/TLS traffic sent to and from that server. With PFS, every session uses a new unique key meaning a single compromised session doesn’t impact every other session.
  • New session handshake process. TLS 1.3 overhauls the session handshake process, with changes such as deprecating the TLS 1.2 version negotiation field, encrypting all messages after the ServerHello, and even removing some messages entirely like ChangeCipherSpec.

You can find the rest of the major changes from TLS 1.2 on page 16 of the proposed standard document.

Of all the changes coming with TLS 1.3, the two most controversial ones are 0-RTT and the deprecation of the RSA key exchange. While 0-RTT significantly improves latency in many cases, it comes at the cost of security. Without going into the nitty-gritty details, 0-RTT messages are vulnerable to replay attacks, meaning an attacker capable of capturing your encrypted connection can re-send (replay) your 0-RTT data to the server, potentially triggering unexpected behavior. The good news is, most modern web applications are replay-resilient on their own to deal with normal network glitches. That said, 0-RTT’s inclusion means all applications and services that implement TLS 1.3 must be mindful of potential replay attacks.

The removal of the RSA key exchange and other non-PFS cipher suites has triggered concerns from many companies and organizations that rely on SSL/TLS decryption for security and data loss prevention. Members of the financial industry have noted that this change renders out-of-band decryption nearly impossible.

Potential privacy concerns aside, SSL/TLS decryption is vital for ensuring security in the modern work place. Malware authors are increasingly adopting encryption to hide their communication and second stage payloads from detection. Luckily, in-line proxies (like those in the WatchGuard Firebox appliances) will remain perfectly capable of decrypting TLS 1.3 traffic after implementing the new protocol standard. In-line proxies preform what is effectively a man-in-the-middle (MitM) attack against SSL/TLS sessions, a process that PFC-enabled cipher suites do not impact.

If you are a WatchGuard customer, we are in the process of testing TLS 1.3 internally while awaiting the final release OpenSSL v1.1.1, which will add support for the approved standard. Until the WatchGuard proxies officially support TLS 1.3, content inspection via decryption will still work, albeit by securely downgrading TLS 1.3 negotiations to TLS 1.2. –Marc Laliberte

Share This:

Related

Filed Under: Editorial Articles Tagged With: Infosec news

Comments

  1. Jon DeGeorge says

    August 19, 2018 at 6:51 am

    I am very happy that you actually implemented TLS 1.2 correctly. Proxies that break with 1.3 handshakes are NOT implementing 1.2 correctly.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • USA’s Answer to GDPR
  • Rolling PWN

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Hacker Summer Camp 2022
  • Private Sector Offensive Actors
  • USA’s Answer to GDPR
  • Rolling PWN
  • Over a Billion Records Leaked in Shanghai National Police Database Hack
View All

Search

Archives

Copyright © 2022 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use