Transport Layer Security is a security protocol used for facilitating seamless and safe communication between servers and web browsers. Put it his way, TLS encrypts data so that only the intended recipient and the sender can access it. Currently, TLS 1.2 and TLS 1.3 are the most commonly used TLS versions. After some major upgrades, TLS's 1.3 version has emerged as one of the most extensively used and the safest security protocols for websites that need a high-end encryption service. The latest TLS 1.2 and TLS 1.3 are faster and safer than their outdated versions.
TLS 1.3 - A Safer Alternative to the Previous TLS Versions
The Internet Engineering Task Force has introduced several modifications in Transport Layer Security in the past eight years. TLS 1.2 version has been in use by most website owners because of its excellent security features and unparalleled speed. However, more and more companies are now switching to TLS 1.3 for improved performance and better security. Additional features, like Zero Round Trip Time and the TLS False Start, have improved encryption speed. Like HTTP/2, this latest TLS upgrade is expected to benefit all websites. By enhancing your site’s security and loading speed, TLS 1.3 will result in an excellent user experience.
How is TLS 1.2 Different from TLS 1.3?
The biggest difference between TLS 1.2 and 1.3 is that two round trips are required for executing a TLS handshake in the 1.2 version, while the 1.3 completes the same in just one round trip. The encryption connections, as a result, have gotten faster than before. Not only does it improve the security and lower the latency, but this improvement in the speed has been shown to speed up the website loading times.
TLS 1.2 consisted of various features, including but not limited to, DES, 3DES, SHA-1, RC4, and MD5, all of which needed secure and proper configuration in order for this safety protocol to function properly. Failure to configure TLS 1.2 securely would make your website highly vulnerable to cyber-attacks. Security consultants and experts have said that TLS 1.3 will become safer and faster in the coming years.
Google has also done its part in informing each website owner about the risks associated with TLS 1 and how the websites must be moved to the TLS 1.2 or the latest TLS 1.3 versions for improved security and performance. Although Chrome and other popular browsers support TLS 1.3, some browsers, like Opera, are yet to embrace the latest version of TLS. People believe that this delay in adopting the latest versions of the Transport Layer Security is the incompatibility of this protocol with the SSL services. You can take the SSL server test to determine whether your server is compatible with TLS 1.3.
Detecting obsolete TLS configurations
Over time, new versions of the TLS protocol are developed and some of the previous versions become obsolete for numerous technical reasons or vulnerabilities such as TLS versions 1.0 and 1.1, and therefore should no longer be used to sufficiently protect data.
NSA's recommended detection strategy contains three stages:
Stage 1: identify clients and servers which are using old TLS versions. If a client offers or a server accepts any old TLS or SSL version, traffic should be blocked immediately.
Stage 2: when TLS 1.2 is in use, you should detect whether the traffic is based on an obsolete cipher suite.
Stage 3: when TLS 1.2 or TLS 1.3 are in use with the right cipher suites, key exchange mechanisms should be investigated. If a weak key exchange method is detected, it should be blocked.
The following table indicates the prioritization and urgency for immediate remediation of obsolete TLS versions from the NSA:
Version | Additional Monitoring | Traffic Response | Asset Response |
---|---|---|---|
SSL 2.0 | N/A | Immediate Block | Disable service until reconfigured to only support TLS 1.2 and TLS 1.3. |
SSL 3.0 | N/A | Immediate Block | Disable service until reconfigured to only support TLS 1.2 and TLS 1.3. |
TLS 1.0 | N/A | Immediate Block | Immediately reconfigure to only support TLS 1.2 and TLS 1.3 |
TLS 1.1 | If not blocked, detect obsolete cipher suites | Blocking recommended | Reconfigure to only support TLS 1.2 and TLS 1.3 as soon as possible |
Recommended hardening for TLS
Obsolete TLS provides a false sense of security and sensitive data requires robust protection. Using CalCom's software CHS is capable of producing an accurate report regarding hardening SSL/TLS protocol consequences, so you won't find out about it only when it breaks. Learn More about CalCom's Hardening Suite (CHS) and how it will present the status of each server and indicate whether it is hardened according to best practice recommendations.