New, stronger crypto standard lacks backward compatibility
The Internet Engineering Task Force is on the verge of approving a new standard for encrypted internet traffic that will make the web a safer place to shop, bank and browse — but it could also break a lot of stuff for people who don’t update their browsers.
Transport Layer Security, or TLS, is an encryption protocol that works with web browsers. It’s the math, and the shared standards, that underlie the green padlock users see — the symbol that gives users confidence that they are connected to the right site and that the connection is private enough to share personal or financial data.
TLS supersedes SSL, or Secure Sockets Layer — a protocol dating back to 1995 that has proven to be thoroughly broken. But the latest TLS version was finalized in 2008 and in recent years has been the subject of many high-profile attacks and newly discovered bugs.
The first draft of TLS 1.3 was offered by the IETF in 2014 and the non-profit, which sets the standards that keep the internet universally compatible and open, has since been working on a final version.
“There’s no timeline” for the IETF working group to finish drafting the standard, task force spokesman Greg Wood told Cyberscoop. The 15th draft was published last month.
“It’s a consensus-based process … Once the working group is in agreement, the final standard is sent out for review by the wider technical community,” Wood said.
Any issues raised at that stage have to be addressed before the task force publishes the standard and it comes into force, he explained.
Nonetheless, Mozilla’s Firefox and Google’s Chrome browsers have implemented preliminary versions of TLS 1.3 in their developer releases — the latest, as yet untested, updates to their software which they share ahead of public release. And there are other programs implementing the new standard, too.
“TLS 1.3 is a huge step forward for web security and performance,” wrote Nick Sullivan of Cloudflare, the content delivery company. Cloudflare announced Tuesday that they will be offering TLS 1.3 to all their customers.
Crypto experts agree 1.3 will be faster and much more secure. Older versions of TLS typically require at least three exchanges between the server hosting web content and the browser viewing it before any actual traffic can move. This is known as 3-RTT, for Round Trip Time, and contributes to the latency that sometimes plagues encrypted sites.
The lower the RTT, the faster the web connection. TLS 1.3 aims for a maximum of 1-RTT, according to engineers.
However, one of the ways TLS 1.3 is being made more secure is to eliminate what engineers call backwards compatibility — the ability of websites using the new standard to be viewed with outdated browsers.
“The need for backwards compatibility allows an attacker to force the [encryption] protocol into an older, insecure, version,” wrote Bruce Schneier in 1998 — the year SSL was first introduced.
Backwards compatibility is at the root of many vulnerabilities in earlier versions of TLS — like the POODLE and FREAK attacks.
To deal with this problem, TLS 1.3 will eliminate many older, less secure encryption technologies, including RC4 ciphers, SHA-1 hashes and so-called “export grade” ciphers.
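As an added illustration (not code from the article or from any project it mentions), the Python sketch below flags cipher suites that rely on the primitives named above and builds a client context with a version floor, so a handshake fails rather than falling back. The function names, the name-matching heuristic and the sample suite list are assumptions of this example.

```python
import re
import ssl

# Heuristic markers for the legacy primitives the article says TLS 1.3 drops.
# The token rules are an assumption of this example, based on OpenSSL and
# IANA cipher-suite naming conventions.
def legacy_flags(suite_name):
    """Return the set of legacy features implied by a cipher-suite name."""
    tokens = re.split(r"[-_]", suite_name.upper())
    flags = set()
    if "RC4" in tokens:
        flags.add("RC4")
    if "EXP" in tokens or "EXPORT" in tokens:
        flags.add("export-grade")
    if tokens[-1] == "SHA":  # a bare "SHA" suffix denotes HMAC-SHA-1
        flags.add("SHA-1")
    return flags

def audit(suite_names):
    """Map each offending suite name to the legacy features it uses."""
    return {n: legacy_flags(n) for n in suite_names if legacy_flags(n)}

def strict_client_context():
    """Client context that fails the handshake instead of falling back."""
    ctx = ssl.create_default_context()
    # Version floor: require TLS 1.3, or TLS 1.2 where the local OpenSSL
    # build has no TLS 1.3 support.
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3
                           else ssl.TLSVersion.TLSv1_2)
    return ctx

# Constructed sample: suite names as a scanner or server config might list them.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "RC4-SHA",
    "EXP-RC4-MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE).items():
        print(f"{name}: {', '.join(sorted(flags))}")
    ctx = strict_client_context()
    enabled = [c["name"] for c in ctx.get_ciphers()]
    print("floor:", ctx.minimum_version.name)
    print("legacy suites still enabled locally:", audit(enabled))
```

Run against the output of a server scan or a local `get_ciphers()` listing, an empty audit result together with the version floor means there is no older protocol or cipher left to fall back to.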
“I think we will see far fewer vulnerabilities and we will be able to trust TLS far more than we have in the past,” concluded Cigital’s Jesse Victors.