CloudFlare Implementing Latest Draft of TLS 1.3

CloudFlare aims to jump-start adoption of the next generation of internet encryption by supporting a draft standard.

TLS 1.3

The Transport Layer Security 1.3 specification is not yet a finalized Internet Engineering Task Force (IETF) official standard, but that's not stopping content delivery network provider CloudFlare from implementing it. CloudFlare announced on Sept. 20 that it is now supporting several advanced encryption technologies on its platform, including TLS 1.3, Opportunistic Encryption and HTTPS Rewrites.

TLS 1.3 is the latest incarnation of the standard for encrypting data in motion across the internet that originally was known as Secure Sockets Layer (SSL). Following SSL 3.0, which is no longer considered to be safe, TLS became its successor in 1999 with the TLS 1.0 specification. The most recent formal version of TLS is the 1.2 specification that was defined in 2008.

"CloudFlare supports the latest draft of the TLS 1.3 specification, which is very close to the final version of the protocol," Nick Sullivan, head of cryptography at CloudFlare, told eWEEK. "We expect this draft to be standardized soon."

Both the Mozilla Firefox and Google Chrome web browsers support the latest draft of TLS 1.3 as well. Sullivan noted that anyone using Firefox or Chrome with TLS 1.3 will automatically connect to CloudFlare sites with TLS 1.3.

"With about 4 million CloudFlare customers today, this will encourage browser vendors to enable TLS 1.3, and we hope that this is a call for action to make that happen," he said.

Among the promises of TLS 1.3 is that it can enable encrypted traffic to be as fast as nonencrypted traffic. Historically, one of the most cited reasons why organizations have not deployed SSL/TLS is because of the performance impact that it has on traffic.

"TLS 1.3 decreases connection time compared to previous versions of TLS, which has remained the same since the beginning of SSL," Sullivan said.

In addition, TLS 1.3 builds on top of the next-generation HTTP/2 web standard for even faster page loads. The HTTP/2 standard was declared by the IETF to be final on Feb. 18, 2015, providing improved web traffic prioritization, control and security capabilities. Sullivan added that encrypted sites are already faster than unencrypted sites today as a result of CloudFlare's launching support for HTTP/2 back in 2015.

While support for TLS 1.3 is helpful for encouraging the use of encryption, CloudFlare is also taking additional measures, including support for HTTPS Rewrites and Opportunistic Encryption. Sullivan said the HTTPS Rewrite technology was developed by CloudFlare security experts in collaboration with technologists from the Electronic Frontier Foundation (EFF) who manage the HTTPS Everywhere project.

"The main difference between the two is that with HTTPS Rewrites we rewrite links on your page, and with Opportunistic Encryption we tell the browser that the site is available over an encrypted connection via an HTTP header," Sullivan explained. "Rewriting links helps fix mixed content on all browsers, while Opportunistic Encryption only works with Firefox."

The reason why HTTPS Rewrites and Opportunistic Encryption are needed is because many websites will still mix non-HTTPS content, including images, links and videos, with HTTPS pages. Sullivan said that CloudFlare's Automatic HTTPS Rewrites solves the problem of mixed content errors, which occur when content is loaded using unencrypted HTTP on an HTTPS site.

"These errors result in a warning message or the removal of the green lock icon in the address bar," Sullivan said. "With Automatic HTTPS Rewrites, images or content that use HTTP will automatically be secured using HTTPS whenever possible."
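As an added illustration (not CloudFlare's own code), a minimal link rewriter of the kind the quotes describe: it flips `http://` subresource and link URLs to `https://` only for hosts on a constructed allowlist known to serve the same content over TLS, leaving every other host untouched, since blindly rewriting would turn a mixed-content warning into a broken page.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts assumed to serve identical content over HTTPS.
HTTPS_CAPABLE_HOSTS = {"cdn.example.com", "static.example.org"}

# src=, href= or poster= attribute values that use a plain http:// scheme.
_ATTR_RE = re.compile(
    r'''(?P<attr>\b(?:src|href|poster)\s*=\s*)(?P<q>["'])(?P<url>http://[^"']+)(?P=q)''',
    re.IGNORECASE,
)


def rewrite_url(url: str, https_hosts=HTTPS_CAPABLE_HOSTS) -> str:
    """Return the https:// form of url if its host is known to support TLS."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    if host not in https_hosts:
        return url  # unknown host: leave as-is rather than risk a broken load
    netloc = parts.netloc
    if parts.port == 80:  # an explicit :80 would be wrong on an https URL
        netloc = host
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_html(html: str, https_hosts=HTTPS_CAPABLE_HOSTS) -> str:
    """Rewrite eligible http:// attribute values in an HTML document."""
    def repl(m: re.Match) -> str:
        new = rewrite_url(m.group("url"), https_hosts)
        return f"{m.group('attr')}{m.group('q')}{new}{m.group('q')}"
    return _ATTR_RE.sub(repl, html)


def count_http_references(html: str) -> int:
    """How many src/href/poster values still point at plain http://."""
    return len(_ATTR_RE.findall(html))


if __name__ == "__main__":
    # Constructed sample page with one allowlisted and one unknown origin.
    page = ('<img src="http://cdn.example.com/a.png">'
            '<script src="http://other.example.net/x.js"></script>')
    fixed = rewrite_html(page)
    print(fixed, count_http_references(fixed))
```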

Overall, CloudFlare is working to make encryption as simple and as accessible as possible, he said.

"We believe online services should be available using encryption, and that encryption should be enabled by default," Sullivan said. "These three features make it easier and more appealing than ever for customers to make encryption their default. However, the choice is ultimately up to our customers. That's why we created these features—to make the decision to encrypt a no-brainer."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.