TLS 1.3 Protocol Approved by IETF, Improving Web Encryption | eWeek

TLS 1.3 Encryption Standard Moves Forward, Improving Internet Security

TLS 1.3
Mar 26, 2018
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

After years of development and 28 drafts, the Internet Engineering Task Force has approved Transport Layer Security 1.3 as a proposed internet standard. The new standard aims to provide improved security and cryptographic assurances for the internet.

“TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery,” the IETF announcement message for TLS 1.3 states.

TLS 1.3 is the successor to TLS 1.2, which was formally defined in August 2008 and is supported in most major web browsers and servers. Many browsers and servers, however, still also run the older TLS 1.1 protocol that was defined in April 2006 as an update to the TLS 1.0/Secure Socket Layers (SSL) v3.0 web encryption protocol that came out in 1999.


Among the multiple improvements in TLS 1.3 is increased speed of operation. A core promise of the new encryption standard is that encrypted traffic will be handled by servers and browsers as fast as unencrypted traffic. When TLS 1.2 was first defined, only a small fraction of web traffic was encrypted. In 2018, encrypted HTTPS traffic accounts for over 50 percent of web traffic according to multiple reports including one from Cisco.

TLS 1.3 is also more secure than its predecessors as it removes support for older, less secure cryptographic algorithms.

“The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy,” the TLS 1.3 draft standard states. “Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms.”

The removal of older protocols is an important step in limiting multiple types of attacks that have been reported by researchers in recent years. Attacks such as POODLE, FREAK and Logjam are primary reasons why SSLv3.0 and TLS 1.0 are not considered to be safe. Those attacks made use of older, less-secure cryptographic algorithms to exploit HTTPS. 

Going a step further, all of the public-key exchange methods supported in TLS 1.3 support forward secrecy.

“The goal of forward secrecy is to protect the secrecy of past sessions so that a session stays secret going forward,” Patrick Crowley, engineering lead for Cisco’s Stealwatch, wrote in a blog post. “With TLS 1.2 and earlier versions, a bad actor who discovered a server’s private key could use it to decrypt network traffic that had been sent earlier.”

The TLS 1.3 specification also serves to remove a potential attack vector by encrypting all messages after the initial “ServerHello handshake” is made to initiate an encrypted data stream.

“The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers,” the IETF standard draft states.

Deployment

Although TLS 1.3 is only a recommended internet standard, browser and infrastructure operators have already takes steps to implement earlier drafts of the protocol. Among the vendors that have long supported TLS 1.3 is CloudFlare, which began implementing draft support in September 2016.

“There are over 10 interoperable implementations of the protocol from different sources written in different languages,” the IETF TLS 1.3 announcement states. ” The major web browser vendors and TLS libraries vendors have draft implementations or have indicated they will support the protocol in the future.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.