Transport Layer Security (TLS) is fundamental to the security of the Internet. Proposed changes to the protocol are generating extensive controversy within and outside of the security industry. Rather than getting into the cryptographic specifics, this post focuses on the root of the controversy and why we believe TLS 1.3 should proceed with the full support of technical professionals.
What is TLS 1.3? – Transport Layer Security (TLS) is the primary protocol for securely sending information over the Internet. It is the successor to SSL (Secure Sockets Layer) and is built into every web browser, web server, and many other applications. Nearly every website in the world uses TLS to one degree or another to protect communications such as signing into a site with a password, looking at your banking information, or reading your email. It is also embedded into many other applications and the guts of the Internet. You use it every day. If you are reading this on our site, you are using it now. If you checked your email today, TLS is what prevented someone on the Internet from reading it.
If you are completely non-technical, think of it as a security envelope for your data, but the reality is TLS does much more.
TLS 1.3 is a proposed draft to update the current version (no surprise, TLS 1.2) and improve security and performance. As with any software, TLS is never “perfect” and needs updating from time to time. For example, one of the changes cuts the time to initiate a secure connection in half. 1.3 also simplifies the kinds of encryption it supports in order to eliminate known security vulnerabilities. TLS 1.3 is already supported in some web browsers even though the standard isn’t final.
Why is TLS 1.3 controversial? – TLS 1.3 eliminates a security weakness of TLS 1.2, but that exact weakness is used by many organizations to monitor aspects of their networks. Some organizations and security vendors want to keep that weakness so they can continue to use their existing technique to monitor traffic.
Thus we have to choose between better inherent security of the Internet, or supporting a widely used monitoring technique.
Monitoring itself is not inherently “bad”. Common tools like Data Loss Prevention rely on peering into encrypted connections on corporate networks to identify sensitive data being accidentally or maliciously exposed. Other tools sniff these connections to look for activity created by attackers and then block or generate an alert. It’s a form of wiretapping, but one that is widely used as part of security programs, not for spying (although it can obviously be used for both).
Security is always a balancing act and we often face these difficult decisions. However, in this case, there are alternative techniques to achieve the same security goals and it is our position that we should not keep a vulnerability in a core Internet protocol just to support existing security tools.
The controversy is about security vs. costs. The fact that existing monitoring approaches will support 1.3, but will perhaps cost a bit more to implement, should not be an excuse for reducing security.
What exactly is the security weakness TLS 1.3 eliminates? – TLS 1.3 eliminates support for an older way of setting up an encrypted connection that uses one master key and could allow someone, if they got a copy of the key, the ability to sniff all encrypted traffic. They could also decrypt any previously recorded traffic that was protected with that key. The proposed updates to TLS use a different key for every connection, so there isn’t some master key to expose and allow unrestricted monitoring. We call this perfect forward secrecy for those that want to look it up.
This is a pretty big weakness that’s been used in attacks. Unfortunately, it’s also used by legitimate security tools to monitor traffic more easily than using alternate options.
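To see which connections depend on this weakness, the following added example (not from the original post) sorts cipher suites into forward-secret ones and ones that rely on a long-term key. It assumes records shaped like the output of Python's `ssl.SSLContext.get_ciphers()`; the `SAMPLE` list is constructed for illustration.

```python
import ssl

# Key-exchange labels from the "kea" field of SSLContext.get_ciphers().
# These use a fresh key per connection, so a stolen long-term key does not
# decrypt recorded traffic.
EPHEMERAL_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}

def classify(ciphers):
    """Split get_ciphers()-style dicts into (forward_secret, static_key) names."""
    forward_secret, static_key = [], []
    for c in ciphers:
        # TLS 1.3 suites do not name a key exchange (kea "kx-any");
        # full handshakes there always use ephemeral (EC)DHE.
        if c["protocol"] == "TLSv1.3" or c.get("kea") in EPHEMERAL_KEA:
            forward_secret.append(c["name"])
        else:
            static_key.append(c["name"])
    return forward_secret, static_key

def forward_secret_cipher_string(ciphers):
    """OpenSSL cipher string with only the forward-secret pre-1.3 suites."""
    fs, _ = classify(c for c in ciphers if c["protocol"] != "TLSv1.3")
    return ":".join(fs)

# Constructed sample in the shape returned by get_ciphers().
SAMPLE = [
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    {"name": "AES256-SHA", "protocol": "SSLv3", "kea": "kx-rsa"},
]

if __name__ == "__main__":
    # Audit what the local OpenSSL build would offer on a server context.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    fs, static = classify(ctx.get_ciphers())
    print(f"{len(fs)} forward-secret suites, {len(static)} static-key suites")
    for name in static:
        print("  passive decryption possible with the server key:", name)
```

Any suite in the static-key list is one where a passive monitor holding the server's private key, or anyone else who obtains it, can decrypt recorded sessions.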
Does TLS 1.3 reduce enterprise and government security? – No.
It changes how you need to implement some security. It will cost money to update to new kinds of systems to perform the same kinds of monitoring. It requires rethinking how we do some things today. But it does not eliminate the ability to achieve the same security objectives.
Organizations that need to monitor traffic can do so with four techniques:
- Active interception (man in the middle) techniques.
- Using software installed to capture the traffic on systems instead of on the network.
- Capturing data on the Internet servers they connect to. For example, some cloud services allow you to track all your employees’ data and activity (if your organization subscribes to the service).
- For servers you control you can still use TLS 1.2. It will likely be supported for many MANY years.
Do we really need to remove passive monitoring from TLS 1.2? – Yes.
It’s a simple choice – we can make network sniffing attacks harder, or we can make them easier. We can improve security, or we can leave a known vulnerability. Our position is that we should always choose stronger security. The Internet is littered with the consequences of choosing weaker options, especially when encryption is involved.
Support for passive monitoring of encrypted connections may help some aspects of an organization’s security program but it does so at the expense of longer-term security. Attackers, criminal or otherwise, can leverage this for spying on organizations, individuals, and governments. They can potentially record traffic on networks and then decrypt it later… even weeks, months, or years later. We have seen this exploited in criminal and government attacks; this is not a theoretical vulnerability.
What is the impact if TLS 1.3 is adopted? – There won’t be any immediate impact (in most cases).
TLS 1.2 is still completely supported and will be for a long time. As online services start adopting TLS 1.3, organizations that rely on passive sniffing of encrypted connections may start losing visibility into those connections. Organizations that want to maintain this visibility will need to update their tools and techniques.
However, since the entire Internet isn’t shifting to TLS 1.3 overnight, there is time to make this transition.
Transport Layer Security 1.3 brings important security improvements to one of the most foundational technologies used to protect Internet communications. It eliminates a form of passive sniffing that, although used for legitimate security purposes, also weakens Internet communications. Our position is we would rather have an inherently secure Internet than keep a security weakness just to support existing security tools and practices that have alternative ways of meeting the same goals.
This is a conflict between security and costs. Sometimes cost wins, but time and time again we suffer the consequences of making that compromise. Considering how absolutely essential TLS is to a safe and secure Internet, leaving in a known weakness to save a little money and gain a little convenience for a small subset of the world is simply unjustifiable.
This is a Security Bloggers Network syndicated blog post authored by email@example.com (Securosis). Read the original post at: Securosis Blog