TLS 1.3 support is coming this spring

While March brings NCAA Madness, this year it also brought TLS 1.3, which will be coming to all Akamai customers soon!  Let’s give some background.

TLS 1.3 is latest revision of the TLS protocol. It is also known by its older name, SSL. It is the protocol used for all secure HTTP connections on the Internet; think of it as the “s” in “https.”

TLS 1.3 took a relatively long time to develop, almost four years. Much of that time was spent by the TLS Working Group (WG) of the Internet Engineering Task Force (IETF) actively working out the cryptographic details. This included various experts, who had done analysis of previous versions of the protocol, as well as industry and privacy advocates. (At one of the early working group meetings, someone from the ACLU found a flaw in a protocol designed by Google. The importance of wide public review cannot be overestimated!)

TLS 1.3 brings a handful of new capabilities over previous versions that will be noticeable to end-users. An important goal of this new version was to reduce communication latency by reducing the number of round trips needed to set up a connection between a client and a server. For example while previous versions would have three messages (hello, server key, client key), there are now two (hello and client key, server key). Even for a large globally-distributed platform like Akamai, removing an extra round-trip will improve efficiency.

Another benefit of TLS 1.3 is the emphasis on privacy. While TLS 1.2 could support something known as forward-secrecy, TLS 1.3 requires it. Put simply, forward secrecy means that, if one of the cryptographic keys in a connection is compromised, it gives no hints about decrypting any other connection. As the working group was concluding its work, a number of larger Enterprises  realized that this would prevent some of the monitoring and diagnostic tooling they use.Yet, after several discussions, the working group decided not to accommodate them.  

Secrecy means that a new key has to be generated on each connection attempt. TLS 1.3 uses modern, very efficient, cryptographic algorithms to offset this cost. In fact, this has also been part of TLS 1.3: a “spring cleaning” of algorithms. Considering all previous versions of the protocol, there are more than 140 different cipher suits defined. Many of them (such as RC4) are no longer secure, and some of them (pre-shared keys) can be generalized into a common protocol message. As a result, TLS 1.3 has barely a half-dozen ciphers, and all of them are best-in-class. So, for at least the initial deployment, Akamai will not be offering a way to configure the ciphers through meta-data. (Beta customers who had to pick a specific profile can leave that setting, but it’s no longer required.)

One of the most popular TLS toolkits is OpenSSL. Recognizing how important it is to have an open source implementation, and because Akamai uses OpenSSL in its platform, we funded the development TLS 1.3. We have been deploying the various pre-publication draft versions and performing our own scalability and other tests, and we are planning to deploy the final, published, version this Spring.

Once we do this, TLS 1.3 will be available for all customers on our platform. Customers who have Enable All Versions selected in the CPS under the TLS Metadata tab will have it automatically enabled. Customers who want to limit which protocols they use — for example, on the public Web there is a growing practice of removing anything before TLS 1.2 — should be able to explicitly disable those protocols, leaving TLS 1.3 enabled.

Finally, another aspect of TLS 1.3 is that it can be used as the cryptographic infrastructure for exciting new protocols such as QUIC. QUIC is a based on UDP, not TCP, and is designed to be flexible and efficient, while also being secure. Akamai is heavily involved in QUIC — we were the first non-Google site to deploy their initial version — and we are excited because this should help speed QUIC deployments as well.

TLS 1.3 reduces latency to improve performance and its state of the art encryption improves security. In addition, it is easy to implement and will be available to all Akamai customers soon. Get onboard with faster, reliable and more secure web.  


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Rich Salz. Read the original post at: