TLSv1.3 – The Good, The Bad and The Ugly

A new version of Transport Layer Security (TLS) is coming… welcome TLS1.3!

Well to be fair it is already here and has been for over 12 months, but as is the case with many Internet standards, adoption is taking some time. And for those not fully across exactly what TLS is, it is a security protocol designed to allow secure communication of data over the Internet. Even if you don’t know what it is, you are probably familiar with the small padlock symbol on your browser address bar signifying a ‘secure’ connection … that’s TLS.

Ok, so what’s new in TLSv1.3 and why do I care? Well, it turns out there is a whole heap of new stuff, most of which is outside the scope of a short blog post like this, but essentially it is faster and more secure. So, what’s not to like, surely faster and more secure is a good thing … right?

Well yes, it is most certainly a good thing. Internet security is increasingly an issue for both personal and business communications. We are all aware that cyber security issues are increasing daily and have spawned a huge industry to combat and mitigate all aspects of networking and IT infrastructure security (think organisations like Counterhack – experts in keeping your business cyber-safe … sorry, couldn’t resist a quick plug!)

So the introduction of TLSv1.3 can only help in maintaining security. The issue is that, along with TLSv1.3, comes ESNI (Encrypted Server Name Indication). Web connections using older TLS versions exchange some information in the clear, such as the server name and the server certificate, allowing the server the traffic is destined for to be identified even though the communication itself is encrypted. Using ESNI, connections using TLSv1.3 can now encrypt the server name indication field, masking the destination of the traffic. Put simply, we can no longer identify where the traffic is going by looking at the server name, because it is no longer in the clear.

This is great for privacy … not so good for surveillance.

This is a particular concern for countries that are big on surveillance. Since the end of July, China has upgraded its ‘Great Firewall’ to block connections using TLSv1.3 and ESNI. Russia is also in the process of adopting legislation that will ban companies or websites that hide the website identifier in encrypted traffic. And whilst China and Russia are obvious examples of jurisdictions that are ‘heavy’ on surveillance, there are plenty of other countries (some pretty close to home) that are just as interested in monitoring Internet usage.

The ultimate result of these moves by China and Russia (and no doubt other jurisdictions) is to make the Internet potentially less secure. It forces companies doing business in these jurisdictions to ‘downgrade’ (or at the very least not ‘upgrade’), making their Internet connections less secure. There are also those who argue that a less secure Internet in these countries may have more serious flow-on effects for economic development and foreign investment, as well as leaving citizens of such countries more vulnerable to external privacy threats.

Whilst the jury may be out on how wide-ranging the ramifications of TLSv1.3 and ESNI are, one thing is for sure – the introduction of TLSv1.3 does have the potential to fragment the Internet into those that are “secure” and those that are “less secure”. What this means long term remains to be seen, but it will certainly be an interesting space to watch over the next 12 months.