
TLS 1.3 Approved As Standard

     
4:11 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8608
votes: 680


An overhaul of a critical internet security protocol has been completed, with TLS 1.3 becoming an official standard late last week.

Describing it as "a major revision designed for the modern Internet," the Internet Engineering Task Force (IETF) noted that the update contains "major improvements in the areas of security, performance, and privacy."


[theregister.co.uk...]

Now, all we have to do is get on board and implement it! (Carl Sagan: There are Billions and Billions)

Won't be done by Friday.
4:28 am on Aug 14, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12551
votes: 833


My Datacenter specs say they've supported both TLS 1.2 and TLS 1.3 since I moved my files there 2 years ago.

Chrome and Firefox both have TLS 1.3 on by default.

So I think this is more of just an official standards announcement. But good news indeed.

"We are merely one voice in the grand cosmic fugue." - Carl Sagan
6:36 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8608
votes: 680


All that is true, of course, yet the reality is there are "billions and billions" of websites yet to embrace the technology. Time will tell, of course. :)
6:39 am on Aug 14, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12551
votes: 833


Websites won't really have to do anything. The HTTPS is in place. As the security certificate key code is automatically updated, so it will upgrade. This is how it upgraded from 1.1.
7:11 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8608
votes: 680


The ones that do nothing are HTTP....

Er ... what is that site certificate for? Again? Let's Encrypt?

@keyplyr, that cake and eat it too is a tough row to hoe.

Takes two parties for TLS to work. Sender and Receiver.
7:18 am on Aug 14, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12551
votes: 833


Yes Tangor. Certs will update and browsers will too. As I said, Chrome and Firefox already have TLS 1.3 on by default.

This is almost seamless. Some old servers may need to be retired if they can't support the newer standards. This is always the case.

Thanks for the news. Always a good thing to learn that security measures are keeping up.
9:30 am on Aug 14, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


Good news. It's been a while; I was waiting for the final draft of the TLSv1.3 protocol.

Just a few remarks:
- TLSv1.3 is a protocol, so TLS certificates are the same.
- Client software has supported it for some years, but not necessarily the last draft. This is not a problem with Firefox or Chrome, which update often, but it can be an issue for middleware components, so within some networks the protocol will fail, but will automatically switch to TLSv1.2.
- For webmasters managing their own dedicated server or VPS: if you use OpenSSL, you will need to update it, because the current stable version doesn't handle TLSv1.3, but the dev version does, and is in beta testing. (OpenSSL had announced they wouldn't release a new version until the TLSv1.3 spec was final.)
- TLSv1.3 also removes all weak ciphers, but I guess that nearly no webmasters are using a custom cipher list.

Next thing I am awaiting now, is the QUIC protocol to be made a standard and official.
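Added example, not part of the original thread: a Go sketch (using Go's crypto/tls rather than OpenSSL) of two points from the post above, that one certificate serves both TLS 1.2 and TLS 1.3, and that an endpoint capped at TLS 1.2 still completes a handshake with a TLS 1.3-capable peer unless that peer refuses TLS 1.2. The host name example.test, the self-signed certificate and the function names are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

var cert, roots = selfSigned() // one throwaway certificate (constructed test data) for every handshake

func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// negotiate runs one handshake over an in-memory pipe (session tickets off, the pipe is unbuffered).
func negotiate(serverMax, clientMin uint16) (uint16, error) {
	cEnd, sEnd := net.Pipe()
	defer cEnd.Close()
	defer sEnd.Close()
	cEnd.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(sEnd, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: serverMax, SessionTicketsDisabled: true})
	cli := tls.Client(cEnd, &tls.Config{RootCAs: roots, ServerName: "example.test", MinVersion: clientMin})
	go srv.Handshake()
	err := cli.Handshake() // fails when the two sides share no protocol version
	return cli.ConnectionState().Version, err
}

func main() {
	for _, c := range [][2]uint16{{tls.VersionTLS13, tls.VersionTLS12}, {tls.VersionTLS12, tls.VersionTLS12}, {tls.VersionTLS12, tls.VersionTLS13}} {
		v, err := negotiate(c[0], c[1])
		fmt.Printf("server max %#04x, client min %#04x -> negotiated %#04x, err=%v\n", c[0], c[1], v, err)
	}
}
```

Version 0x0304 is TLS 1.3 and 0x0303 is TLS 1.2; the third case errors because the client's minimum is above the server's maximum.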
10:45 am on Aug 14, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1922
votes: 309


An important milestone!

Anyone know if a particular kernel version is required to support TLS 1.3?

"Next thing I am awaiting now, is the QUIC protocol to be made a standard and official."

Indeed, although it didn't help that much when I tested it with the Caddy web server. Still, a nice-to-have.

[edited by: robzilla at 11:07 am (utc) on Aug 14, 2018]

10:59 am on Aug 14, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


"- TLSv1.3 is a protocol, so TLS certificates are the same."

My bad, I forgot about DSA certificates. DSA certs will no longer work with TLS v1.3.

"Indeed, although it didn't help that much when I tested it with the Caddy web server. Still, a nice-to-have."

I tried Caddy too, when I was searching for web server software with an early QUIC implementation. The problem is that Caddy is slower than Nginx or H2O to begin with. So I don't think the QUIC implementation in Go is representative of the gain it can produce. I tested quicly, the QUIC implementation for H2O; it works better, but it is not usable on a production server at all yet. By the way, Kazuho Oku is very active and a genius :)
2:19 pm on Aug 14, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1922
votes: 309


h2o has a nice feature set, but the need to write Ruby to do more complex stuff has put me off. nginx + modules still works well for me, although it would be nice to skip the modules part and have things like brotli be a part of the standard feature set. Some day.
9:07 pm on Aug 15, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1922
votes: 309


Looks like [github.com] you can now compile nginx with Google's BoringSSL to get TLS 1.3. Will have to try that soon, not sure if that will fly on my CentOS 6 machines.
 
