
TLS 1.3 Approved As Standard

     
4:11 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8720
votes: 699


An overhaul of a critical internet security protocol has been completed, with TLS 1.3 becoming an official standard late last week.

Describing it as "a major revision designed for the modern Internet," the Internet Engineering Task Force (IETF) noted that the update contains "major improvements in the areas of security, performance, and privacy."


[theregister.co.uk...]

Now, all we have to do is get on board and implement it! (Carl Sagan: There are Billions and Billions)

Won't be done by Friday.
4:28 am on Aug 14, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 890


My Datacenter specs say they've supported both TLS 1.2 and TLS 1.3 since I moved my files there 2 years ago.

Chrome and Firefox both have TLS 1.3 on by default.

So I think this is more of just an official standards announcement. But good news indeed.

"We are merely one voice in the grand cosmic fugue." - Carl Sagan
6:36 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8720
votes: 699


All that is true, of course, yet the reality is there are "billions and billions" of websites yet to embrace the technology. Time will tell, of course. :)
6:39 am on Aug 14, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 890


Websites won't really have to do anything. The HTTPS is in place. As the security certificate key code is automatically updated, it will upgrade. This is how it upgraded from 1.1.
7:11 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8720
votes: 699


The ones that do nothing are HTTP....

Er ... what is that site certificate for? Again? Let's Encrypt?

@keyplyr, that cake and eat it too is a tough row to hoe.

Takes two parties for TLS to work. Sender and Receiver.
7:18 am on Aug 14, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 890


Yes Tangor. Certs will update and browsers will too. As I said, Chrome and Firefox already have TLS 1.3 on by default.

This is almost seamless. Some old servers may need to be retired if they can't support the newer standards. This is always the case.

Thanks for the news. Always a good thing to learn that security measures are keeping up.
9:30 am on Aug 14, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


Good news. It's been a while; I was waiting for the final draft of the TLSv1.3 protocol.

Just a few remarks:
- TLSv1.3 is a protocol, so TLS certificates are the same.
- Client software has supported it for some years, but not necessarily the last draft. This is not a problem with Firefox or Chrome, which update often, but it can be an issue for middleware components, so within some networks the protocol will fail, but will automatically switch to TLSv1.2.
- For webmasters managing their own dedicated server or VPS, if you use OpenSSL, you will need to update it, because the current stable version doesn't handle TLSv1.3, but the dev version does, and is in beta testing. (OpenSSL had announced they wouldn't release a new version until the TLSv1.3 spec was final.)
- TLSv1.3 also removes all weak ciphers, but I guess that nearly no webmasters use a custom cipher list.

The next thing I am waiting for now is the QUIC protocol to be made a standard and official.
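The two practical points in the remarks above (you need an OpenSSL build new enough for the final spec, and the legacy cipher-list string does not touch the TLS 1.3 suites) can be checked from Python's `ssl` module, which wraps whatever OpenSSL the interpreter is linked against. The script below is an added example written for this thread, not code from any poster or project; `MIN_OPENSSL_FOR_TLS13` is an assumption I hard-code (OpenSSL 1.1.1 is the first release implementing RFC 8446), and the cipher string passed to `report()` is a constructed sample.

```python
import ssl

# Constructed threshold, not from the thread: OpenSSL 1.1.1 is the first
# release that implements the final TLS 1.3 (RFC 8446). Tuple shape follows
# ssl.OPENSSL_VERSION_INFO = (major, minor, fix, patch, status).
MIN_OPENSSL_FOR_TLS13 = (1, 1, 1)


def openssl_supports_tls13(version_info=None):
    """True when the given (default: the linked) OpenSSL release is >= 1.1.1."""
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    return tuple(version_info[:3]) >= MIN_OPENSSL_FOR_TLS13


def suites_by_protocol(ctx, protocol):
    """Suite names ctx would offer for one protocol version; get_ciphers()
    labels each suite with 'TLSv1.3', 'TLSv1.2', ... in its 'protocol' key."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == protocol]


def build_server_context(custom_cipher_list=None):
    """Server context limited to TLS 1.2 and 1.3. A custom OpenSSL cipher
    string (what ssl_ciphers carries in nginx) is applied with set_ciphers(),
    which governs TLS 1.2 suites only: TLS 1.3 suites are a separate list
    that set_ciphers() cannot disable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if custom_cipher_list:
        ctx.set_ciphers(custom_cipher_list)
    return ctx


def report(custom_cipher_list="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Summarise what the local OpenSSL can negotiate, as a dict.
    The default cipher string is a constructed sample of a typical custom list."""
    ctx = build_server_context(custom_cipher_list)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls13_runtime": ssl.HAS_TLSv1_3,
        "tls13_by_version": openssl_supports_tls13(),
        "tls13_suites": suites_by_protocol(ctx, "TLSv1.3"),
        "tls12_suites": suites_by_protocol(ctx, "TLSv1.2"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it on the box that terminates TLS: `tls13_suites` stays populated even though the custom string only names ECDHE TLS 1.2 suites, which is why the "weak ciphers" remark holds regardless of an old `ssl_ciphers` line. For nginx the same split applies: `ssl_protocols TLSv1.2 TLSv1.3;` only takes effect when nginx is built against OpenSSL 1.1.1 or later, and `ssl_ciphers` never governs the TLS 1.3 suites.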
10:45 am on Aug 14, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1982
votes: 330


An important milestone!

Anyone know if a particular kernel version is required to support TLS 1.3?

> The next thing I am waiting for now is the QUIC protocol to be made a standard and official.

Indeed, although it didn't help that much when I tested it with the Caddy web server. Still, a nice-to-have.

[edited by: robzilla at 11:07 am (utc) on Aug 14, 2018]

10:59 am on Aug 14, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 89


> - TLSv1.3 is a protocol, so TLS certificates are the same.

My bad, I forgot about DSA certificates. DSA certs will no longer work with TLS v1.3.

> Indeed, although it didn't help that much when I tested it with the Caddy web server. Still, a nice-to-have.

I tried Caddy too, when I was searching for a web server software with an early QUIC implementation. The problem is that Caddy is slower than Nginx or H2O to begin with. So I don't think the QUIC implementation in Go is representative of the gain it can produce. I tested quicly, the QUIC implementation for H2O; it works better, but this is not usable on a production server at all yet. By the way, Kazuho Oku is very active and a genius :)
2:19 pm on Aug 14, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1982
votes: 330


h2o has a nice feature set, but the need to write Ruby to do more complex stuff has put me off. nginx + modules still works well for me, although it would be nice to skip the modules part and have things like brotli be a part of the standard feature set. Some day.
9:07 pm on Aug 15, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1982
votes: 330


Looks like [github.com] you can now compile nginx with Google's BoringSSL to get TLS 1.3. Will have to try that soon, not sure if that will fly on my CentOS 6 machines.
5:26 pm on Oct 21, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts: 296
votes: 54


> So I think this is more of just an official standards announcement. But good news indeed.

Not really. So far, servers which were supporting TLSv1.3 were supporting the "working drafts". Here, we talk about the definitive specifications of the protocol, which means there are differences between the drafts and the final specs. They might be minor, but can still impact the dialog between a client and a host.

So for example, a host could have been proposing TLSv1.3 already, and a client could have been supporting TLSv1.3 already, but if they were not using the same draft, they would fall back to TLSv1.2.

Same for the QUIC protocol.

Since I use Debian on my servers, I rely on OpenSSL, and TLSv1.3 is supported only with OpenSSL 1.1.1, which is not yet in the stable repository of Debian (it breaks other libraries), and I don't want to try to install this kind of important package from sources. So I am waiting.
8:02 pm on Oct 21, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1982
votes: 330


Chrome now supports the final spec of TLS 1.3. Just tried a custom build of nginx with OpenSSL 1.1.1 and TLS 1.3 seems to be working, pretty sweet :-) Hopefully I can find some time soon to upgrade on production servers. Not expecting big performance gains though.
10:15 am on Oct 22, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:296
votes: 54


I don't know in which proportions, but there is also an issue with middleboxes, which are blocking TLS v1.3 traffic because it's an unknown protocol to them. But I have no idea if it closes the connection or if it falls back to TLS v1.2.
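The draft-versus-final fallback described a few posts up, and the middlebox question just above, both come down to how TLS 1.3 negotiates its version: not through the old version field, but through the `supported_versions` extension (RFC 8446 section 4.2.1), where each draft had its own codepoint (`0x7f00 | draft number`, so draft-28 is `0x7f1c`) and the final spec is `0x0304`. The model below is an added example for this thread, not code from any poster or project; it encodes and decodes the extension and runs the server's selection rule so you can see a draft-28 client and an RFC server agree on TLS 1.2 even though both "support TLS 1.3". The version lists it is fed are constructed samples.

```python
import struct

# Codepoints carried in supported_versions (RFC 8446 section 4.2.1).
TLS12 = 0x0303
TLS13 = 0x0304            # final RFC 8446
LEGACY_VERSION = 0x0303   # ClientHello.legacy_version is pinned to TLS 1.2


def draft_version(n):
    """Draft codepoints used during standardisation: 0x7f00 | draft number."""
    return 0x7F00 | n


def version_name(v):
    if v == TLS12:
        return "TLSv1.2"
    if v == TLS13:
        return "TLSv1.3 (RFC 8446)"
    if v >> 8 == 0x7F:
        return f"TLSv1.3 draft-{v & 0xFF}"
    return f"0x{v:04x}"


def encode_client_supported_versions(versions):
    """ClientHello extension body: u8 byte length, then u16 versions in
    client preference order."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!B", len(body)) + body


def decode_client_supported_versions(data):
    """Parse the ClientHello body; rejects odd lengths, empty lists and
    trailing bytes, which a real server treats as a decode_error alert."""
    if len(data) < 1:
        raise ValueError("truncated supported_versions")
    (length,) = struct.unpack("!B", data[:1])
    if length == 0 or length % 2 or len(data) != 1 + length:
        raise ValueError("malformed supported_versions")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + length, 2)]


def encode_server_selected_version(v):
    """ServerHello extension body is a single u16: the chosen version."""
    return struct.pack("!H", v)


def select_version(client_versions, server_versions):
    """Server rule: when the extension is present, choose only from what the
    client listed (server preference order here). No overlap means the
    handshake aborts with a protocol_version alert, modelled as None."""
    for v in server_versions:
        if v in client_versions:
            return v
    return None


def negotiate(client_versions, server_versions):
    """Run one exchange and return what went on the wire plus the outcome."""
    client_ext = encode_client_supported_versions(client_versions)
    offered = decode_client_supported_versions(client_ext)
    chosen = select_version(offered, server_versions)
    return {
        "legacy_version": LEGACY_VERSION,
        "client_ext": client_ext,
        "server_ext": None if chosen is None else encode_server_selected_version(chosen),
        "chosen": chosen,
        "chosen_name": "abort" if chosen is None else version_name(chosen),
    }


if __name__ == "__main__":
    # Constructed scenario: draft-28 client meets a server on the final spec.
    print(negotiate([draft_version(28), TLS12], [TLS13, TLS12])["chosen_name"])
    # Both on the final spec.
    print(negotiate([TLS13, TLS12], [TLS13, TLS12])["chosen_name"])
```

Note that `legacy_version` stays `0x0303` in every case: RFC 8446 deliberately keeps the outer ClientHello looking like TLS 1.2 and puts the real version inside the extension, so a middlebox that only inspects the legacy field sees TLS 1.2 traffic. A box that fails on an unknown extension or codepoint, however, never gets as far as the fallback shown here; the connection simply does not complete, which is the case the post above is asking about.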
 
