Forum Discussion

TheAutisticTechie's avatar
TheAutisticTechie
Brass Contributor
Apr 08, 2019
Solved

TLS 1.3

TLS 1.3 is a very needed feature for those in corporate environments for our public facing websites. The speed advantages are immense in larger sites with no caching
  • Eric_Lawrence's avatar
    Eric_Lawrence
    Apr 09, 2019

    TheAutisticTechie As with Chrome, TLS/1.3 is supported in all versions of Chromium-based Edge (and will be supported on all platforms).

     

Unoki's avatar
Unoki
Copper Contributor
Jun 16, 2019

TheAutisticTechie No, TLS 1.3 is not a 'badly needed feature' and the speed benefits are not 'immense,'  unless you are TLS servers on old consumer level hardware that lack AES accelerators.

 

Microsoft is not like garbage developers - I mean open source developers that race to implement something for the personal gratification rather than for the quality of the product. MS, RSA and Cisco have the only TLS 1.0 implementations without active exploits because of it where nearly all other implementations do.

 

In addition, TLS 1.3 was only ratified a few months ago. All efforts so far are based on code written before the standard was ratified and have extreme likelihood of containing legacy code that will provide a vector for exploit. In addition, these open source projects have also carelessly introduced exploits into TLS 1.3 that do not exist in 1.2, and simply having 1.3 enabled enables downgrade attacks against weaker protocols that can be completely broken.

 

Wait for a correct implementation. Most (other than the ones where the protocol was fundamentally broken) of the famous SSL and TLS exploits have been created by bad open source solutions that incorrectly implemented SSL/TLS. You will see no difference in performance, other than perhaps at low power client devices.

  • Avaza's avatar
    Avaza
    Copper Contributor
    Jun 16, 2019
    Microsoft released TLS 1.2 within about 6 months of its ratification.
    It's been longer than that for TLS 1.3 and no word yet on future support.

    Tls 1.3 is designed to bring significant speed & security improvements. Reducing the number of round trips required is a massive improvement, especially for global customers who have longer latencies.

    IIS is falling behind.
    • Unoki's avatar
      Unoki
      Copper Contributor
      Jun 16, 2019

      Avaza 

       

      1. No MS did not release support for TLS 1.2 within 6 months. TLS 1.2 was ratified in August of 2008. NT 6.1 RTMed at the end of July 2009. That is nearly a year.

       

      2. It doesn't matter. TLS 1.3 is not the same thing as TLS 1.2. TLS 1.3 is a radical update to the protocol, so much so that it was nearly named TLS 2.0. Correctly implementing it will take time. If you are fine with settling for exploit-ridden, incorrect implementations of 1.3 currently available, then you cannot claim to care about anything you claim to care about in the implementation. TLS 1.2 is also not yet exploitable and is better than every incorrect implementation of 1.3 out there.

       

      3. Mathematical differences in speed are not measurable differences in speed. It doesn't matter how much you insist there will be a measurable difference between 1.3 and 1.2, it wont be there. Your part about latency is correct, but in order for latency to come into play in speed - which would manifest only through avoiding some packet loss - you will have to be into latencies of 600-700 milliseconds with high jitter, or 800-900 milliseconds or higher with consistent latency. In other words, EXTREME low end satellite service or extraordinarily busy site to site microwave links.

       

      4. IIS is an HTTP server, not a TLS server. The two have absolutely NOTHING to do with each other. Windows keeping an incorrect implementation of TLS out of the operating system which opens up exploits that never existed before, in place of a TLS 1.2 that currently cannot be exploited is foolhardy at best.

      • Avaza's avatar
        Avaza
        Copper Contributor
        Jun 16, 2019
        1) TLS1.2 was announced and available to insiders to use & test at approx 6 months.

        2) Responsible maintenance of a community that use your product should include announcing timelines for major updates like this..

        3) the speed difference, as per plenty of real life benchmarks from the companies using it in production today is not insignificant.

        It makes as 50% improvement in setup time for a TLS connection because only 2 instead of 3 total roundtrips are needed. The TLS component is halved.

        For customers in Australia connecting to a US Server, that typically means about 200ms cut off the TTFB.
        And 200ms latency is common. The global average RTT latency seen by users of Slack is reported as 200ms after they implemented their all-traffic cdn.

        Another advantage of is that in a sense, it remembers! On sites you have previously visited, you can now send data on the first message to the server. This is called a “zero round trip.” (0-RTT). And yes, this also results in improved load time times

        4) all software has vulnerabilities. & patches.
        No one's suggesting cutting corners.
        Microsoft's silence is either due to poor communication or because this isn't a priority.
        If it's low priority it also won't the better developers assigned, and also will be a lower quality implementation.

Resources