Web Security Gets a Much Needed Upgrade
Transport Layer Security, or TLS, is an internet security protocol in which the client (user) and server securely communicate with one another. When you browse the internet, there is much more going on in the background than you are aware of. Your computer is speaking with the server running the site and agreeing upon a set of terms to encrypt/decrypt data going back and forth. Encryption is necessary to communicate securely over the internet. If data isn’t encrypted, then technically anybody can look at the packets of information going between you and the server and read confidential information.

The safest method is called asymmetrical cryptography which uses two separate keys, one to encrypt and another to decrypt. The mathematics are complex in how they relate to one another and the keys are so long that it’s extremely difficult to unlock by brute force. Both are required in order to read the information. Because they are so complex, it takes significant computing resources to make this agreement and if it were used to encrypt every piece of information in a communication session, your computer would likely be unable to handle it. With TLS, the session is treated as a single conversation and the asymmetrical cryptography “handshake” only occurs at the beginning of the session and not at any other time. TLS 1.3 made it to the 28th draft to upgrade the TLS 1.2 protocol after finally being approved by the Internet Engineering Task Force (IETF), which will make it the new industry standard for internet security starting in June 2018.

The upgrade will greatly improve the speed at which client/server communicate simply by removing the ability of old encryption algorithms to work. This prevents a hacker from using legacy formats to intercept security. It will also improve speed by preventing the need from establishing a new handshake after a prior break in communication. For instance, if the client were to go idle or to be interrupted due to a network problem, a new handshake would be required. This is no longer the case with the 1.3 revision. Another improvement is it forces the server to send out pre-approved encryption systems to the client without requiring an “agreement” between them. Since it’s backwards compatible, if one end isn’t capable of using the newer listed encryption systems, the connection will revert to 1.2 in that instance. If the regression in TLS versions is forced, however, the connection will be automatically dropped since forcing that transition is likely due to a hacking attempt.

The improvement will only begin to have an effect once websites adopt the new standard, however, this upgrade to web security is quite well overdue. Within the 4 years TLS 1.3 has taken to produce, much has changed and web encryption, security, and privacy have become practically mandatory. Fortunately, we should be seeing the welcomed security upgrade sooner rather than later.