tl;dr: TLS 1.3 is here for a reason…security. Here’s a short primer on the benefits of TLS in the public cloud.
When the Internet Engineering Task Force published TLS 1.3 in 2018, it was the first major overhaul of the encryption standard in 10 years. TLS 1.2 was showing its age, with cipher suites that presented a slew of security concerns. Shockingly, some organizations still use SSL version 3.0, which is now highly insecure by any standard.
The TLS 1.3 protocol, on the other hand, improved both performance and security, which quickly made it the de facto encryption protocol for public cloud environments.
Performance is better because TLS 1.3 uses an abbreviated handshake between client and server and supports a Zero Round Trip Time (0-RTT) mode. TLS 1.2 required two round-trips to finish a handshake; TLS 1.3 needs only one, halving the latency of setting up encryption.
Another performance gain comes from how TLS 1.3 handles a client that reconnects after its session has ended. If the client returns to the server within a specific timeframe, the server recognizes it from the previous session and performs a quick handshake to resume that session.
TLS 1.3 also enhances security. It removed outdated cryptography that made many attacks possible, it encrypts everything after the server hello (including the rest of the handshake), and it removes version negotiation, making the interaction between client and server more secure. Previously, client and server negotiated which version of TLS/SSL to use, which left the system susceptible to downgrade attacks: an attacker could force the server to fall back to an older, more vulnerable version of SSL.
Lastly, TLS 1.3 made Perfect Forward Secrecy a requirement of the handshake between client and server. This means that if an attacker records a session today, he or she cannot access its contents in the future by compromising a future session key: every session between client and server uses a new, unique private key. That, in turn, makes it more complex to use intrusion detection tools on the traffic.
In our next blog post, we'll address how enterprise IT teams can use encryption in their public clouds while still obtaining the packet-level visibility needed for effective network monitoring and threat hunting.