An Overview of TLS 1.3 – Faster and More Secure

By Brian Jackson Updated on October 01, 2018

It has been over eight years since the last encryption protocol update, but the final version of TLS 1.3 has now been published as of August 2018. 👏 The exciting part for the WordPress community and customers here at Kinsta is that TLS 1.3 includes a lot of security and performance improvements. With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever. Read more below about the changes in TLS 1.3 and how they can benefit you as a WordPress site owner.

Many IP-based protocols, such as HTTPS, SMTP, POP3, FTP support TLS to encrypt data.

'TLS 1.3: Faster, Safer, Better, Everything.' 🚀 -- Filippo Valsorda

Web browsers use an SSL certificate to verify that a site's identity has been vouched for by the certificate authority that digitally signed it. Technically these are TLS certificates, but most SSL providers stick with the term “SSL certificates” because it is more widely known. SSL/TLS certificates provide the magic behind what many people simply know as the HTTPS they see in their browser’s address bar.

TLS 1.3 vs TLS 1.2

The Internet Engineering Task Force (IETF) is the group in charge of defining the TLS protocol, which has gone through many iterations. The previous version, TLS 1.2, was defined in RFC 5246 and has been in use for the past eight years by the majority of web browsers. On March 21st, 2018, TLS 1.3 was finalized after going through 28 drafts, and as of August 2018 the final version is published as RFC 8446.

Companies such as Cloudflare are already making TLS 1.3 available to their customers. Filippo Valsorda gave a great talk (see presentation below) on the differences between TLS 1.2 and TLS 1.3. In short, the major benefits of TLS 1.3 over TLS 1.2 are faster speeds and improved security.

Speed Benefits of TLS 1.3

TLS and encrypted connections have always added a slight overhead when it comes to web performance. HTTP/2 definitely helped with this problem, but TLS 1.3 helps speed up encrypted connections even more with features such as TLS false start and Zero Round Trip Time (0-RTT).

To put it simply, with TLS 1.2, two round trips were needed to complete the TLS handshake. With 1.3, only one round trip is required, which cuts the handshake latency in half. This helps encrypted connections feel just a little bit snappier than before.

[Figure: TLS 1.3 handshake performance]

Another advantage of TLS 1.3 is that, in a sense, it remembers! On sites you have previously visited, you can now send data in the first message to the server. This is called “zero round trip time” (0-RTT). And yes, this also results in improved load times.

Improved Security With TLS 1.3

A big problem with TLS 1.2 is that it’s often not configured properly, which leaves websites vulnerable to attacks. TLS 1.3 removes obsolete and insecure features from TLS 1.2, including the following:


  • SHA-1
  • RC4
  • DES
  • 3DES
  • AES-CBC
  • MD5
  • Arbitrary Diffie-Hellman groups (CVE-2016-0701)
  • EXPORT-strength ciphers, responsible for FREAK and Logjam

Because the protocol is simpler, administrators and developers are less likely to misconfigure it. Jessie Victors, a security consultant specializing in privacy-enhancing systems and applied cryptography, stated:

I am excited for the upcoming standard. I think we will see far fewer vulnerabilities and we will be able to trust TLS far more than we have in the past.

Google is also raising the bar: they have started warning users in Search Console that they are moving to TLS 1.2, as TLS 1.0 is no longer that safe. They are giving a final deadline of March 2018.

TLS 1.3 Browser Support

Chrome has been shipping a draft version of TLS 1.3 since Chrome 65. In Chrome 70 (slated to be released in October 2018), the final version of TLS 1.3 will be enabled for outgoing connections.

A draft version of TLS 1.3 was enabled in Firefox 52 and above (including Quantum). They have been retaining an insecure fallback to TLS 1.2 until they know more about server tolerance and the 1.3 handshake. Firefox 63 (slated to be released in October 2018) will ship with the final version of TLS 1.3.

[Figure: TLS 1.3 browser support]

With that being said, some SSL test services on the Internet don’t support TLS 1.3 yet, and neither do other browsers such as IE, Microsoft Edge, or Opera.

Safari supports TLS 1.3 in version 11.1 on macOS High Sierra but it’s disabled by default. You can enable it manually for testing purposes by running the following terminal command:

sudo defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1

Note: Safari doesn’t currently support 0-RTT data.

It will be a couple more months before the remaining browsers catch up with the finalized protocol; most of them have support in development at the moment. Cloudflare has an excellent article on why TLS 1.3 isn’t in browsers yet.

However, as of September 11, 2018, TLS 1.3 surpassed TLS 1.0 as the second most used version at Cloudflare.

TLS 1.3 Server Support

If you’re curious whether or not your server or host supports TLS 1.3 yet, you can use the SSL Server Test tool. Simply scan your domain and scroll down to the “Protocol Features” section, which will say either yes or no.

[Figure: TLS 1.3 server support]
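If you would rather check from the command line than with a web tool, the following script is an added example (it is not from this post or from the SSL Server Test tool). It does two things the sections above describe: it audits a list of TLS 1.2 cipher-suite names for the primitives TLS 1.3 dropped (RC4, DES, 3DES, AES-CBC, MD5, SHA-1, export-grade suites and server-chosen finite-field DH groups), and it opens a connection with a client that accepts only TLS 1.3, so a successful handshake is itself the “yes”. The name matching assumes OpenSSL-style and IANA-style suite names, the sample suite list is constructed, and the host in the usage line is a placeholder.

```python
import socket
import ssl


def obsolete_reasons(suite: str) -> list[str]:
    """Return the TLS-1.3-dropped primitives a TLS 1.2 suite name relies on.

    Matching assumes OpenSSL-style ("ECDHE-RSA-AES128-SHA") or IANA-style
    ("TLS_RSA_WITH_AES_128_CBC_SHA") names. An empty list means the suite
    uses only primitives TLS 1.3 kept (an AEAD cipher and a SHA-2 hash).
    """
    name = suite.upper()
    reasons = []
    if "RC4" in name:
        reasons.append("RC4")
    if "3DES" in name or "DES-CBC3" in name or "DES_EDE" in name:
        reasons.append("3DES")
    elif "DES-CBC-" in name or "_DES_" in name:
        reasons.append("DES")
    # An AES suite without an AEAD mode (GCM or CCM) is a CBC-mode suite.
    if "AES" in name and "GCM" not in name and "CCM" not in name:
        reasons.append("AES-CBC")
    if "MD5" in name:
        reasons.append("MD5")
    # A trailing "SHA" with no digits means HMAC-SHA1 as the record MAC.
    if name.endswith(("-SHA", "_SHA")):
        reasons.append("SHA-1")
    if name.startswith("EXP") or "EXPORT" in name:
        reasons.append("EXPORT-strength")
    # Finite-field DHE (not ECDHE): in TLS 1.2 the server picks the group,
    # which is what the CVE-2016-0701 bullet above is about.
    if name.startswith("DHE-") or "_DHE_" in name:
        reasons.append("arbitrary DH group")
    return reasons


def audit_suites(suites):
    """Map every suite that relies on a dropped primitive to its reasons."""
    return {s: r for s in suites if (r := obsolete_reasons(s))}


# Constructed sample: a mix of suites as a TLS 1.2 server might advertise them.
SAMPLE_TLS12_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]


def local_tls13_suites():
    """TLS 1.3 suites the local OpenSSL build enables (empty if it has none)."""
    if not ssl.HAS_TLSv1_3:
        return []
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def probe_tls13(host, port=443, timeout=5.0):
    """Handshake with a TLS-1.3-only client; return (version, suite) or None.

    Certificate validation stays on (default context), so a server with a bad
    certificate is reported as unsupported rather than trusted blindly.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for suite, reasons in audit_suites(SAMPLE_TLS12_SUITES).items():
        print(f"{suite}: relies on {', '.join(reasons)}")
    print("Local TLS 1.3 suites:", local_tls13_suites())
    # Placeholder host; replace with the domain you want to check.
    print("Probe result:", probe_tls13("example.invalid"))
```

The audit runs offline, so it is safe to point at the cipher list your host or scanner reports; the probe needs a network connection and reports `None` both when the server lacks TLS 1.3 and when its certificate fails validation, so check the certificate separately before concluding the protocol is missing.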

Kinsta CDN Support

Kinsta’s CDN partner, KeyCDN, launched TLS 1.3 with 0-RTT support on September 27th, 2018. This means that with the release of Chrome 70 and Firefox 63, all Kinsta customers can take advantage of the web performance and security benefits of TLS 1.3 for all media and assets served via Kinsta CDN.

Summary

Just like with HTTP/2, TLS 1.3 is another exciting protocol update that we can expect to benefit from for years to come. Not only will encrypted (HTTPS) connections become faster, but they will also be more secure. Here’s to moving the web forward!

We will have more updates soon regarding upgrading Kinsta servers to TLS 1.3, as well as our CDN partner KeyCDN. Stay tuned.

Comments

  1.
    Jon DeGeorge August 3, 2018 at 9:27 am

    Safari supports it in version 11.1 on macOS High Sierra, but TLS 1.3 is disabled by default.
    It can be enabled by running the following Terminal command:
    sudo defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1

    1.
      Brian Jackson August 15, 2018 at 9:09 pm

      Thanks Jon! I’ve updated the post above with a note about being able to enable TLS 1.3 on macOS.
