IETF Approves TLS 1.3 As Internet Standard (bleepingcomputer.com)
An anonymous reader writes: The Internet Engineering Task Force (IETF), the organization that approves proposed Internet standards and protocols, has formally approved TLS 1.3 as the next major version of the Transport Layer Security (TLS) protocol. The decision comes after four years of discussions and 28 protocol drafts, with the 28th being selected as the final version. TLS 1.3 is now expected to become the standard method in which a client and server establish an encrypted communications channel across the Internet -- aka HTTPS connections.
The protocol has several advantages over its previous version -- TLS 1.2. The biggest feature is that TLS 1.3 ditches older encryption and hashing algorithms (such as MD5 and SHA-224) for newer and harder to crack alternatives (such as ChaCha20, Poly1305, Ed25519, x25519, and x448). Second, TLS 1.3 is also much faster at negotiating the initial handshake between the client and the server, reducing the connection latency that many companies cited when justifying not supporting HTTPS over HTTP.
Browsers like Chrome, Edge, Firefox, and Pale Moon have already rolled out support for earlier versions of the TLS 1.3 draft, and are now expected to update this support to the official standard.
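One check a defender may want alongside the summary above, as an added example that is not from the article or any project it mentions: a small Python parser that reads which TLS versions and cipher suites a captured ClientHello offers. A TLS 1.3 client keeps the record and legacy_version fields at 0x0303 and announces 0x0304 only in the supported_versions extension, so that is where a passive monitor has to look; the sample ClientHello is constructed inline, and the builder, constants and cipher-suite range check are this example's own.

```python
"""Passive inspection of a TLS ClientHello: which protocol versions and
cipher suites the client offers.  A TLS 1.3 client keeps legacy_version at
0x0303 and puts 0x0304 in the supported_versions extension (RFC 8446)."""
import struct

EXT_SUPPORTED_VERSIONS = 0x002B
# Code points for the constructed sample: two TLS 1.3 suites, one legacy 3DES suite.
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_CHACHA20_POLY1305_SHA256 = 0x1303
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A


def build_client_hello(suites, versions):
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"       # legacy_version, random, no session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    ext = b""
    if versions:                                        # TLS 1.3-style supported_versions
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        data = bytes([len(vlist)]) + vlist
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return (offered versions, offered cipher suites) from a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    u16 = lambda off: struct.unpack_from("!H", record, off)[0]
    p = 9                                       # record header (5) + handshake header (4)
    legacy_version = u16(p)
    p += 2 + 32                                 # legacy_version, random
    p += 1 + record[p]                          # session id
    n = u16(p)
    suites = [u16(p + 2 + i) for i in range(0, n, 2)]
    p += 2 + n
    p += 1 + record[p]                          # compression methods
    versions = [legacy_version]                 # pre-1.3 client: version field only
    if p + 2 <= len(record):
        end = p + 2 + u16(p)
        p += 2
        while p + 4 <= end:
            etype, elen = u16(p), u16(p + 2)
            p += 4
            if etype == EXT_SUPPORTED_VERSIONS:  # TLS 1.3 is signalled here
                versions = [u16(p + 1 + i) for i in range(0, record[p], 2)]
            p += elen
    return versions, suites


def offers_tls13(record):
    return 0x0304 in parse_client_hello(record)[0]


def legacy_suites(record):
    """Offered suites outside the TLS 1.3 range 0x1301-0x1305 (only usable pre-1.3)."""
    return [s for s in parse_client_hello(record)[1] if not 0x1301 <= s <= 0x1305]
```

Feed `parse_client_hello` the first record of a captured connection to find clients on a network that still offer only pre-1.3 versions or legacy suites.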
PFS made it (Score:5, Informative)
I'm pretty sure this means the efforts to make PFS optional failed:
Re: (Score:3)
Yeah, there was no consensus to do the PFS weakening proposal. The proponents of this work are now working on an out-of-band signaling mechanism. It was a really crappy situation—the people behind the PFS-weakening have a real problem. They were just taking (IMHO) the wrong approach to addressing it. Hopefully now they will regroup and try to do something less harmful to the Internet.
Corporate Management Engine? (Score:1)
With 'packet sniffing' via hooks on the corporate desktops just before the traffic is encrypted/after it is decrypted?
Seems like a lot simpler solution overall, doubly so if you have sufficient bandwidth to send them side by side over the same link, or disable the internet accessible link if the oob link isn't also connected.
But maybe that would require too much technical knowledge and pressuring Intel to open up/include the feature for corporate environments.
Re: (Score:2)
Re: (Score:2)
Say I can't trust MAC/IP/DNS resolution on an internal network,
...fix your network with DHCP snooping, ARP protection, IP source guard and DNSSEC... but...
then an encrypt everything at the app level policy is supposed to save the day??
...actually that's kind of the point... TLS isn't just encryption it is also server authentication via PKI.
(Back in WEP-just-got-cracked days some people just ran open wifi networks where the only protocol allowed on the hosts/APs was cert-based IPSec. Workable workaround by the same principle.)
Re: (Score:3)
Re: (Score:2)
Give me something that doesn't leak memory, drain the CPU of its blood and has a decent footprint.
Re: (Score:2)
A better alternative. (Score:2)
For people to stop spying on us!
Let the routers and switches do as they intend, no hacks or tricks to tee off data. If the data needs to go to server X then it should go to server X.
I know that is probably the dumbest thing you heard all day. But I wish they would find a way to make encryption secure and much cheaper (Certificates are still a killer, in terms of ease of installing, and price you often need to pay for them, for the amount of actual validation they give you for it)
Re:A better alternative. (Score:5, Interesting)
But I wish they would find a way to make encryption secure and much cheaper (Certificates are still a killer, in terms of ease of installing, and price you often need to pay for them, for the amount of actual validation they give you for it)
Try looking at Let's Encrypt [letsencrypt.org] if you want free certificates.
Re: (Score:2)
A certificate from Let's Encrypt or any other CA trusted by well-known web browsers requires a fully qualified domain name. The fee to register a domain imposes a recurring monetary cost on someone who just wants a certificate to use with a router, printer, or NAS device on a home LAN.
Re: (Score:2)
If it's a home LAN you can make your own CA and add it to your OS trust store. What are you talking about, like 10 client devices to provision? Not a huge deal.
Re: (Score:2)
First, the user has to add the CA not only to the operating system's trust store but also the trust store of each web browser, as not all web browsers use the operating system's trust store.
Second, last I checked, it was harder to provision devices running a smartphone OS than devices running a desktop OS. Adding a certificate on Android is impossible without first setting up a PIN or pattern lock [google.com], and developers of apps made for Android 7 "Nougat" and later have to opt in to use of user-provisioned CAs thr
Re: (Score:2)
Second, last I checked, it was harder to provision devices running a smartphone OS than devices running a desktop OS. Adding a certificate on Android is impossible without first setting up a PIN or pattern lock [google.com], and developers of apps made for Android 7 "Nougat" and later have to opt in to use of user-provisioned CAs through the network security config [android.com]. Even if Chrome does, your favorite media playing app might not.
It's your choice to use that software. Why are you surprised it puts you on a path of having to pay for things like public CA certs? That's what that ecosystem was designed to do, to make you pay for things.
Re: (Score:2)
What operating system for pocket computers sold in the United States isn't "designed [...] to make you pay for things"?
Re: (Score:2)
I live in the United States, and Slashdot is headquartered in the United States.
Re: (Score:2)
https://www.reddit.com/r/letse... [reddit.com]
Public Suffix List limits LE issuance on DDNS (Score:2)
You can use several DDNS providers with letsencrypt
And there are several that you can't use because the provider hasn't completed the process to add itself to the Public Suffix List [github.com]. If a DDNS provider is not on the PSL, whether by the provider's ignorance of the PSL, by the provider's choice to remain off the PSL, or by the PSL's own backlog, then all users of that provider put together are limited to 20 certificates per week [letsencrypt.org], and other users are likely to have already obtained those certificates before you.
Here's directions for the one I use, duckdns.
I see that Duck DNS is on the PSL. Do you project
Re: (Score:2)
It also looks like they have met their funding goals and get sufficient monthly income. [patreon.com] Although, you should donate if it's important to you.
Re: (Score:2)
The chief problem is that everyone wants an all-in-one router, no modules, no mess, that has a single CPU that does absolutely everything and that allows admins to log in from any port. I've built routers that are a lot more secure than that, but I'm not convinced there's a market for them.
Re: (Score:2)
And that's pretty much the thought process that drove my design. An uber-dumb packet forwarder can't be hacked and has the lowest possible latency. You can plug an ultra-dumb firewall in front and have a router module that sits sideways on that figures out how packets are to be forwarded. By being sideways, it isn't directly addressed by anything. If it falls over, oh well, it takes out nothing and delays nothing as it reboots. One module, one function, independent of all other modules. Everything is nice,
Re: (Score:2)
3 ethernet ports and enough CPU to handle everything most home users need.
Re: (Score:2)
Certificates are still a killer, in terms of ease of installing, and price you often need to pay for them, for the amount of actual validation they give you for it.
Errr that couldn't be further from the truth.
Price: There are several free DV certificates available, and relatively cost effective EV certificates too.
Ease of installing: Are you talking about obtaining or installing? Because installing is literally putting 2 lines in your config file pointing to the certificates for most servers. Obtaining isn't any more difficult. Even the signing process is nothing more than copying and pasting a string into a terminal and then uploading the result to a website.
Actual v
Also (Score:3)
It makes MITM attacks almost impossible. GG corporate proxy decryption.
Re: (Score:2)
How does this prevent me from MITM with self-signed certs that your computer is set to accept via corporate policy?
Also, what's wrong with MITM in that case? Corporations controlling what their computers can do makes perfect sense to me.
Re: (Score:2)
I'd love for someone to explain if I'm missing something.
Re: (Score:2)
That sounds like a perfectly reasonable corporate policy. You're not worried about data exfiltrating via the health or banking sites. And employees expect some privacy there (certainly with a corporate health plan, there needs to be firewalls in place). So why wouldn't you intercept all but a few sites?
Not a feature.... (Score:4, Insightful)
Adding support for bigger and better algorithms and defaulting to them if available is a feature, dropping support is a nightmare. It's challenging enough communicating with things like embedded web servers on old ilo interfaces and the like because they did this with TLS 1.3. It should be strongly advised to update to the latest and greatest but it shouldn't be forced because it isn't always possible.
Re: (Score:2)
Having to support the entirely new version of TLS is the barrier. The ciphers are just an implementation detail.
If your stack supports TLS1.3, it will support the new algos (cause if it doesn't it doesn't support TLS1.3). Removing the junk ciphers & hashes makes it impossible for garbage default settings or clueless admins to turn on insecure options. Removing the cruft won't prevent adoption of TLS1.3 in any meaningful way.
Re: (Score:2)
Re: (Score:2)
Open source BMC is one place I figured would get some traction - all options are like $300 minimum per node. I'm lucky, my Supermicro boards come with BMCs, but again, not open.
Re: Not a feature.... (Score:4, Informative)
Re: (Score:2)
Thanks to forced obsolescence in these standards you have thousands of systems running IE 6 with security settings cranked down because it is the only way for people to do their job and interact with older systems that can't or
Re: (Score:2)
Maybe you should think about retiring these old devices, especially if they are visible from the global Internet. The encryption that they support is no longer fit for purpose and is dangerous -- vulnerable to being cracked by $enemy. Continuing to use them is like continuing to drive a car where it is known that the brakes have failed.
Re: (Score:3)
Maybe you should think about retiring these old devices, especially if they are visible from the global Internet.
What if they are not visible?
The encryption that they support is no longer fit for purpose and is dangerous -- vulnerable to being cracked by $enemy.
God forbid an $enemy inside my lan sees what is about to come out of the laser printer, a few seconds before it literally gets printed out on paper in plain text.
At the lab we have equipment that still runs MSDOS internally. Hundreds of thousands of dollars worth, and they work perfectly fine. I agree we shouldn't put them anywhere publicly facing on the internet. But they accept jobs over the LAN just fine.
Continuing to use them is like continuing to drive a car where it is known that the brakes have failed.
It's really not though.
Re: (Score:1)
"What if they are not visible?"
Then you're relying on M&M security.
"What is about to come out of the laser printer, a few seconds before it literally gets printed out on paper in plain text."
I'd take a guess that what comes out of that printer would be internal documents which may or may not contain financial, PII and other confidential information.
Re: (Score:1)
What you have to understand is that there is a good chance that an enemy is on your LAN. Not using strong protocols is a very real risk.
In your own example, what is coming out of a laser printer probably is information that you probably don't want being public.
Your equipment that runs MSDOS internally has no business being connected to a network at all.
Re: (Score:2)
What you have to understand is that there is a good chance that an enemy is on your LAN. Not using strong protocols is a very real risk.
In your own example, what is coming out of a laser printer probably is information that you probably don't want being public.
In my home? It's my kids' homework assignments mostly. But sure, you're right to the point that I do occasionally print tax information etc. But what? I'm going to toss a $600 color laser printer that works perfectly because its web-based admin panel isn't up to 2018 best practices? Because there's a chance my LAN could be compromised?
Your equipment that runs MSDOS internally has no business being connected to a network at all.
And how are multimegabyte job files going to be moved back and forth? zip'd onto split archives on a bundle of floppy 3.5" disks? Get real. The stuff is IPX/SPX; connected to
Re: (Score:2)
Highly improbable. The enemy might be on the user's LAN but it's very doubtful they are anywhere useful. In most all cases detection software will find all sorts of threats... somehow magically none of these threats resulted in a compromise before the system was added and that is because these attacks are dumb, poorly tested and automated bots that don't work with a damn in practice. They work by hamfisted attacks on tho
Re: (Score:2)
There is nobody upgrading a critical system, anywhere, because the ILO management interface can't run the latest cipher suite. There is also nobody upgrading such an interface after racking the thing even if one is available. Further these are all running sel
Re: (Score:1)
Adding support for bigger and better algorithms and defaulting to them if available is a feature, dropping support is a nightmare.
Given that TLS1.3 was never finalized until now, if you have a device that supports TLS1.3 and will only work with a weak algorithm, your device is a POS and you should throw it away.
Nothing in TLS1.3 requires that a browser stop supporting TLS1.0, TLS1.1 or TLS1.2.
Nothing in TLS1.3 requires that a browser stop supporting weaker algorithms when connecting with TLS1.0, TLS1.1 or T
Re: (Score:2)
The annoying thing is that browsers (especially firefox) are now removing the older ciphers completely, and making it difficult or impossible to turn them back on. There are various old embedded devices we need to connect to which use insecure ciphers and even do stupid things like use small private keys, and there's no way to change that...
The browsers need to implement configuration options to bring back all the weak ciphers so we can still manage these old legacy devices.
Re: (Score:2)
The browsers need to implement configuration options to bring back all the weak ciphers so we can still manage these old legacy devices.
My favourite bonehead maneuver is in Chrome. If a site doesn't conform to the latest and greatest SSL/TLS (or whatever it is, I don't care) its internal password manager refuses to work. This encourages the use of weak passwords as they're something that you can remember. Either that or an external password manager. Either way, it's particularly boneheaded because the internal password manager continues to work with non-encrypted websites. SSL 1.0 w/56bit crypto is still better than plain http with no cryp
Re: (Score:2)
Honestly, even a self-signed cert serves its purpose if it has been saved as an exception in the browser of the admin... that point you not only have encryption but personally known identity verif
Re: (Score:2)
Re: (Score:3)
There are still many different ciphers and hashes available without the brand new - they are retiring age-old stuff that is on the edge of being broken, as well as ciphers and hashes that have known collisions and attacks.
If you're still using these 10+ year old ciphers for security, you aren't secure to begin with - your TLS client may as well tell you so outright.
Re: (Score:2)
Nobody is using 10+ year old ciphers for security... they are stuck with what someone was using for security 10+ years ago. Your TLS client doesn't tell you so outright, it drops support for them or forces you to turn on lower security settings that compromise more than just the cipher.
Re: Not a feature.... (Score:2)
"If you're still using these 10+ year old ciphers for security, you aren't secure to begin with - your TLS client may as well tell you so outright."
Your TLS client should realise that not all equipment can be tossed just because there is some new standard out or some browser developers decided to deprecate ciphers.
They should allow users to configure policies for which destinations (IP wildcards or subnets, dns suffixes, the way proxy exclusion lists work) may use old ciphers.
I hated having to allow old cip
Re: (Score:2)
How exactly do you propose to do that? An upgrade has been forced with every "mode" you just listed and yet magically no upgrades have occurred. After all, there is a reason you know you have the option to adjust and select those modes manually and it isn't because everything magically updates to the latest and greatest TLS.
Re: (Score:2)
These embedded web servers presumably don't even support TLS 1.3 so the dropping of the older crypto makes no difference for these devices.
Re: (Score:2)
That's because there is no easy way to fall back hundreds of devices. Ideally I need a way to say that devices on network X.X.X.X/Y should be allowed to use any crap old TLS and even SSL version because the fricking vendors have stopped doing firmware updates even though the hardware is still under maintenance. However any other network what the hell only known secure protocols allowed.
Not much of an accomplishment (Score:1)
If removing older options is the biggest new feature, then there is not much to speak of, is there?
And it took these people how long to come to this important milestone?
Tar and feathers... Either for those involved, or for those who described their work for Slashdot...
Re: (Score:2)
enable in firefox about:config (Score:1)
security.tls.version.fallback-limit 4
security.tls.version.max 4
Re: (Score:1)
This works. It can be tested at Qualys SSL Labs [ssllabs.com]
Re: (Score:2)
If you have so many web servers that it takes you two weeks to do this, you should spend the two weeks looking into infrastructure automation like Chef or Ansible.
This config change should take 5 minutes, not two weeks.
Re: (Score:2)
What kind of standard? (Score:1)