Wednesday, July 19, 2017

TLS1.3 support

So the TLS v1.3 draft has been out for some time. You can navigate to various sites that already speak TLS v1.3 and check the connection status for support, but typically your browser first needs to have this new TLS version enabled.


Common browsers like Firefox require you to navigate to about:config, search for the security.tls.version settings and set security.tls.version.max to "4" (the values are 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3). Other browsers are similar in some fashion.



Example:

[screenshot]

Now validate using mail.google.com (yes, Google is TLS v1.3 supported):

[screenshot]

versus TLS 1.2:

[screenshot]




If you mistakenly pin the browser to TLS v1.3 with no fallback (for example, by also setting security.tls.version.min to "4"), you will start seeing connection errors like the following for known-working websites:

[screenshot]
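As an added example (not code from the original post), here is a small Python 3.7+ script that does by code what the post does by hand: it parses the security.tls.version.min/max prefs out of a Firefox prefs.js or user.js and flags the no-fallback mistake, and it probes a host the way the mail.google.com check does, reporting the negotiated protocol and cipher. The prefs.js lines are constructed sample input, the Firefox default values are assumptions (check your own build), and the live probe needs network access, so it only runs from __main__.

```python
"""
Added example (not from the original post): check Firefox TLS version prefs
for the "no fallback" mistake, and probe a host for TLS 1.3 support.
Requires Python 3.7+ (ssl.TLSVersion).
"""
import re
import socket
import ssl

# Firefox security.tls.version.{min,max} values: 1=TLS1.0 ... 4=TLS1.3.
FIREFOX_PREF_TO_TLS = {1: "TLSv1", 2: "TLSv1.1", 3: "TLSv1.2", 4: "TLSv1.3"}
FIREFOX_DEFAULT_MIN = 1   # assumed mid-2017 default; verify against your build
FIREFOX_DEFAULT_MAX = 3   # TLS 1.2 unless the user raises it to 4

# Constructed sample profiles (not copied from any real machine).
SAMPLE_BROKEN = (
    'user_pref("security.tls.version.max", 4);\n'
    'user_pref("security.tls.version.min", 4);\n'   # pinned: no fallback
)
SAMPLE_GOOD = 'user_pref("security.tls.version.max", 4);\n'  # 1.3 with fallback

_PREF_RE = re.compile(
    r'user_pref\("(security\.tls\.version\.(?:min|max))",\s*(\d+)\);'
)


def parse_tls_prefs(prefs_text):
    """Return {'min': n, 'max': n} from prefs.js/user.js text, with defaults."""
    found = {"min": FIREFOX_DEFAULT_MIN, "max": FIREFOX_DEFAULT_MAX}
    for m in _PREF_RE.finditer(prefs_text):
        key = m.group(1).rsplit(".", 1)[1]   # "min" or "max"
        found[key] = int(m.group(2))
    return found


def check_tls_prefs(prefs):
    """Classify a min/max pair.

    'no-fallback' is the footgun the post warns about: with min pinned to
    TLS 1.3, every site that only speaks TLS 1.2 fails to connect.
    """
    lo, hi = prefs["min"], prefs["max"]
    if lo not in FIREFOX_PREF_TO_TLS or hi not in FIREFOX_PREF_TO_TLS:
        return "invalid"
    if lo > hi:
        return "invalid"          # a floor above the ceiling can never negotiate
    if lo == 4:
        return "no-fallback"
    if hi == 4:
        return "tls13-with-fallback"
    return "tls13-disabled"


def probe(host, port=443, require_tls13=False, timeout=5):
    """Connect and return (protocol, cipher) as negotiated, e.g. ('TLSv1.3', ...).

    With require_tls13=True the client offers only TLS 1.3, mimicking a browser
    with min pinned to 4; a TLS 1.2-only server then makes this raise
    ssl.SSLError, which is the browser error the post describes.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_3 if require_tls13
                           else ssl.TLSVersion.TLSv1_2)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("good", SAMPLE_GOOD)):
        prefs = parse_tls_prefs(text)
        print(label, prefs, check_tls_prefs(prefs))
    # Live check, like the post's mail.google.com validation (needs network).
    try:
        print("mail.google.com negotiated", probe("mail.google.com"))
    except (OSError, ssl.SSLError) as exc:
        print("probe failed:", exc)
```

The probe uses the same two knobs as the browser (a minimum and a maximum version), so running it with require_tls13=True against a site that only offers TLS 1.2 reproduces the "no fallback" failure without touching your profile.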



So what's all the talk about TLS v1.3?

A simplified handshake: a full TLS 1.3 handshake completes in one round trip instead of the two that TLS 1.2 needs, and a resumed session can carry application data in the client's first flight (0-RTT), which speeds up delivery of the first byte for a website. So speed is one major change.


 1: example of the TLS handshake improvement

[figure]

2: Overall improvement over TLS v1.2, including the cipher suites: RSA key transport, static DH, CBC-mode, RC4, 3DES and SHA-1 based suites are gone, leaving only AEAD suites (AES-GCM, ChaCha20-Poly1305) with (EC)DHE key exchange.

 https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29


So what are the major issues that can come up?

  1.   It is very new and needs experimentation and trials by the internet community before people become comfortable with it.
  2.   Most existing systems don't have support for it.
  3.   Most management interfaces for IT gear have no awareness of TLS v1.3.
  4.   Most IT support staff, from the network engineer to the security engineer, have no working knowledge of TLS, much less of the latest version.
  5.   Various SSL deep-inspection appliances can break: they do not yet understand the 1.3 handshake, and since 1.3 drops RSA key transport and encrypts the server certificate, passive decryption with a copy of the server's private key no longer works at all.
  6.   Some forward proxies, if not updated, will break.


Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \




