It's time to upgrade to TLS 1.3 already, says CDN engineer

If you haven't upgraded your website to use TLS 1.2 encryption yet, get ready to skip a step.

Businesses dragging their heels over rolling out TLS 1.2 on their website might have an excuse to delay a little longer: Version 1.3 of the TLS (Transport Layer Security) encryption protocol will be finalized later this year, and early deployments of it are already under way.

TLS, the successor to SSL, is used to negotiate secure connections to web or mail servers, encrypting data on the move.

Six years in the making, TLS 1.2 added new, stronger encryption options -- but retained all the older, weaker encryption schemes that had gone before in the name of backward compatibility. Unfortunately, this meant that someone able to perform a man-in-the-middle attack could often downgrade connections to a weaker encryption system without the user being aware.

It was also susceptible to a bunch of other attacks, including DROWN, SLOTH and POODLE. 

Such attacks are good reasons to upgrade to TLS 1.3, according to Filippo Valsorda, a systems and cryptography engineer who has deployed TLS 1.3 at content delivery network Cloudflare.

"A number of the vulnerabilities that came out in the last two years that affected TLS 1.2 wouldn't have affected TLS 1.3 because of changes to the protocol," he said at a meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) in mid-June.

The designers of TLS 1.3 chose to abandon the legacy encryption systems that were causing security problems, keeping only the most robust. That simplicity is perhaps one of the reasons it will be ready in half the time it took to design its predecessor.

Connections will still fall back to TLS 1.2 if one end is not TLS 1.3-capable -- but if a MITM attacker attempts to force such a fallback, under TLS 1.3 it will be detected, Valsorda said.

Almost 93 percent of the websites in Alexa's top one million supported TLS 1.2 as of January, up from 89 percent six months earlier, according to a survey by Hubert Kario's Security Pitfalls blog. But seven percent of one million means a lot of websites are still running earlier and even less secure protocols.

Among the laggards are some sites you would hope to be on top of security: those taking online payments. Payment processors are still urging sites using their services to upgrade to secure versions of TLS before June 30, 2018, a deadline imposed by the Payment Card Industry Security Standards Council.

So if you're still dithering over an upgrade from SSL or an early version of TLS to the latest thing, why not go straight to TLS 1.3?

There's no real reason not to, according to Valsorda.

"I think it is viable to do TLS 1.3 deployment now," he said.

Cloudflare said last September that it would offer users of its content delivery network early access to TLS 1.3.

Now, said Valsorda, "All the Cloudflare customers on the free plan have TLS 1.3 enabled by default and we haven't seen any problems."

Cloudflare tends to enable beta features such as this automatically for non-paying customers, allowing paying customers with larger or more complex networks to opt in when they are ready. To date, 3,000 domains have opted to turn on TLS 1.3, in addition to those for whom Cloudflare turned it on by default.

The few glitches Cloudflare did encounter turned out not to be at the server end, but on the client side.

A few organizations using security appliances to monitor their users' web-browsing habits found that connections to servers running TLS 1.3 were dropped without warning, blocking access to the sites concerned.

This issue occurred only in appliances that passively monitored connections without trying to insert themselves into the connection, Valsorda said. When they overheard an exchange they didn't understand -- such as the negotiation of a TLS 1.3 connection -- they would simply cut it off. The two or three models concerned have now been patched by their manufacturers, he said.

The process of testing for such glitches is still largely manual, Valsorda said: an organization running such an appliance would need to take a TLS 1.3-compatible version of Google Chrome, enable TLS 1.3 in the settings (a process he described as "not super user-friendly") and then try to connect out to a TLS 1.3-enabled website such as

"Maybe we should be working on how to enable better testing out of enterprises," he added.
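The downgrade detection Valsorda describes and the manual connectivity test above can both be exercised with the following probe, an example added here rather than code from Cloudflare or from the article. It sends a minimal TLS 1.3 ClientHello, reads the first record the server returns, reports which protocol version the server selected, and checks the last eight bytes of ServerHello.random for the downgrade sentinel that the TLS 1.3 specification (RFC 8446, section 4.1.3, finalized after this article was written) has a TLS 1.3-capable server plant whenever it negotiates an older version. The RFC reference, the hostname argument and the default of example.com are assumptions, not details from the article. A reset, timeout or silently closed connection, the symptom the passive appliances produced, comes back as the "dropped" outcome.

```python
"""Probe a server with a minimal TLS 1.3 ClientHello and inspect its reply.

Added example (not Cloudflare's or the article's code). It reports the version
the server selected and whether ServerHello.random carries the RFC 8446 4.1.3
downgrade sentinel, which a TLS 1.3-capable server sets whenever it negotiates
an older version, so a TLS 1.3 client can detect a forced fallback."""
import os
import socket
import struct
import sys

DOWNGRADE_SENTINELS = {
    b"DOWNGRD\x01": "TLS 1.2",            # server fell back to TLS 1.2
    b"DOWNGRD\x00": "TLS 1.1 or below",   # server fell back to TLS 1.1 or lower
}
VERSION_NAMES = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}


def _ext(ext_type, data):
    """Wrap extension data in the type/length header used inside ClientHello."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(host):
    """Minimal ClientHello offering TLS 1.3 (then 1.2), wrapped in a TLS record."""
    server_name = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host.encode()
    groups = struct.pack("!HH", 2, 0x001D)                         # x25519 only
    sig_algs = struct.pack("!H", 6) + b"\x04\x03\x08\x04\x04\x01"  # ecdsa, rsa-pss, rsa-pkcs1 (SHA-256)
    versions = b"\x04\x03\x04\x03\x03"                             # supported_versions: 1.3, 1.2
    # Any 32 bytes pass as an x25519 share; the handshake is never completed.
    key_share = struct.pack("!HHH", 36, 0x001D, 32) + os.urandom(32)
    extensions = (_ext(0x0000, server_name) + _ext(0x000A, groups) + _ext(0x000D, sig_algs)
                  + _ext(0x002B, versions) + _ext(0x0033, key_share))
    body = (b"\x03\x03" + os.urandom(32)                           # legacy_version + random
            + b"\x20" + os.urandom(32)                             # legacy_session_id (middlebox compat)
            + struct.pack("!H", 6) + b"\x13\x01\x13\x02\x13\x03"   # the three TLS 1.3 AEAD suites
            + b"\x01\x00"                                          # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Classify the first record the server sends back (ServerHello or Alert)."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if content_type == 0x15:                                       # Alert: the hello was refused
        return {"outcome": "alert", "alert": payload.hex()}
    if content_type != 0x16 or payload[:1] != b"\x02":
        return {"outcome": "unexpected", "raw": record[:16].hex()}
    body = payload[4:]                                             # skip handshake type + 3-byte length
    negotiated = struct.unpack("!H", body[:2])[0]                  # legacy_version (1.2 or below)
    rnd = body[2:34]
    pos = 35 + body[34]                                            # skip legacy_session_id_echo
    pos += 3                                                       # cipher_suite + compression_method
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x002B:                                 # supported_versions holds the real choice
                negotiated = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    sentinel = DOWNGRADE_SENTINELS.get(rnd[-8:])
    return {"outcome": "hello",
            "version": VERSION_NAMES.get(negotiated, hex(negotiated)),
            "downgrade_sentinel": sentinel,
            # We offered 1.3, so a sentinel on a non-1.3 reply means the exchange was talked down.
            "downgrade_detected": sentinel is not None and negotiated != 0x0304}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello and report what came back, or that nothing did."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(host))
            header = _recv_exact(sock, 5)
            length = struct.unpack("!H", header[3:5])[0]
            return parse_server_hello(header + _recv_exact(sock, length))
    except (OSError, EOFError) as exc:
        # A reset, timeout or silent close is the symptom the passive appliances produced.
        return {"outcome": "dropped", "error": type(exc).__name__}


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it from inside the network being checked against a site known to speak TLS 1.3: a "hello" outcome with version "TLS 1.3" means the path is clean, "dropped" points at something in between cutting the connection, and "TLS 1.2" together with a sentinel means a TLS 1.3-capable server was steered to an older version, which is exactly the fallback a TLS 1.3 client refuses to accept.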

So if you do decide to upgrade to TLS 1.3, what's in it for you?

Apart from its immunity to attacks on earlier versions, "TLS 1.3 has a huge performance benefit in terms of connection setup time," Valsorda said.

That's because negotiating the initial encrypted connection takes only one round-trip between client and server in TLS 1.3, compared to two round-trips in TLS 1.2. That can save several hundred milliseconds on a mobile internet connection, potentially halving the time to download some images, he said.

There's also an option called 0-RTT (zero round-trip time) within TLS 1.3 to resume a recently used connection without renegotiating the encryption, speeding things even more.

For now, few web servers and CDN services support TLS 1.3, and still fewer support the 0-RTT option. The website Is TLS fast yet? has a list. (Its answer, by the way, is "Yes.")
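The 0-RTT speed-up comes with a caveat for anyone deploying it: early data is sent before the handshake finishes, so a captured 0-RTT request can be replayed by whoever captured it (RFC 8446, section 8). The origin should therefore only act on early-data requests that are safe to repeat. RFC 8470 has the TLS terminator (a CDN, for instance) tag such requests with an `Early-Data: 1` header and lets the origin answer `425 Too Early`, after which the client resends the request once the handshake is complete. The guard below is an example added here, not code from the article or from Cloudflare; the path prefixes and the tiny dispatcher are constructed for illustration.

```python
"""Origin-side guard for requests that arrived as TLS 1.3 0-RTT early data.

Added example, not from the article or Cloudflare. Early data is replayable
(RFC 8446 section 8), so only requests that are safe to repeat should be
served from it. RFC 8470 defines the "Early-Data: 1" request header set by the
TLS terminator and the 425 Too Early status the origin uses to ask for a retry
after the handshake, when the request is bound to a fresh session."""

# Methods HTTP defines as safe (no side effects), so a replay changes nothing.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed example: paths that change state even on GET, so they must not run on early data.
STATEFUL_PATH_PREFIXES = ("/logout", "/api/")


def early_data_status(method, headers, path):
    """Return 425 if the request must be retried after the full handshake, else None."""
    # Header names are case-insensitive; a terminator may use any casing.
    flagged = {k.lower(): v.strip() for k, v in headers.items()}.get("early-data") == "1"
    if not flagged:
        return None                      # normal 1-RTT request: nothing to do
    if method.upper() not in SAFE_METHODS:
        return 425                       # a replayed POST/PUT/DELETE would repeat the action
    if path.startswith(STATEFUL_PATH_PREFIXES):
        return 425                       # a GET with side effects is just as replayable
    return None                          # idempotent read: fine to serve from early data


def respond(method, headers, path):
    """Minimal dispatcher showing where the guard sits in front of normal handling."""
    status = early_data_status(method, headers, path)
    if status == 425:
        # RFC 8470: 425 asks the client to retry after the handshake, not to give up.
        return 425, "Too Early: resend after the TLS handshake completes"
    return 200, f"served {method} {path}"


if __name__ == "__main__":
    print(respond("GET", {"Early-Data": "1"}, "/images/logo.png"))   # (200, ...)
    print(respond("POST", {"early-data": "1"}, "/checkout"))         # (425, ...)
    print(respond("POST", {}, "/checkout"))                          # (200, ...)
```

The header is only meaningful when it comes from the origin's own TLS terminator, so the terminator (or a proxy in front of the origin) should strip any `Early-Data` header a client supplies, and the origin should not accept the header from arbitrary sources.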

SSL and TLS aren't just for web servers; they are also used to encrypt connections to mail servers.

Janet Jones, co-chair of an M3AAWG group that aims to prevent the pervasive monitoring of communications, sees TLS 1.3 as key to securing email against interception.

"Some industries are going to love it from a security standpoint," she said.

On the other hand, wider usage of TLS 1.3 is not going to please governments wanting to conduct surveillance, or banks needing to comply with regulations to prevent collusion among traders. "They're not going to have the solutions to look at traffic and monitor it," she said.

But, she said, that's no reason to hold back on deployment of TLS 1.3.

"I would like to see more of our members doing deployments when this is released, or even prerelease."


Peter Sayer

IDG News Service