
Adopt TLS 1.3 – Kill Two Birds with One Stone

September 13, 2018 — by Prakash Sinha

Transport Layer Security (TLS) version 1.3 delivers real business benefits: it makes applications more secure, improves performance and reduces latency for the client. The redesigned handshake completes in one round trip instead of two, which cuts connection setup time, and key exchange is always an ephemeral Diffie-Hellman exchange, typically over elliptic curves (EC), which is cheap to compute and so gives faster page loads. TLS 1.3 also removes the static RSA key exchange, so every full handshake is forward secret: traffic recorded today cannot be decrypted later even if the server's long-term private key is compromised.

Transport Layer Security – A Quick Recap

Transport Layer Security (TLS) version 1.0, published in 1999 as RFC 2246, was the first standardized successor to SSL and is based on SSL 3.0. TLS 1.0 is obsolete and exposed to a number of attacks, including protocol downgrade and the CBC-mode weaknesses exploited by BEAST. The Payment Card Industry (PCI) set June 30, 2018 as the deadline for migrating to TLS 1.1 or higher, with TLS 1.2 strongly recommended.

TLS 1.1, published in 2006 as RFC 4346, is more secure than TLS 1.0: it uses an explicit per-record IV, which protects against certain Cipher Block Chaining (CBC) attacks such as BEAST, and it dropped weak ciphers such as DES and RC2. A version number alone is no guarantee, though: POODLE is exploited by forcing a downgrade to SSL 3.0, and the TLS variant of POODLE affects implementations of any TLS version that fail to check the full CBC padding. Forward secrecy via ephemeral Diffie-Hellman (DHE) cipher suites was available, but the finite-field computation was expensive, so few deployments enabled it.

TLS 1.2, published in 2008 as RFC 5246, replaced the MD5/SHA-1 based pseudorandom function with SHA-256 (SHA-1 having been shown to be weak) and let each cipher suite specify its own hash. It added authenticated-encryption suites based on the Advanced Encryption Standard (AES), such as AES-GCM, and made Elliptic Curve Cryptography (ECC) key exchange (ECDHE) a practical way to get Perfect Forward Secrecy (PFS) without a significant performance hit. TLS 1.2 also dropped backward compatibility with SSL 2.0, which is thoroughly broken.

Why TLS 1.3?

TLS 1.3 is now an approved standard of the Internet Engineering Task Force (IETF), published as RFC 8446 in August 2018. Sites running TLS 1.3 can expect faster connection setup and stronger security than with earlier versions: obsolete and weak mechanisms (RC4, 3DES, CBC-mode suites, static RSA and static Diffie-Hellman key exchange, compression and renegotiation) are gone, the server still dictates the cipher suite for the session, and the handshake finishes in one round trip. TLS 1.3 does not remove negotiation altogether; it shortens it. The client guesses which key-exchange groups the server will accept and sends its ephemeral key shares in its very first message (ClientHello); the server picks one, replies with its own key share in ServerHello, and everything after that, including the server's certificate, is already encrypted. If the other endpoint does not support TLS 1.3, the connection falls back to TLS 1.2 through the supported_versions extension, and a downgrade-protection marker in the server's random value lets a TLS 1.3 client tell a genuine lack of support from a fallback forced by an attacker.
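The exchange described above, as an added example that is not part of the original post or Radware's own code: a small parser for the two handshake messages that carry the TLS 1.3 negotiation. It shows that the ClientHello still says "TLS 1.2" in its legacy version field while the real offer sits in the supported_versions extension next to the client's key shares, and it applies the RFC 8446 downgrade check a TLS 1.3 client must perform when the server answers with TLS 1.2. The sample messages and the 0x42 key-share bytes are constructed placeholders, not captured traffic or real public keys; the code uses only the Python standard library and runs offline.

```python
"""Parse the TLS 1.3 ClientHello / ServerHello negotiation (RFC 8446).

Added example for this page; not code from the original post or from Radware.
Sample messages are constructed inline; key-share bytes are placeholders.
"""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446 section 4.2.1
EXT_KEY_SHARE = 51            # RFC 8446 section 4.2.8
GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}
# Last 8 bytes of ServerHello.random that a TLS 1.3 server MUST set when it
# negotiates TLS 1.2, or TLS 1.1 and below (RFC 8446 section 4.1.3).
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")  # "DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")  # "DOWNGRD\x00"


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_extensions(buf):
    """Return {extension_type: extension_data} from a length-prefixed extensions block."""
    exts, off, end = {}, 2, 2 + _u16(buf, 0)
    while off < end:
        etype, elen = _u16(buf, off), _u16(buf, off + 2)
        exts[etype] = buf[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


def _handshake_body(msg, expected_type):
    """Strip the 4-byte Handshake header (type, 24-bit length)."""
    if msg[0] != expected_type:
        raise ValueError("unexpected handshake type %d" % msg[0])
    return msg[4:4 + int.from_bytes(msg[1:4], "big")]


def parse_client_hello(msg):
    """What a server or inline middlebox sees first: legacy_version is pinned to
    0x0303, the real offer lives in supported_versions, and key shares ride along."""
    body = _handshake_body(msg, 1)
    legacy_version = _u16(body, 0)
    off = 2 + 32                                   # skip random
    off += 1 + body[off]                           # legacy_session_id
    cs_len = _u16(body, off); off += 2
    suites = [_u16(body, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    off += 1 + body[off]                           # legacy_compression_methods
    exts = parse_extensions(body[off:])
    versions = []
    if EXT_SUPPORTED_VERSIONS in exts:
        sv = exts[EXT_SUPPORTED_VERSIONS]          # 1-byte length, then 2-byte versions
        versions = [_u16(sv, 1 + i) for i in range(0, sv[0], 2)]
    key_shares = []
    if EXT_KEY_SHARE in exts:
        ks = exts[EXT_KEY_SHARE]                   # 2-byte length, then (group, len, key)*
        o, end = 2, 2 + _u16(ks, 0)
        while o < end:
            group, klen = _u16(ks, o), _u16(ks, o + 2)
            key_shares.append((GROUP_NAMES.get(group, hex(group)), klen))
            o += 4 + klen
    return {"legacy_version": legacy_version, "offers_tls13": TLS13 in versions,
            "supported_versions": versions, "cipher_suites": suites, "key_shares": key_shares}


def check_server_hello(msg, client_offered_tls13):
    """Return (negotiated_version, verdict), applying the RFC 8446 downgrade check a
    TLS 1.3 client must perform when the server answers with an older version."""
    body = _handshake_body(msg, 2)
    rnd = body[2:34]
    off = 34
    off += 1 + body[off]                           # legacy_session_id_echo
    off += 2 + 1                                   # cipher_suite, compression_method
    exts = parse_extensions(body[off:]) if off < len(body) else {}
    negotiated = _u16(body, 0)
    if EXT_SUPPORTED_VERSIONS in exts:             # in ServerHello: just the selected version
        negotiated = _u16(exts[EXT_SUPPORTED_VERSIONS], 0)
    if negotiated == TLS13:
        return negotiated, "ok: TLS 1.3"
    if client_offered_tls13 and rnd[-8:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        return negotiated, "abort: downgrade sentinel present (illegal_parameter)"
    return negotiated, "ok: legacy negotiation"


def build_client_hello(offer_tls13=True, groups=(0x001D,)):
    """Constructed sample ClientHello (not a capture); key bytes are placeholders."""
    suites = b"".join(struct.pack("!H", s) for s in (0x1301, 0x1302, 0xC02B, 0xC02F))
    exts = b""
    if offer_tls13:
        vers = struct.pack("!HH", TLS13, TLS12)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(vers)) + bytes([len(vers)]) + vers
        shares = b"".join(struct.pack("!HH", g, 32) + b"\x42" * 32 for g in groups)
        exts += struct.pack("!HHH", EXT_KEY_SHARE, 2 + len(shares), len(shares)) + shares
    body = (struct.pack("!H", TLS12) + bytes(range(32)) + b"\x00" +
            struct.pack("!H", len(suites)) + suites + b"\x01\x00" +
            struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def build_server_hello(version, downgrade_sentinel=False):
    """Constructed sample ServerHello; a TLS 1.3 server choosing TLS 1.2 sets the sentinel."""
    rnd = bytearray(b"\x11" * 32)
    if downgrade_sentinel:
        rnd[-8:] = DOWNGRADE_TLS12
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13) if version == TLS13 else b""
    suite = 0x1301 if version == TLS13 else 0xC02F
    body = (struct.pack("!H", TLS12) + bytes(rnd) + b"\x00" + struct.pack("!H", suite) +
            b"\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello())
    print("client offers TLS 1.3:", hello["offers_tls13"], "key shares:", hello["key_shares"])
    print(check_server_hello(build_server_hello(TLS13), hello["offers_tls13"]))
    print(check_server_hello(build_server_hello(TLS12, downgrade_sentinel=True), hello["offers_tls13"]))
```

The last call is the interesting one: the client offered TLS 1.3, the server answered with TLS 1.2 and marked its random with the sentinel, which means the server is 1.3-capable and saw a ClientHello without the 1.3 offer, so something on the path stripped it and the client must abort rather than accept the downgrade. A legacy client that never offered TLS 1.3 sees only random bytes there and proceeds, which is why the sentinel is safe to set unconditionally.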


TLS 1.3 – Recommendations

Organizations need to accelerate SSL/TLS handling while coping with a growing number of increasingly complex attacks that hide inside encrypted traffic. We recommend migrating to TLS 1.3 to take advantage of the security and performance benefits the newer standard provides. As with any transition to a new protocol version, be mindful of the adoption risks.

Evaluate the Risks and Plan Migration

The main risk is incompatibility between client and server caused by immature implementations, bugs and middleboxes that mishandle the new handshake. You also need to evaluate the impact on any device that inspects traffic passively using a copy of the server's static RSA private key: TLS 1.3 removes RSA key transport, so a passive tap holding the private key can no longer derive the session keys. The same applies to data-leak prevention products and out-of-path web application protection that work from a copy of decrypted traffic.

  • Adopt a gradual deployment of TLS 1.3, a crawl-walk-run approach: QA environments first, then test sites, then low-traffic production sites
  • Ask your "middle box" vendors whether their products are compatible with TLS 1.3; currently only devices that actively terminate TLS 1.3, rather than passively decrypting a mirrored stream, can provide visibility
  • Use Application Delivery Controllers (ADCs) to terminate TLS 1.3 in front of back-end servers that cannot yet support it, so clients get TLS 1.3 while the servers are upgraded on their own schedule

TLS 1.3 provides improved security, forward secrecy that keeps recorded traffic protected even if the server's private key is later compromised, lower latency and better performance.


Prakash Sinha

Prakash Sinha is a technology executive and evangelist for Radware and brings over 29 years of experience in strategy, product management, product marketing and engineering. Prakash has been a part of executive teams of four software and network infrastructure startups, all of which were acquired. Before Radware, Prakash led product management for Citrix NetScaler and was instrumental in introducing multi-tenant and virtualized NetScaler product lines to market. Prior to Citrix, Prakash held leadership positions in architecture, engineering, and product management at leading technology companies such as Cisco, Informatica, and Tandem Computers. Prakash holds a Bachelor in Electrical Engineering from BIT, Mesra and an MBA from Haas School of Business at UC Berkeley.

13 comments

  • bluecell

    September 19, 2018 at 10:44 am

    "Effectively like Mommy mentioned, when we love one another and love the world that Jesus died for, that's a type of worship. When we take into consideration God and hearken to the sermon or in Sunday School, that's a way of worshipping because we're studying how great God is and He likes that. Or after we sit around and inform one another what the greatest issues about God are. You know how much you want listening to people say how smart or cute you boys are? Properly God likes when we speak together about how great he is," Daddy answered.


  • bong889

    October 9, 2018 at 4:49 pm

    Ignatius Piazza, the Millionaire Patriot, wants you to see probably the most awe-inspiring reality show series ever, called Front Sight Challenge. Cherry blossom tattoos represent different things in numerous cultures. Technology is driving dynamic advertising into new areas, which brings with it some potential challenges; well, not every company can afford to pay a lot of money for electronic advertising, but both the options highlighted can provide the same final results with a low investment of energy and cash, so now any company from mechanics to dentists can have these in their guest waiting rooms.


  • led panel light fixtures

    October 12, 2018 at 5:23 am

    Hey there and thank you for your information – I have definitely picked up something new from right here. I did however experience a few technical points using this website, since I had to reload the site many times before I could get it to load correctly. I had been wondering if your web hosting is OK? Not that I'm complaining, but slow loading times will sometimes affect your placement in Google and could damage your quality score if advertising and marketing with Adwords.

    Anyway I'm adding this RSS to my e-mail and could look out for a lot more of your respective interesting content. Make sure you update this again very soon.


  • reverse camera trigger wire

    October 12, 2018 at 9:52 am

    You're actually a good webmaster. The web site loading velocity is incredible.

    It sort of feels that you're doing any unique trick. In addition, the contents are masterwork. You have performed a great activity in this topic!


  • led headlight bulb

    October 12, 2018 at 10:09 am

    Hi there, I am so delighted I found your site, I really found you by mistake, while I was researching on Yahoo for something else. Anyhow I am here now and would just like to say thanks for a tremendous post and an all-round entertaining blog (I also love the theme/design). I don't have time to browse it all at the minute but I have bookmarked it and also added in your RSS feeds, so when I have time I will be back to read a lot more. Please do keep up the fantastic b.


  • reversing camera mirror bluetooth

    October 12, 2018 at 3:07 pm

    Having read this I believed it was rather informative. I appreciate you spending some time and energy to put this informative article together. I once again find myself personally spending a significant amount of time both reading and posting comments. But so what, it was still worthwhile!


  • Julie

    October 12, 2018 at 5:50 pm

    Having read this I thought it was really enlightening. I appreciate you taking the time and energy to put this information together. I once again find myself spending way too much time both reading and posting comments. But so what, it was still worth it!


  • additive bilingual

    November 1, 2018 at 7:10 pm

    Some of the discounts might be half off the pizza, a percentage off, as well as free drinks with the purchase of the pizza. Being an online student is saving big money, the education is faster to complete, and there is a greater amount of money to make when you have the higher education. That is not to say that current curricula and content objectives need to be thrown out the window.


  • Bogus Name

    November 8, 2018 at 4:07 pm

    You might want to add a captcha to your comments section


  • cau tao cua bien tan

    November 16, 2018 at 4:56 am

    Wholesale electronics suppliers buy electronic items like consumer electronics, gadgets, security equipment and PC accessories from local manufacturers and then sell those to consumers at wholesale price. When choosing between Plasma and LCD TVs, you are actually choosing between two competing technologies that have similar features. When trying to choose which TV is the best for you, you should consider your budget, the space in which the TV will be located, and exactly how the TV is going to be transported, moved in the home, and moved throughout the room if you want to change locations in the future. You can now get a high quality cheap LCD TV from several different places.


  • rules of survival hack update

    December 1, 2018 at 12:43 pm

    It's in fact very difficult in this busy life to listen to news on television, so I just use the internet for that reason, and get the latest information.
