Welcome to Consultant Corner
During this time of lockdown and remote working, many people are catching up on their reading and learning. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics aren’t COVID-19 specific and range from VPNs to brute-force attacks to barcodes.
To be alerted to new ‘Consultant Corner’ blogs as soon as they are made available, register in our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.
This blog is focused on TLS1.3 and is written by Tom Dixon, Cybersecurity Consultant at SureCloud.

What is TLS1.3?
TLS1.3 was ratified in August 2018, but it has taken a while for support to become common. OpenSSL, one of the most widely used TLS implementations in the world, has supported this new version of TLS since September 2018, but it has taken some time for support to reach clients and servers. You should now be considering enabling TLS1.3 for your services.

Following industry best practice, no TLS version prior to TLS1.2 is now recommended. TLS1.2 was released in 2008 and is over 11 years old. Whilst TLS1.2 has aged well and is still considered secure when well configured, TLS1.3 is designed with current best practices in mind and has removed many TLS1.2 features that are no longer considered secure. At present, a TLS1.3 server is secure by default and cannot be configured in a way that is vulnerable to well-known attacks against TLS such as SWEET32 and LogJam. TLS1.3 only supports the following cipher suites, all of which are considered high security and all of which provide perfect forward secrecy.
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_128_CCM_8_SHA256
- TLS_AES_128_CCM_SHA256
Not only is TLS1.3 more secure, but it’s also faster. With new features such as Zero Round Trip Time (0-RTT) and TLS False Start, servers bring up a TLS1.3 connection much more quickly, often shortening the connection time by a third for initial connections, and even more on reconnection.

Web Server Support
Web server support is strong in the non-Windows world, but support has been slow to arrive on Windows. Test releases of TLS1.3 support for Windows have been published, so full support should be available soon. Some of the most common web servers are detailed below.

Content-Delivery-Networks
Support on content delivery networks is mixed: Cloudflare supports TLS1.3, but AWS CloudFront lacks support.

Browser Support
Browser support for TLS1.3 is again stronger in third-party browsers; however, the “new” Edge, which is based on Chromium, does support it. If your clients are running supported web browsers, there is a good chance that they can take advantage of TLS1.3.
What if My Server Isn’t Supported?
TLS1.2 is still considered secure, so there is no strong requirement to move to TLS1.3 at this time. It is, however, important that your TLS configuration is secure. SureCloud recommends a standard TLS configuration such as Mozilla’s Intermediate compatibility profile. We have written about legacy TLS protocols before. For more information on why TLS1.2 and earlier versions should be disabled, please see this post.
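A practical way to act on both points above, the fixed TLS1.3 cipher-suite list and the recommendation to hold a TLS1.2-minimum configuration where TLS1.3 is not yet available, is a small audit script. The following is an added example written for this post, not SureCloud’s tooling: it uses Python’s standard `ssl` module to show which TLS1.3 suites the local OpenSSL build offers, to build a client context that refuses anything below TLS1.2, and to classify what a server actually negotiates. It assumes Python 3.7+ linked against OpenSSL 1.1.1 or newer (the first version with TLS1.3); the `assess` verdict labels and the hostname in `main` are this example’s own choices, not values from the post.

```python
"""Added example: audit TLS version and cipher negotiation with Python's ssl module.
Assumes Python 3.7+ built against OpenSSL 1.1.1+ (TLS 1.3 capable)."""
import socket
import ssl

# The five suites TLS 1.3 defines (the list given in the post). A TLS 1.3
# session can only use one of these, so it can never land on 3DES, RC4 or a
# CBC/HMAC suite regardless of how the server's cipher string is written.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_AES_128_CCM_SHA256",
}


def build_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that verifies certificates and refuses anything older
    than min_version (TLS 1.2 by default, matching the post's advice)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def local_tls13_suites(ctx=None):
    """TLS 1.3 suite names enabled in the local OpenSSL build.
    Note that ctx.set_ciphers() only governs TLS 1.2-and-earlier suites; the
    TLS 1.3 list is separate and is not affected by that cipher string."""
    ctx = ctx or build_context()
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3")


def assess(version, cipher):
    """Classify a negotiated (protocol version, cipher name) pair.
    'ok'      TLS 1.3 (always fine), or TLS 1.2 with an (EC)DHE AEAD suite
              as in Mozilla's Intermediate profile
    'weak'    TLS 1.2 with a suite lacking forward secrecy, or a non-AEAD
              suite (CBC/HMAC, or 64-bit block ciphers such as 3DES, the
              SWEET32 class)
    'disable' anything below TLS 1.2"""
    if version == "TLSv1.3":
        return "ok"
    if version != "TLSv1.2":
        return "disable"
    forward_secret = "ECDHE" in cipher or cipher.startswith("DHE")
    aead = "GCM" in cipher or "CHACHA20" in cipher or "CCM" in cipher
    return "ok" if forward_secret and aead else "weak"


def probe(host, port=443, min_version=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Connect to host:port and return (negotiated version, cipher name).
    Raises ssl.SSLError if the server cannot meet min_version."""
    ctx = build_context(min_version)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def offers_tls13(host, port=443):
    """True if the server completes a handshake when only TLS 1.3 is allowed."""
    try:
        return probe(host, port, ssl.TLSVersion.TLSv1_3)[0] == "TLSv1.3"
    except (ssl.SSLError, OSError):
        return False


def main(host="www.example.com"):  # placeholder hostname, not from the post
    print("Local TLS 1.3 suites:", ", ".join(local_tls13_suites()))
    version, cipher = probe(host)
    print(f"{host}: negotiated {version} with {cipher} -> {assess(version, cipher)}")
    print(f"{host}: TLS 1.3 offered: {offers_tls13(host)}")


if __name__ == "__main__":
    main()
```

Run it against your own endpoints; a result of `ok` with `TLSv1.3` means the server is already on the new protocol, while `ok` with `TLSv1.2` matches the Intermediate-profile fallback the post recommends. Anything reported as `weak` or `disable` is a configuration to fix before worrying about TLS1.3 rollout.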

About SureCloud
SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.