It's time to upgrade to TLS 1.3 already, says CDN engineer

ronjor · Jun 23, 2017

By Peter Sayer IDG News Service - Paris bureau chief, IDG News Service | Jun 23, 2017 4:03 AM PT

If you haven't upgraded your website to use TLS 1.2 encryption yet, get ready to skip a step.
Click to expand...

Minimalist · Jul 3, 2017

TLS security: Past, present and future

The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet.
Click to expand...

https://www.helpnetsecurity.com/2017/07/03/tls-security/

Minimalist · Mar 24, 2018

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts.

Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares.

TLS 1.3 won unanimous approval (well, one "no objection" amid the yeses), paving the way for its widespread implementation and use in software and products from Oracle's Java to Google's Chrome browser.
Click to expand...

https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/

RockLobster · Mar 24, 2018

That's good, last minute concerns about networking nightmares represent the infiltrators that have in the past conspired to weaken and subvert internet security one of the ways they do that is by claiming quite falsely that upgrades will break the internet, when in fact all it takes is a software update. I would hope the honest members of IETF were aware of that and did not allow them to get their way this time.

guest · Jun 19, 2018

Deprecating TLS 1.0 and TLS 1.1 … kill them now!
June 19, 2018
https://securityaffairs.co/wordpress/73678/security/tls-10-1-1-deprecation.html

In March, the Internet Engineering Task Force (IETF) finally announced the approval of TLS 1.3, the new version of the Transport Layer Security traffic encryption protocol.

Surprisingly the both TLS 1.0 and TLS 1.1 version are still adopted online, in many cases the migration of application is still waiting for the commitment of the management to start exposing users to serious risks.

Some experts argue the best way to make the Internet more secure is to ban application fallback to both TLS 1.0 and 1.1 standards.
The PCI Council’s deprecation deadline of June 30, 2018, is upon us and the Internet-Draft urges the deprecation of insecure protocols.

The publication of TLS 1.3 will happen very soon, it is currently under the final review.
Click to expand...

guest · Jun 20, 2018

PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional
Insecure connections will break after June 30th. And it's acquired Hyperwallet, too
June 20, 2018
https://www.theregister.co.uk/2018/06/20/paypal_security_upgrade/

PayPal has reminded merchants that they must support TLS 1.2 and HTTP/1.1 by June 30.

The reason? That's the date the PCI Council mandated for those standards to come into effect.

For most, that means get a new browser, but the requirement also applies to systems connecting to PayPal's APIs. The PayPal Sandbox and Payflow Pilot both support the two standards now; Production endpoints will be ready by June 30; and subsidiary Braintree will also enforce compliance.
Click to expand...

Sampei Nihira · Jun 20, 2018

The PayPal test:

https://tlstest.paypal.com/

Even with IE8 it is OK.

itman · Jun 20, 2018

Sampei Nihira said: ↑

https://tlstest.paypal.com/
Click to expand...

Appear the test is either bogus or Paypal is still accepting TLS 1.1 and 1.2 connections. I am using IE11 and the max. TLS level supported by it is 1.2.

Thought the test was for TLS 1.3.

Sampei Nihira · Jun 20, 2018

It would be interesting to PayPal test with a non TLS 1.2 browser.

guest · Jul 2, 2018

Preparing for Transport Layer Security 1.3
The long-awaited encryption standard update is almost here. Get ready while you can to ensure security, interoperability, and performance.
July 2, 2018
https://www.darkreading.com/endpoint/preparing-for-transport-layer-security-13-/a/d-id/1332163

Despite what may seem like draft after draft of specifications, along with continuous proclamations of "it's almost here!," the latest encryption standard, TLS v1.3, really is almost ready. The Network Working Group of the Internet Engineering Task Force has pushed to make Draft 28 of TLS v1.3 the final standard.
Worth the Round Trip?
One highly discussed feature of TLS v1.3 is the 0-RTT option, which has the potential to significantly increase performance during an encrypted session between endpoints.
Don't Let the Downgrade Drag Security Down
One of the great benefits of TLS v1.3 is that it eliminates support for legacy encryption standards and cipher suites. It allows backward compatibility to TLS v1.2, which, of course, is essential for transitioning to the new standard and to ensure interoperability.

There is much to look forward to with TLS v1.3. New levels of security and performance will benefit everyone and address many issues with current encryption, despite the challenges. If you stay ahead of the process, you can transform changes into opportunities for improvement rather than problems that disrupt your business.
Click to expand...

Sampei Nihira · Jul 2, 2018

With Firefox,Basilisk and I.E.8 it is easy to remove the Insecure Cipher Suites.
I can't do it with Chrome:

Did someone make it?

guest · Aug 6, 2018

Facebook open sources library to enhance latest Transport Layer Security protocol
August 06, 2018
https://techcrunch.com/2018/08/06/f...-up-latest-transport-layer-security-protocol/

Facebook created an API library called Fizz to enhance the latest version, TLS 1.3, on Facebook’s networks. Today, it announced it’s open sourcing Fizz and placing it on GitHub for anyone to access and use.

As for Fizz, “In addition to the enhancements that come with TLS 1.3, Fizz offers an improved solution for middlebox handshake failures, supports asynchronous I/O by default, and can handle scatter/gather I/O to eliminate the need for extra copies of data,” Facebook wrote in the blog post announcing it was open sourcing the library.

Fizz improves the newest version of the Transport Layer Security protocol, and by making it open source, Facebook is sharing this technology with the community at large where others can take advantage of and build upon the work Facebook has done.
Click to expand...

ronjor · Aug 13, 2018

IETF Publishes TLS 1.3 as RFC 8446

By Eduard Kovacs on August 13, 2018
The Internet Engineering Task Force (IETF) on Friday published version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol as RFC 8446.

The final version of TLS 1.3 was approved by the IETF in late March, after nearly four years of work and 28 drafts.
Click to expand...

Sampei Nihira · Aug 14, 2018

https://www.ghacks.net/2018/08/14/tls-1-3-final-published/

sdmod · Aug 14, 2018

I'm an xp sp3 user. How do I update my machine to this new standard TLS 1.3?

sdmod · Aug 14, 2018

I use xp sp 3 and this browser is Firefox 6.0 in Paypal test page.

This is what I get

Sampei Nihira said: ↑

It would be interesting to PayPal test with a non TLS 1.2 browser.
Click to expand...

Sampei Nihira · Aug 14, 2018

Update your browser:

1) Firefox ESR 52.9.0

2) about:config

security.tls.version.max set to 4

3) KB4019276 adds TLS 1.2 support to Windows XP POS READY2009.

TLS 1.3 support is not yet available for the OS POSReady 2009.

We confirm that Microsoft engineers are working on it.

elapsed · Aug 14, 2018

Sampei Nihira said: ↑

Update your browser:

1) Firefox ESR 52.9.0

2) about:config

security.tls.version.max set to 4

3) KB4019276 adds TLS 1.2 support to Windows XP POS READY2009.

TLS 1.3 support is not yet available for the OS POSReady 2009.

We confirm that Microsoft engineers are working on it.
Click to expand...

1) No version of Firefox supports Windows XP that also supports TLS 1.3
2) Firefox uses it's own implementation of TLS, not Windows, lol.
Even if your "POSReady" does get TLS 1.3 (which I can basically guarantee it won't because mainstream support for every version of POSReady has ended) that won't make Firefox work. You'd have to use IE.

Firefox 52 ESR ends in 3 weeks.

Sampei Nihira · Aug 15, 2018

After 3 weeks XP users will be able to use both Basilisk fork for XP and New Moon.

https://forum.palemoon.org/viewtopic.php?t=19881

Read MaryRose answers, from Microsoft support, to FranceBB:

https://msfn.org/board/topic/177693-tls13-xp-and-firefox/

elapsed · Aug 15, 2018

Sampei Nihira said: ↑

After 3 weeks XP users will be able to use both Basilisk fork for XP and New Moon.

https://forum.palemoon.org/viewtopic.php?t=19881
Click to expand...

Neither Pale Moon nor Basilisk support XP.
If you're relying on trusting unofficial forks then you should just go on random websites and start downloading and running random .exe files.

Sampei Nihira said: ↑

Read MaryRose answers, from Microsoft support, to FranceBB:

https://msfn.org/board/topic/177693-tls13-xp-and-firefox/
Click to expand...

LOL. Wow, you're right. A random support staff from web chat said it, so it must be true.

Good luck buddy.

sdmod · Aug 15, 2018

I run Windows XP sp3 32 bit
I have a Firefox Portable 52.4.0 which I tried with the settings below.
FirefoxPortableESR_52.4.0_English.paf.exe
I read on https://msfn.org/board/topic/177693-tls13-xp-and-firefox/
that I could enter about:config in my browser and change
security.tls.version.max setting from "3" to "4" in about:config
Although it didn't work for the person on the forum, it seems to have worked for me
As now I can go to the test sites like https://www.ssllabs.com/ssltest/analyze.html?d=tls13.cloudflare.com
and the paypal TLS 1.3 test site https://tlstest.paypal.com/ and get the green light A1 passes or an accept rather than a decline.
I think that he very last version of Firefox that you can get is Firefox Portable 52.9.0 for XP FirefoxPortableLegacy52_52.9.0_English.paf.exe

As I said it seems to work but I don't know much about these things.

ronjor · Sep 7, 2018

TLS 1.3 Won't Break Everything

Curtis Franklin Jr. 9/7/2018
The newest version of TLS won't break everything in your security infrastructure, but you do need to be prepared for the changes it brings.
Click to expand...

ronjor · Sep 11, 2018

OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements

By Eduard Kovacs on September 11, 2018
The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.
Click to expand...

FanJ · Sep 12, 2018

ronjor said: ↑

OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements
Click to expand...

Thanks Ron.
See also:
OpenSSL 1.1.1 Is Released
https://www.openssl.org/blog/blog/2018/09/11/release111/

Lots of info there.
Just these quotes:

Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straight forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is not an LTS release it will start receiving security fixes only with immediate affect as per our previous announcement and as published in our release strategy. It will cease receiving all support in one years time.
Click to expand...

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.
Click to expand...

guest · Oct 13, 2018

TLS 1.3 updates from Chrome
October 12, 2018
https://www.ietf.org/mail-archive/web/tls/current/msg27066.html

The upcoming release of Google Chrome 70 is expected to enable the final version of TLS 1.3. As the release has progressed through our early release channels, we have learned about some deployment issues we would like to share with the community.

First, we are aware of some intolerance to the final TLS 1.3 code point, 0x0304. Prerelease versions of OpenSSL 1.1.1, namely -pre6 and earlier, implemented the draft versions of TLS 1.3 incorrectly. [...] These servers will respond to a TLS 1.3 ClientHello with a draft version, rather than TLS 1.2, and fail to interoperate.
Second, [...]

Due to the above, we will sadly be shipping TLS 1.3 in Chrome 70 with the server-random check temporarily disabled.
Click to expand...

Log in or Sign up

It's time to upgrade to TLS 1.3 already, says CDN engineer

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

RockLobster Registered Member

guest Guest

guest Guest

Sampei Nihira Registered Member

itman Registered Member

Sampei Nihira Registered Member

guest Guest

Sampei Nihira Registered Member

guest Guest

ronjor Global Moderator

Sampei Nihira Registered Member

sdmod Shadow Defender Expert

sdmod Shadow Defender Expert

Attached Files:

TSLtest.jpg

Sampei Nihira Registered Member

elapsed Registered Member

Sampei Nihira Registered Member

elapsed Registered Member

sdmod Shadow Defender Expert

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

guest Guest

Log in or Sign up

It's time to upgrade to TLS 1.3 already, says CDN engineer

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

RockLobster Registered Member

guest Guest

guest Guest

Sampei Nihira Registered Member

itman Registered Member

Sampei Nihira Registered Member

guest Guest

Sampei Nihira Registered Member

guest Guest

ronjor Global Moderator

Sampei Nihira Registered Member

sdmod Shadow Defender Expert

sdmod Shadow Defender Expert

Attached Files:

TSLtest.jpg

Sampei Nihira Registered Member

elapsed Registered Member

Sampei Nihira Registered Member

elapsed Registered Member

sdmod Shadow Defender Expert

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

guest Guest

Useful Searches