In our Acronym Series, Nexum’s expert engineers define the industry’s most popular topics.
Acronym: TLS – Transport Layer Security
Definition: TLS is a cryptographic protocol that provides end-to-end security between two internet-connected endpoints.
TLS 1.0 was first defined in Request for Change (RFC) 2246 by the Internet Engineering Task Force (IETF) in January 1999. It was created to replace (Secure Sockets Layer (SSL) 3.0, and though the differences were insignificant, it was enough that it would not be interoperable with 3.0. Because Netscape developed SSL, the name change was mainly for Microsoft, so it didn’t appear that the IETF was rubberstamping their protocol. A familiar analogy here would be where Cisco championed several technologies over the years that were eventually adopted as standards under a newly created name.
TLS 1.1 was defined in April of 2006 in RFC 4346. Protection against cipher-block chaining attacks and support for Internet Assigned Numbers Authority (IANA) registration of parameters were added. TLS 1.2 came out in August of 2008 via RFC 5246 and introduced significant changes:
- MD5-SHA-1 was replaced with SHA-256
- Enhancements were made to the client/server’s ability to specify the hashes and signature algorithms they accept
- Authentication encryption cipher support was expanded to include Galois/Counter Mode (GCM and CCM) of Advanced Encryption Standard (AES)
It is important to note at this point in the evolution, specifically in March of 2011, that RFC 6176 refined all TLS versions removing backward compatibility with SSL such that negotiation of a session down to SSL 2.0 would never occur (#safetyfirst). TLS 1.3 was introduced in August of 2018 with RFC 8446 and came with many enhancements. Here are the highlights:
- Separation of key agreement and authentication algorithms from the cipher suites
- Removed support for weak elliptic curves
- Removed MDF and SHA-224 hash functions
- Use of ephemeral keys during key agreement
- Integrated use of session hash
- Encryption of all handshake messages after ServerHello
TLS 1.3 was such a significant improvement that big companies like Apple, Google, Microsoft, and Mozilla announced they would deprecate TLS 1.0 and 1.1 in March of 2020 as the first step towards 1.3. Google Chrome and Firefox made TLS 1.3 available in October 2018, and Microsoft first added 1.3 support in Windows 11 and Server in 2022.
We still say SSL, but if all is configured correctly, we really mean TLS. Read more about this here.
Check Out More Resources
The Nexum team attended Black Hat 2023 and DEF CON 31 conferences in Las Vegas. Check out this post about their experiences and some guidance on the differences between the two events.