TLS: Transport Layer Security
Written by: Scott Hammond, Senior Security Engineer
In our Acronym Series, Nexum’s expert engineers define the industry’s most popular topics.
Acronym: TLS – Transport Layer Security
Definition: TLS is a cryptographic protocol that provides end-to-end security between two internet-connected endpoints.
TLS 1.0 was first defined in Request for Comments (RFC) 2246 by the Internet Engineering Task Force (IETF) in January 1999. It was created to replace Secure Sockets Layer (SSL) 3.0, and though the differences were insignificant, they were enough that it would not be interoperable with 3.0. Because Netscape developed SSL, the name change was mainly for Microsoft, so it didn’t appear that the IETF was rubberstamping Netscape’s protocol. A familiar analogy here would be where Cisco championed several technologies over the years that were eventually adopted as standards under a newly created name.
TLS 1.1 was defined in April of 2006 in RFC 4346. Protection against cipher-block chaining attacks and support for Internet Assigned Numbers Authority (IANA) registration of parameters were added. TLS 1.2 came out in August of 2008 via RFC 5246 and introduced significant changes:
- MD5-SHA-1 was replaced with SHA-256
- Enhancements were made to the client/server’s ability to specify the hashes and signature algorithms they accept
- Authenticated encryption cipher support was expanded to include the Galois/Counter Mode (GCM) and CCM modes of Advanced Encryption Standard (AES)
It is important to note at this point in the evolution, specifically in March of 2011, that RFC 6176 refined all TLS versions removing backward compatibility with SSL such that negotiation of a session down to SSL 2.0 would never occur (#safetyfirst). TLS 1.3 was introduced in August of 2018 with RFC 8446 and came with many enhancements. Here are the highlights:
- Separation of key agreement and authentication algorithms from the cipher suites
- Removed support for weak elliptic curves
- Removed MD5 and SHA-224 hash functions
- Use of ephemeral keys during key agreement
- Integrated use of session hash
- Encryption of all handshake messages after ServerHello
TLS 1.3 was such a significant improvement that big companies like Apple, Google, Microsoft, and Mozilla announced they would deprecate TLS 1.0 and 1.1 in March of 2020 as the first step towards 1.3. Google Chrome and Firefox made TLS 1.3 available in October 2018, and Microsoft first added 1.3 support in Windows 11 and Server in 2022.
We still say SSL, but if all is configured correctly, we really mean TLS.
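Added example, not from the original article: when auditing for the deprecated versions listed above, note that a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its legacy version field and signals 1.3 in the supported_versions extension defined in RFC 8446. The Python sketch below reads the version a ServerHello actually selects; the function names and sample records are constructed for illustration, and it assumes one unfragmented handshake record.

```python
import struct

# Wire version codes for the protocol versions named in the article.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {0x0300, 0x0301, 0x0302}
SUPPORTED_VERSIONS_EXT = 43  # extension that carries the real version in TLS 1.3


def negotiated_version(record: bytes) -> int:
    """Return the version code a ServerHello record actually selects."""
    # Record header is 5 bytes (type 0x16 = handshake); handshake type 0x02 = ServerHello.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")   # legacy_version field
    pos = 34                                      # skip version + 32-byte random
    pos += 1 + hello[pos]                         # session_id length + session_id
    pos += 3                                      # cipher suite + compression method
    if pos + 2 > len(hello):
        return version                            # no extensions block at all
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS_EXT and len(data) == 2:
            return int.from_bytes(data, "big")    # overrides legacy_version
        pos += 4 + elen
    return version


def classify(record: bytes) -> str:
    """Name the selected version and flag the ones browsers have deprecated."""
    code = negotiated_version(record)
    name = VERSIONS.get(code, f"unknown 0x{code:04x}")
    return f"{name} (deprecated)" if code in DEPRECATED else name


def build_server_hello(legacy: int, selected: int = 0) -> bytes:
    """Constructed sample input, not a capture: a minimal ServerHello record."""
    ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected) if selected else b""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x13\x01\x00"
    hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs
```

A check that only reads the legacy version field would report every TLS 1.3 session as TLS 1.2, which is why the extension is consulted first.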