10 Oct: TLS v1.3 - What's New?
A bigger change to the protocol than the step from 1.0 to 1.2 - here are the key changes:
- Removes a round trip from the initial handshake: the client predicts which cipher will be agreed and sends its key share in its very first message (see below)
- Fast-resume session tickets are combined with a fresh DH exchange, so resumed connections get forward secrecy
- 0-RTT resumption - when resuming, the client sends its first data (e.g. an HTTP GET) along with the session ticket, merging connection setup with the data transfer (but this initial HTTP GET does not get Forward Secrecy because the DH exchange hasn't happened yet)
- No more RSA key exchange in the initial handshake (the initial handshake now always has Forward Secrecy)
- Lots of house cleaning - no more support for RC4, 3DES, MD5, SHA1, AES-CBC or compression
Here's an example showing the more efficient connection setup:
TLSv1.2:
Let's choose one of this list of ciphers ->
<- OK, here's the cipher I choose, and here's my key share
Great, here's my key share as well ->
<- Great, all set!
http get ->
<- http answer
TLSv1.3:
I reckon you'll be happy to use cipher X, here's my key share ->
<- Yep, cipher X sounds good, here's my key share, we're all set!
All set, http get ->
<- http answer
If the server doesn't accept the client's guess, TLSv1.3 falls back to TLS 1.2-style handshaking. It's worth highlighting that this improvement over TLSv1.2 only applies to the first connection to a server. v1.2 already has a fast resumption mechanism: the client stores a session ticket from a previous connection and presents it next time. v1.3's improvement is to the security of fast resume.
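To make the round-trip counting in the list and the exchange above concrete, here is a small Python model, added here and not part of the original note, of the four flows discussed: a TLS 1.2 DHE handshake, a TLS 1.3 handshake with the client's key-share guess accepted, the same with the guess rejected (in real TLS 1.3 the server answers with a HelloRetryRequest and the connection stays TLS 1.3, but it costs one more round trip), and a 0-RTT resumption. The toy DH groups, the message names in parentheses and the `round_trips_before_data` counter are the example's own constructions; nothing here authenticates anything or derives real keys.

```python
"""Toy model of TLS 1.2 vs TLS 1.3 handshake flights (added example, not the note's own code).

Only the message flow is modelled: which side sends which flight, and how many
round trips pass before the client's first application-data byte can leave.
The Diffie-Hellman groups are tiny constructed "toy" groups (not real TLS
groups), and no certificates, signatures or key schedule are implemented, so
this illustrates round-trip counting rather than implementing TLS.
"""
from dataclasses import dataclass
import secrets

# Constructed toy finite-field DH groups: (prime, generator). Both primes are
# Mersenne primes; the generators are small toy choices. NOT secure parameters.
TOY_GROUPS = {
    "toy-dh-61": (2**61 - 1, 37),
    "toy-dh-31": (2**31 - 1, 7),
}


def keypair(group):
    """Fresh ephemeral DH key pair in the named toy group."""
    p, g = TOY_GROUPS[group]
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared(group, priv, peer_pub):
    """DH shared value g^(ab) mod p computed from one side's private key and the peer's share."""
    p, _ = TOY_GROUPS[group]
    return pow(peer_pub, priv, p)


@dataclass
class Handshake:
    flights: list            # (direction, [messages]) in wire order
    client_secret: int       # DH result computed on each side; they must match
    server_secret: int


def tls12_handshake(group):
    """TLS 1.2 with (EC)DHE: the client only learns the chosen suite and the
    server's share after a full round trip, so its own share and then the GET
    have to wait for the second and third client flights."""
    flights = [("C->S", ["ClientHello(cipher_suites)"])]
    s_priv, s_pub = keypair(group)
    flights.append(("S->C", ["ServerHello(suite)", f"ServerKeyExchange({group})", "ServerHelloDone"]))
    c_priv, c_pub = keypair(group)
    flights.append(("C->S", ["ClientKeyExchange", "Finished"]))
    flights.append(("S->C", ["Finished"]))
    flights.append(("C->S", ["ApplicationData(GET)"]))
    return Handshake(flights, shared(group, c_priv, s_pub), shared(group, s_priv, c_pub))


def tls13_handshake(client_guess, server_groups):
    """TLS 1.3: the client guesses a group and sends a key share in its first
    flight. A correct guess gives a 1-RTT handshake; a wrong one is answered
    with HelloRetryRequest and costs one more round trip (still TLS 1.3)."""
    c_priv, c_pub = keypair(client_guess)
    flights = [("C->S", [f"ClientHello(supported_groups, key_share={client_guess})"])]
    chosen = client_guess
    if client_guess not in server_groups:
        chosen = server_groups[0]          # assumption: the client supports this group too
        flights.append(("S->C", [f"HelloRetryRequest({chosen})"]))
        c_priv, c_pub = keypair(chosen)
        flights.append(("C->S", [f"ClientHello(key_share={chosen})"]))
    s_priv, s_pub = keypair(chosen)
    flights.append(("S->C", [f"ServerHello(key_share={chosen})", "EncryptedExtensions",
                             "Certificate", "CertificateVerify", "Finished"]))
    # The GET rides in the same flight as the client's Finished.
    flights.append(("C->S", ["Finished", "ApplicationData(GET)"]))
    return Handshake(flights, shared(chosen, c_priv, s_pub), shared(chosen, s_priv, c_pub))


def tls13_resume_0rtt(group):
    """Resumption with a session ticket (PSK) plus 0-RTT: the GET goes out in
    the very first flight, keyed from the ticket alone (no DH result exists yet,
    hence no forward secrecy for it); the fresh DH share sent in that same
    flight protects everything after Finished."""
    c_priv, c_pub = keypair(group)
    flights = [("C->S", [f"ClientHello(pre_shared_key, key_share={group})", "EarlyData(GET)"])]
    s_priv, s_pub = keypair(group)
    flights.append(("S->C", [f"ServerHello(pre_shared_key, key_share={group})", "Finished"]))
    flights.append(("C->S", ["Finished", "ApplicationData(next request)"]))
    return Handshake(flights, shared(group, c_priv, s_pub), shared(group, s_priv, c_pub))


def round_trips_before_data(flights):
    """Count completed client->server->client exchanges before the client's first
    application-data (or early-data) message leaves."""
    n = 0
    for direction, msgs in flights:
        if direction == "C->S" and any(m.split("(")[0] in ("ApplicationData", "EarlyData") for m in msgs):
            return n
        if direction == "S->C":
            n += 1
    return n


def uses_hello_retry(flights):
    """True if the server had to reject the client's key-share guess."""
    return any(m.startswith("HelloRetryRequest") for _, msgs in flights for m in msgs)


if __name__ == "__main__":
    for name, hs in [("TLS 1.2", tls12_handshake("toy-dh-61")),
                     ("TLS 1.3, guess accepted", tls13_handshake("toy-dh-61", ["toy-dh-61"])),
                     ("TLS 1.3, guess rejected", tls13_handshake("toy-dh-31", ["toy-dh-61"])),
                     ("TLS 1.3 0-RTT resume", tls13_resume_0rtt("toy-dh-61"))]:
        print(f"{name}: {round_trips_before_data(hs.flights)} RTT before first request; "
              f"secrets match: {hs.client_secret == hs.server_secret}")
```

Running the script prints 2, 1, 2 and 0 round trips respectively. The rejected-guess case lands on the same count as TLS 1.2, which is what the note means by "TLS 1.2-style" fallback, while the 0-RTT case shows the early GET leaving before either side holds a DH result, which is exactly why that first request lacks forward secrecy.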