Quicker handshake starts encrypting data sooner
Mozilla has decided it needs to lift its HTTPS game, and will default to TLS 1.3 in next year’s Firefox 52.
Mozilla principal engineer Martin Thomson let developers know about the decision in an e-mail last Friday.
“TLS 1.3 removes old and unsafe cryptographic primitives, it is built using modern analytic techniques to be safer, it is always forward secure, it encrypts more data, and it is faster than TLS 1.2,” Thomson’s note said.
So far, Thomson wrote, Mozilla’s limited tests haven’t turned up any incompatibilities with existing servers.
So that the change doesn’t break things for users, the Mozilla ticket announcing it notes, Firefox 52 will “retain insecure fallback to TLS 1.2 … until we have broader information about server intolerance to the TLS 1.3 handshake”.
The developers have moved pretty quickly on this one: the Internet Draft for TLS 1.3, by Eric Rescorla, is dated September 22, 2016 – and it’s still described as a work in progress (the document is up to revision 17).
Cloudflare has a useful backgrounder on TLS 1.3 here.
Filippo Valsorda notes that the draft removes one round trip during the handshake process.
Not only does that make setup quicker, Valsorda notes, but the client and server can switch to encrypted communications one step earlier.
Another important addition in TLS 1.3 is “0-RTT resumption” – that is, the ability for a client and server who already “know each other” to send encrypted application data in the client’s very first flight, without waiting for the handshake to complete.
Valsorda describes the process:
“When a 1.3 client connects to a 1.3 server they agree on a resumption key (or PSK, pre-shared key), and the server gives the client a Session Ticket that will help it remember it.
The Ticket can be an encrypted copy of the PSK—to avoid state—or a reference number.
“The next time the client connects, it sends the Session Ticket in the ClientHello and then immediately, without waiting for any round trip, sends the HTTP request encrypted with the PSK.
The server figures out the PSK from the Session Ticket and uses that to decrypt the 0-RTT data.”
Mozilla isn’t yet ready to support 0-RTT resumption, but Thomson says it will happen later.
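To make the exchange Valsorda describes concrete, here is an added toy model of ticket-based 0-RTT resumption. It is example code written for this page, not NSS, Firefox or Cloudflare code, and it is not the TLS 1.3 wire format: the HKDF-style derivation, the encrypt-then-MAC “record layer” and the fixed zero nonce are simplified stand-ins, the full 1-RTT handshake is reduced to both ends agreeing a random PSK, and the HTTP request is a constructed sample. What it does show is the shape of the protocol: the server hands out a ticket that is an encrypted copy of the PSK (so it keeps no state), the client later sends that ticket in its ClientHello together with the request encrypted under a key derived from the PSK, and the server recovers the PSK from the ticket to decrypt the 0-RTT data.

```python
import hashlib
import hmac
import secrets


def derive(secret: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF-Expand-like derivation: chained HMAC-SHA256 blocks (simplified, not RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + b"toy tls13 " + label + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Toy AEAD stand-in for the record layer: HMAC keystream XOR, then a 16-byte tag."""
    stream = derive(key, b"stream " + nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, aad + nonce + ciphertext, hashlib.sha256).digest()[:16]
    return ciphertext + tag


def open_(key: bytes, nonce: bytes, sealed: bytes, aad: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the tag does not verify."""
    ciphertext, tag = sealed[:-16], sealed[-16:]
    expected = hmac.new(key, aad + nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record authentication failed")
    stream = derive(key, b"stream " + nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def early_traffic_key(psk: bytes, ticket: bytes) -> bytes:
    """Key for 0-RTT data: derived from the PSK and bound to the ticket in the ClientHello."""
    return derive(psk, b"c e traffic " + hashlib.sha256(ticket).digest())


class Server:
    def __init__(self) -> None:
        # Long-lived ticket-encryption key. The ticket is an encrypted copy of the PSK,
        # so the server keeps no per-client state ("to avoid state").
        self.ticket_key = secrets.token_bytes(32)

    def issue_ticket(self, psk: bytes) -> bytes:
        nonce = secrets.token_bytes(12)
        return nonce + seal(self.ticket_key, nonce, psk, b"NewSessionTicket")

    def accept_0rtt(self, client_hello: dict) -> bytes:
        """Recover the PSK from the ticket, then decrypt the 0-RTT data (the HTTP request)."""
        ticket = client_hello["ticket"]
        psk = open_(self.ticket_key, ticket[:12], ticket[12:], b"NewSessionTicket")
        return open_(early_traffic_key(psk, ticket), bytes(12),
                     client_hello["early_data"], b"ClientHello")


class Client:
    def __init__(self) -> None:
        self.psk, self.ticket = b"", b""

    def full_handshake(self, server: Server) -> None:
        """Stand-in for the 1-RTT handshake: both ends hold the same resumption key (PSK)
        and the server answers with a ticket for it."""
        self.psk = secrets.token_bytes(32)
        self.ticket = server.issue_ticket(self.psk)

    def resume_0rtt(self, request: bytes) -> dict:
        """ClientHello carrying the ticket plus the request, sent before any round trip."""
        key = early_traffic_key(self.psk, self.ticket)
        return {"ticket": self.ticket,
                "early_data": seal(key, bytes(12), request, b"ClientHello")}


REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed sample 0-RTT payload


def run_resumption() -> bytes:
    server, client = Server(), Client()
    client.full_handshake(server)        # first connection: 1-RTT, ticket issued
    hello = client.resume_0rtt(REQUEST)  # second connection: request in the first flight
    return server.accept_0rtt(hello)


def replay_is_accepted() -> bool:
    """Caveat: nothing in the exchange itself stops a captured 0-RTT flight being replayed."""
    server, client = Server(), Client()
    client.full_handshake(server)
    hello = client.resume_0rtt(REQUEST)
    return server.accept_0rtt(hello) == server.accept_0rtt(hello) == REQUEST


def foreign_ticket_rejected() -> bool:
    """A ticket minted under another server's key fails to decrypt, so the server would
    refuse the 0-RTT data and fall back to a full handshake."""
    server_a, server_b, client = Server(), Server(), Client()
    client.full_handshake(server_a)
    try:
        server_b.accept_0rtt(client.resume_0rtt(REQUEST))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_resumption())
```

Two of the helper functions exist for the practitioner’s benefit rather than the protocol’s: `foreign_ticket_rejected` shows that a ticket the server cannot decrypt simply fails authentication, and `replay_is_accepted` shows that the same early-data flight decrypts cleanly a second time, which is why 0-RTT data needs application-level replay protection and why a browser has to think carefully before turning it on.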
Last week, Mozilla announced its next step in eliminating SHA-1. ®