Popular browsers Firefox and Chrome have confirmed their support of Transport Layer Security (TLS) 1.3, the latest version of the standard behind the 'HTTPS' connectivity scheme, following its finalisation by the Internet Engineering Taskforce (IET) last week.
Building on TLS 1.2, the current most popular version of the standard but one which at ten years old is beginning to fray at the seams, TLS 1.3 - also known as Request for Comment (RFC) 8446 - is a major release with improvements in both security and performance. It enhances privacy by removing most of the previously clear-text handshake step prior to encryption beginning, it deprecates outdated cryptographic algorithms currently being actively exploited, and improves speed by dropping the handshake round-trip from two trips to one in standard mode and includes an optional zero-round-trip mode for still improved performance.
Having a standard is no good if nobody implements it, of course, and there's good news on that front: Both Firefox and Chrome, along with the open-source Chromium browser, have been working on support for TLS 1.3 based on draft versions of the standard. 'Firefox 61 is already shipping draft-28, which is essentially the same as the final published version (just with a different version number),' explains Mozilla's Eric Rescorla in a blog post published late last night. 'We expect to ship the final version in Firefox 63, scheduled for October 2018.'
Server support, meanwhile, is ongoing: Rescorla reports that Cloudflare, Google, and Facebook are among the services which have already made the switch, with around five percent of Firefox users and Cloudflare visitors already using TLS 1.3 connections - and Facebook reporting that a surprising half of its traffic, much of which likely comes from the company's mobile apps, is over TLS 1.3-protected connections.
January 24 2020 | 12:00