CDN77 Supporting TLS 1.3

CDN77 Now Supports TLS 1.3


Just like with WebRTC and HTTP/2, our tech engineers have done it again! We’re always keeping up with the latest tech trends in order to bring you the coolest features on the market. 

Even though it’s still a draft, we are proud to announce that CDN77 is now supporting TLS 1.3!

If you’re looking for a way to improve your website speed performance, TLS 1.3 is a big deal for you. With TLS 1.3 you can reduce the handshake duration by 50% and secure each session individually.

Together with HTTP/2, TLS 1.3 lowers page load times even more. Every millisecond of latency reduced for your visitors is important, especially on mobile devices.

How do you start using TLS 1.3 beta?

TLS 1.3 beta is available to all our clients. If you’re new to CDN77, you can use our free 14-day trial to test TLS 1.3 too.

At the moment, only some of our PoPs and servers support this feature. We’re waiting for a final version of the protocol in order to safely deploy it on a larger scale.

The history & benefits of TLS 1.3

TLS (Transport Layer Security) is developed by the Internet Engineering Task Force (IETF) as the successor protocol to SSL. Both TLS and SSL are cryptographic protocols that secure communications over a computer network.

We have been waiting for TLS 1.3 for a very long time: the previous update, TLS 1.2, dates back to 2008. TLS 1.3 is a major protocol update that brings more secure and faster encrypted connections.

Even though TLS 1.3 was first announced in 2014, it was only released this April via OpenSSL. Adoption is still far from global: millions of websites need to upgrade to the latest OpenSSL version, 1.1.1.

Whether TLS 1.3 is used also depends on the browser. Chrome and Firefox already support TLS 1.3, although in Firefox you have to turn it on manually.

We’re confident it’s only a matter of time until we all start reaping benefits of using TLS 1.3. So, what kind of benefits are we talking about?

Faster connections

In the previous versions, two round-trips were needed to establish a secure connection. This process takes place before any actual data is transferred and lasts for hundreds of milliseconds.

With TLS 1.3, only one round-trip is necessary to create the secure connection. This cuts the handshake latency in half!

[Figure: TLS 1.2 and TLS 1.3 handshake comparison]

TLS 1.3 speeds up the resumption of previously established connections even further with the so-called “zero round-trip time” (0-RTT) mode. TLS 1.3 “remembers” a previously shared key and allows the client to send early data when resuming a previous session.

Unfortunately, 0-RTT can be a threat. An attacker who can observe your 0-RTT communication can replay the captured flight of 0-RTT data. If the pre-shared key has not expired, the server will accept the attacker’s replayed 0-RTT data and act on it. This is especially dangerous for HTTP POST requests, e.g. “/buy-something”.

To prevent any harm, servers that allow 0-RTT should implement an anti-replay mechanism and limit 0-RTT to only certain requests. Currently, TLS 1.3 itself does not, and cannot, provide inherent replay protection for 0-RTT.

For safety reasons, just like the majority of TLS 1.3 supporters, CDN77 is not utilizing 0-RTT mode at the moment.
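As an added illustration of the two defences described above (this is not CDN77’s code; the method allow-list, the ticket lifetime and the `handle_request` wrapper are assumptions), here is a minimal server-side 0-RTT policy: a single-use cache in the TLS terminator that refuses a replayed early-data flight, and an application rule that answers non-idempotent early requests with 425 Too Early (RFC 8470) instead of executing them.

```python
import time
from collections import OrderedDict

# Hypothetical values chosen for this example.
SAFE_METHODS = {"GET", "HEAD"}   # side-effect-free requests that may be served from early data
PSK_LIFETIME = 60                # seconds a resumption ticket (PSK) stays valid


class EarlyDataReplayFilter:
    """Single-use filter in the TLS terminator: remembers every (PSK identity,
    ClientHello random) pair whose 0-RTT flight it has already accepted
    (the 'ClientHello recording' strategy of RFC 8446 section 8.2).
    A second flight with the same pair is a replay and is refused."""

    def __init__(self, lifetime=PSK_LIFETIME, clock=time.monotonic):
        self.lifetime = lifetime
        self.clock = clock
        self._seen = OrderedDict()  # key -> time first accepted, in insertion order

    def _expire(self, now):
        # Entries older than the ticket lifetime can be dropped: a replay using
        # an expired PSK would fail resumption anyway.
        while self._seen:
            key, first_seen = next(iter(self._seen.items()))
            if now - first_seen < self.lifetime:
                break
            self._seen.popitem(last=False)

    def accept(self, psk_identity: bytes, client_random: bytes) -> bool:
        """True the first time a flight is seen, False for a replayed flight."""
        now = self.clock()
        self._expire(now)
        key = (psk_identity, client_random)
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def handle_request(filt, psk_identity, client_random, method, path, early_data):
    """Combine both layers. Returns what the server should do with the request."""
    if early_data and not filt.accept(psk_identity, client_random):
        # Replayed 0-RTT flight: discard it; the client must redo the full handshake.
        return "reject early data"
    if early_data and method not in SAFE_METHODS:
        # e.g. POST /buy-something arriving as early data: tell the client to
        # retry after the handshake completes (425 Too Early, RFC 8470).
        return "425 Too Early"
    return "serve " + method + " " + path
```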

Improved Security

With a “less is more” approach, TLS 1.3 removed broken and vulnerable pieces of the previous protocols. Having done this, TLS 1.3 enhances security and its implementation is much simpler for developers.

Moreover, TLS 1.3 improves the safety of previous connections by securing session resumption with a PFS (Perfect Forward Secrecy) mechanism. Therefore, an attacker won’t be able to decrypt previous traffic even if they gain access to the session encryption key. In other words, all sessions, and even session resumptions, are individually protected.

Let us know if you have questions, feedback, or came across any problem. Our tech support is ready 24/7. And don’t forget to sign up for the 14-day free trial if you haven’t tried CDN77 yet.
