Just like with WebRTC and HTTP/2, our tech engineers have done it again! We’re always keeping up with the latest tech trends in order to bring you the coolest features on the market.
We are proud to announce that CDN77 is now supporting TLS 1.3!
If you’re looking for a way to improve your website speed performance, TLS 1.3 is a big deal for you. With TLS 1.3 you can reduce the handshake duration by 50% and secure each session individually.
Together with HTTP/2, TLS 1.3 lowers page load times even more. Every millisecond of latency reduced for your visitors is important, especially on mobile devices.
How do you start using TLS 1.3?
TLS 1.3 is available to all our clients. If you’re new to CDN77, you can use our free 14-day trial to test TLS 1.3 too.
At the moment, some of our PoPs support TLS 1.3, and we plan to deploy it on all our PoPs within Q3 2017. Please note that you need to let our customer service know and they’ll turn it on for you.
The history & benefits of TLS 1.3
TLS (Transport Layer Security) was developed by the Internet Engineering Task Force (IETF) as the successor protocol to SSL. Both TLS and SSL are cryptographic protocols that secure communications over a computer network.
We have been expecting the arrival of TLS 1.3 for a very long time, since the last update of TLS, TLS 1.2, back in 2008. TLS 1.3 is a major protocol update for more secure and faster encrypted connections.
Even though TLS 1.3 was first announced in 2014, it was released this April via OpenSSL. Adoption is still far from global: there are millions of websites that need to upgrade to the latest version of OpenSSL, 1.1.1.
The usage of TLS 1.3 also depends on the browser. Chrome and Firefox already support TLS 1.3. However, you have to manually turn it on in Firefox.
We’re confident it’s only a matter of time until we all start reaping benefits of using TLS 1.3. So, what kind of benefits are we talking about?
In the previous versions, two round-trips were needed to establish a secure connection. This process takes place before any actual data is transferred and lasts for hundreds of milliseconds.
With TLS 1.3 there is only one round-trip necessary to create the secure connection. This cuts the encryption latency by half!
TLS 1.3 speeds up previously established connections even more with the so-called “zero round-trip time” (0-RTT) mode. TLS 1.3 “remembers” previously shared keys and allows early data to be sent when resuming a previous session.
Unfortunately, 0-RTT is a potential threat. An attacker who can observe your 0-RTT communication could capture the flight of 0-RTT data and send it again. If the pre-shared key has not expired, the server will accept the attacker’s replayed 0-RTT data and act on it. This is especially dangerous for HTTP POST requests, e.g. “/buy-something”.
To prevent any harm, servers that allow 0-RTT should implement an anti-replay mechanism and limit 0-RTT to only some requests. TLS 1.3 itself does not, and cannot, provide inherent replay protection for 0-RTT data.
For safety reasons, just like the majority of TLS 1.3 supporters, CDN77 is not utilizing 0-RTT mode at the moment.
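One way to implement the “limit 0-RTT to only some requests” rule at the application layer, as an added example that is not CDN77’s code: a WSGI middleware that trusts an `Early-Data: 1` header set by the TLS terminator (assumed here to be nginx with `proxy_set_header Early-Data $ssl_early_data`) and answers non-idempotent early-data requests with 425 Too Early, the status RFC 8470 defines for this situation. The shop backend, paths and header values are constructed for the example.

```python
"""Gate HTTP requests that arrived as TLS 1.3 0-RTT early data (RFC 8470 style)."""

# Methods RFC 7231 defines as safe: a replayed GET is harmless, a replayed POST is not.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class EarlyDataGuard:
    """WSGI middleware. The TLS terminator (assumption: nginx with
    'proxy_set_header Early-Data $ssl_early_data') marks requests read from
    0-RTT data with 'Early-Data: 1'. The terminator must always set or strip
    that header so a client cannot inject its own value."""

    def __init__(self, app, safe_methods=SAFE_METHODS):
        self.app = app
        self.safe_methods = safe_methods

    def __call__(self, environ, start_response):
        in_early_data = environ.get("HTTP_EARLY_DATA") == "1"
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if in_early_data and method not in self.safe_methods:
            # 425 tells a conforming client to retry once the handshake has
            # completed; nothing was acted on, so a replay has no effect.
            body = b"Request may have been replayed; retry after handshake\n"
            start_response("425 Too Early", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def shop_app(environ, start_response):
    """Constructed sample backend: POST /buy-something would charge a card."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{environ['REQUEST_METHOD']} {environ['PATH_INFO']} handled\n".encode()]


def call(app, method, path, early_data):
    """Drive a WSGI app directly (no network) and return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if early_data:
        environ["HTTP_EARLY_DATA"] = "1"
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = EarlyDataGuard(shop_app)
    print(call(app, "GET", "/product/42", early_data=True))       # served
    print(call(app, "POST", "/buy-something", early_data=True))   # 425 Too Early
    print(call(app, "POST", "/buy-something", early_data=False))  # served
```

A request refused with 425 is never acted on, so the replayed flight the paragraph above describes buys the attacker nothing; a single-use ticket or ClientHello-recording scheme on the TLS server itself is the complementary defence.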
With a “less is more” approach, TLS 1.3 removed broken and vulnerable pieces of the previous protocol versions. By doing so, TLS 1.3 enhances security and is much simpler for developers to implement.
Moreover, TLS 1.3 improves the safety of previous connections by securing session resumption with a PFS (Perfect Forward Secrecy) mechanism. Therefore, an attacker won’t be able to decrypt previous traffic even if they gain access to the session encryption key. In other words, all sessions, and even session resumptions, are individually protected.
See the benefits for yourself!
We’re really excited to present this update to all our clients. With TLS 1.3 the encrypted connections will be faster and more secure.
Keep in mind, if you’d like to try TLS 1.3, let our customer service know.