Scott Helme on TLS 1.3: Reasons for Rapid Gravitation May Surprise You [Interview]

December 13, 2021 | Brooke Crothers

In a report on the state of TLS in the Alexa 1 million, security researcher and TLS expert Scott Helme uncovers trends that have emerged over the last 18 months since he last prepared the report. One key finding was that the gravitation to TLS 1.3 has been swift—but for reasons that may not have been predicted a year or so ago. While the pandemic has driven some transformation, it’s not the most salient reason. It is a function of chasing other benefits, according to Helme.

Indeed, the uptick in TLS 1.3 was surprising. “Generally, I would not have expected people to chase a newer protocol version so quickly after release,” Helme said.

“If we look at the TLS 1.2 adoption, that was considerably slower in 2008. We really didn’t see a massive drive in adoption until 2013/2014 during the post-Snowden and post-Heartbleed era when people were chasing Forward Secrecy,” according to Helme.

What follows is an interview with Scott Helme about the move to TLS 1.3 and its significance.

Q: What do you think is behind the move to TLS 1.3?

Scott Helme: The leap to TLS 1.3 happened during the pandemic. We saw a very significant spike in the adoption of TLS 1.3. But looking deeper into the data, it points to the fact that websites are using modern CDN (Content Delivery Network) providers and the fact that CDN providers have moved to newer protocol versions. That’s one of the main reasons for the big swing.

And it’s a good thing that we’re seeing an increase in adoption. Most people are very close to a cloud provider's edge node. So, between the browser and the local data center, there’s TLS 1.3 and modern ciphers. The “last mile” is where most of the threat typically resides. So, it's good that we are seeing that increase in adoption.

I think the performance aspect was probably a key contributing factor that drove this move to 1.3 at modern CDN and cloud providers. Customers needed to put their web services behind a modern CDN provider to make sure they're highly available. And the CDN provider will do all of this magic security stuff and we get it for free.

And while I think the pandemic has definitely driven some transformation, it’s perhaps not for the most obvious reason. That is, I don't think people were suddenly saying "Oh, we need to go and deploy TLS 1.3." That was more likely a byproduct of us chasing other benefits.

It’s about the ease of doing things. And not having to maintain and manage your own TLS and PKI configurations at your edge. Most of the CDN providers now will give a 10-year certificate for your origin. One cipher suite, one protocol, and you never have to reconfigure it again.

Q: What role did TLS performance play?

Scott Helme: Like I mentioned before, I think the thing that most people were probably chasing with 1.3 is performance. Because there's not really any security benefit in 1.3 that you can't replicate in 1.2 with a good configuration. So, it's not like people are jumping to 1.3 because there are some amazing new security things. I can make 1.2 basically just as secure with a good config.

And there are just so many other additional benefits. You can get HTTP/2. You get massive performance optimizations going to 1.3 from most CDN providers. They're going to do things like TLS session resumption and OCSP stapling to try and mitigate performance and privacy impacts. Again, back at the TLS layer.

Remember that TLS 1.2 was the first ever protocol version that focused a lot on performance. All of the versions of SSL, TLS 1.0, and 1.1 never really had any focus on performance. They were all about improving the protocol and making it more secure.

And most people that eventually deployed 1.2 were chasing the performance optimizations. And I think within TLS 1.3, again, there are some fantastic performance improvements. And now, performance on the web is critical. You can directly map page load time to eCommerce conversions and sales.

So, TLS 1.3 comes along and says, "Hello. We can now go potentially down to zero round trips on a handshake, and we have more efficient ciphers." The protocol itself is more efficient.

So, I think with the combination of HTTP/2 being a secure connection-only upgrade with massive performance advantages and TLS 1.3 being a protocol upgrade with potentially massive performance advantages, the majority of people have pushed to TLS 1.3 and HTTPS so quickly in the last few years because it's so much faster now. Performance is critical. That’s why organizations like Cloudflare are pushing 1.3 so aggressively onto their edge. Because it's fast and not necessarily because it's more secure.

Q: What about the persistence of earlier versions of TLS?

Scott Helme: We’ve pretty much halved the usage of TLS V1. But half is not a lot. It's good to see 1.1 at zero, though it’s not surprising given the complete lack of implementation and support for 1.1. But for 1.0, we found several hundred legacy websites out there that someone is just not maintaining anymore.

And it's odd that any of these are top one million sites and clearly not being maintained. Because when you look at the top one million sites, you must have at least some reasonable level of traffic volume in order to get there. So, it's very likely to be infrastructure that someone's operating that isn't being maintained.

For example, if you have Windows XP clients, you can keep those old protocol versions around for backwards compatibility. But that shouldn’t come at the sacrifice of supporting the new versions.

So technically, the numbers for V1 and 1.1 and 1.2 should all be zero. Now, someone might support 1.2, 1.1, and 1.0, for backwards compatibility. But that should never be the highest protocol version that you support.

Overall, I’m very happy to see the faster-than-expected transition to TLS 1.3. And because it’s likely that the move was driven by ease-of-use and automation, it’s a win-win for encryption as well as the adopting companies.
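Helme's point that a legacy version may be offered for compatibility but should never be the highest version a server negotiates is easiest to audit from the server's own ServerHello. The following is an added example (not Helme's or Venafi's code) that classifies the negotiated version from a captured handshake record; it assumes constructed ServerHello bytes built inline rather than real traffic, and handles the TLS 1.3 quirk where the legacy_version field still reads 0x0303 and the real selection sits in the supported_versions extension.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension

def negotiated_version(record: bytes) -> str:
    """Version actually selected by a TLS handshake record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    selected = struct.unpack("!H", body[0:2])[0]   # legacy_version field
    pos = 2 + 32                                   # skip server random
    pos += 1 + body[pos]                           # skip legacy_session_id_echo
    pos += 2 + 1                                   # skip cipher_suite, compression
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            # TLS 1.3 keeps legacy_version at 0x0303 and signals 1.3 here instead
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                selected = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return TLS_VERSIONS.get(selected, f"unknown (0x{selected:04x})")

def _server_hello(legacy_version: int, selected=None) -> bytes:
    """Constructed minimal ServerHello record for testing (not real traffic)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00\x13\x01\x00"
    if selected is not None:                       # add supported_versions
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

SAMPLES = {                                        # constructed captures
    "cdn-edge": _server_hello(0x0303, 0x0304),     # 1.3 behind legacy 1.2 field
    "origin-1.2": _server_hello(0x0303),
    "legacy-1.0": _server_hello(0x0301),
}

def report(samples=SAMPLES) -> dict:
    """Map each captured sample to the version its server negotiated."""
    return {name: negotiated_version(rec) for name, rec in samples.items()}
```

Run over ServerHellos captured from your own edge and origin hosts, any entry still reporting TLS 1.0 or 1.1 as the negotiated version is a server whose highest offered version is the legacy one.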
