What started as important is now vital. Protecting end-to-end web-based communications was important in 1983 when networks began to talk to one another via the Internet. It became vital when personally identifiable information (PII), payment card information, and other sensitive data joined the two-way traffic on the highway of the World Wide Web.
Netscape released the encryption protocol Secure Socket Layer (SSL) in 1985 to protect data transmission between two systems from eavesdropping or tampering. The growth of the Internet led to the growth of attackers, worms, and viruses—and the development of antivirus programs and more proactive cybersecurity.
By 1999, SSL was an incomplete answer for protecting internet communications. The Internet Engineering Task Force (IEFT) established an improved standard protocol by releasing Transport Layer Security (TLS) 1.0.
The increasing risks and potential impact on users and organizations using web-based communications shifted browsers from the Hypertext Transfer Protocol (HTTP) for communication requests to Hypertext Transfer Protocol Secure (HTTPS) to apply TLS encryption for all communications between user clients and web servers.
Browser-based protection is used by most providers, only allowing direct connection to URLs with the HTTPS protocol in place. Many web hosting companies still sell SSL certificates, but what’s being purchased are TLS certificates.
Our red team identified web applications, APIs, and mobile applications as key avenues for exploitation over the past year. You can eliminate risks you don’t have to be exposed to by closing the security gaps of TLS 1.2.
Should you move to TLS 1.3?
TLS is a client-server handshake mechanism for establishing a secure, encrypted connection between two systems. TLS protocols have improved as data security needs have increased. Due to the distinct advantages, many enterprise deployments have replaced internet protocol Security (IPsec) with TLS.
TLS 1.3 has been available since late 2018/early 2019. This updated standard has distinct advantages over TLS 1.2, including faster negotiation, improved encryption, and fewer cipher suites. Both privacy and security are supported better in TLS 1.3 with an overall more efficient process.
The pros and cons of TLS 1.3
A large majority of enterprises still use TLS 1.2. Unless they shift to TLS 1.3, these organizations are sidelining some critical upgrades. But like all shifts from legacy to next-gen, there are considerations you need to know about and plan for before making the switch.
Our newly released whitepaper, Transport Layer Security (TLS): Comparing TLS 1.2 and 1.3, provides an overview of both protocols and helps you identify what you need to evaluate and address before making the move. The list of recommended actions can make for a smoother transition.
A smoother course to TLS 1.3
Shifting to TLS 1.3 can be complex. If the in-house expertise or time needed for this move is in short supply in your organization, connect with an experienced third-party partner to help guide your successful implementation.
When considering a partner for your TLS shift, look for security and network architectural design experience, tool and infrastructure proficiency with the TLS encryption processing, and expertise in implementing and troubleshooting downstream inspection tools.