Post by Polaris Seltzeris on Jul 14, 2017 4:53:28 GMT
blog.cloudflare.com/introducing-tls-1-3/

This is interesting. I didn't even know there was a TLS 1.3 until today (shame on you for not popularizing this, Internet companies). To summarize the changes with TLS 1.3, really it just removes some insecure cipher suites (who even uses them for websites?), and the handshake is faster (this means if you enable it and websites support it, your connection is guaranteed to be faster). On sites that you have visited recently, it will even be faster because your old TLS session will be used (at least that's what I can gather, may be wrong). So that's very handy, although I admit the latter part can be considered an insecurity, but TLS is all about trust so wouldn't you trust the website you just had a successful session with to still be secure?

As for the cipher suite changes, a couple changes stood out. CBC modes for ciphers were removed, which surprised me considering I've seen quite a few websites use AES CBC, although I agree with it since CBC isn't appropriate for TLS. Then there's the big one: RSA. RSA was completely removed from TLS, which is the biggest change out of all of this. RSA is still used for a lot if not most websites like GitHub (Google has switched though), but the problem with RSA is that it's becoming less reliable with governments continuing to progress towards breaking/cracking it, and it doesn't provide forward security. The more secure alternative is ECDSA (I prefer EdDSA, which is less popular but really more secure), which Google and a lot of other websites currently use. It's going to take some time for RSA to become the new RC4 (although RC4 is symmetric) and get scrapped and replaced, and then we can enjoy TLS 1.3.

Now for those of you who don't understand what any of this is, TLS is basically SSL (or HTTPS), and is what secures you from man-in-the-middle attacks, which is where an entity is in the middle of the connection between you and the website/server you are on. This means your data can be intercepted (like your password) and can be used against you. TLS provides authentication, encryption, and security against that and does it very efficiently. This is about the latest version of HTTPS and it's fairly important since it's what modern websites rely on for security; the slightest change to the protocol could result in a catastrophe. This specific update, TLS 1.3, is supposed to make you more secure by not allowing servers to use faulty encryption that can put your personal information in danger, and it's also supposed to make your connection to TLS servers faster. Now it's not just websites that use TLS, it could be the servers you go on to play online games or chat, which means that could be more secure or faster too.

If you're interested, you can actually upgrade now for Firefox and Chrome using the instructions on the website I linked at the top. However, this will only affect your web browsing experience; as for the gaming/chat servers, it's entirely up to them to upgrade to TLS 1.3. Keep in mind though, even if you upgrade, most websites will still be using TLS 1.2 because they haven't upgraded. Cloudflare has updated to TLS 1.3 and Cloudflare websites use it by default, so that's pretty good.

Also here's the specific information on how the connection speed will change, straight from the article: "If the round-trip time for a connection is around 100ms, the speed boost from TLS 1.3 is enough to take sites that seem 'sluggish' (over 300ms), and turn them into sites that load comfortably fast (under 300ms)."

Thoughts?
Post by 50In1 on Jul 14, 2017 4:56:30 GMT
Hey bud, "20 Sep 2016 by Nick Sullivan." This isn't new.
Post by Polaris Seltzeris on Jul 14, 2017 5:04:41 GMT
> Hey bud, "20 Sep 2016 by Nick Sullivan." This isn't new.

That's great, thanks for the condescending 'bud'. Please, go up and ask people in real life if they have heard of this, I can guarantee 99.9% of them will have no clue what the fuck you're talking about, and the 0.1% would know what TLS is but probably not TLS 1.3. Did you specifically know about this? I honestly doubt it. I follow this type of shit all the time and work with it and I didn't even know this until now. I also have no idea where I said in the post that it was new (for TLS it is 'new' though, these updates don't happen twice a day, and most websites and services don't support it).

Putting that shit aside though, the OpenSSL I compiled apparently supports TLS 1.3 so I can use it, so that's pretty good. Now this is where I would write a 10 paragraph rant about how Apple is a terrible company for no longer supporting OpenSSL and also forcing people to either compile their own OpenSSL or stick with an ancient version that doesn't even support TLS 1.2. Or of course use their brand but no one wants to so there's that. I don't use a Mac but I know people who do and how shit this is, especially when writing cross-platform SSL code. On Windows OpenSSL is basically inaccessible unless you compile it yourself so that's always fun, compiling things on Windows is certainly a blast and I had quite a fun time doing it.

EDIT: I lied. It doesn't support TLS 1.3, but Python's OpenSSL does so that's great.
EDIT 2: I am now killing myself trying to compile OpenSSL 1.1.0 on Windows.
EDIT 3: Successfully compiled. That was surprisingly trivial to do.
EDIT 4: So I'm retarded. The OpenSSL version that will have TLS 1.3 is 1.1.1, which hasn't been released yet. I compiled 1.1.0 for nothing.
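An added example, not part of any post in this thread: a Python check of the two things discussed above, namely whether the OpenSSL build that Python is linked against offers TLS 1.3 at all, and which enabled cipher suites per protocol version still use non-AEAD (CBC-style) ciphers or static RSA key exchange. The function names are made up for this example; the `ssl` module calls are standard-library ones.

```python
import ssl


def local_tls13_support():
    """Describe the OpenSSL build this Python is linked against."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "version": ssl.OPENSSL_VERSION_INFO[:3],
        "tls13": bool(getattr(ssl, "HAS_TLSv1_3", False)),
    }


def audit_suites(ctx=None):
    """Group enabled cipher suites by protocol; flag non-AEAD and RSA key exchange."""
    if ctx is None:
        ctx = ssl.create_default_context()
    report = {}
    for suite in ctx.get_ciphers():
        group = report.setdefault(
            suite["protocol"], {"suites": [], "non_aead": [], "rsa_kx": []}
        )
        name = suite["name"]
        group["suites"].append(name)
        # 'aead' and 'kea' are only reported when built against OpenSSL 1.1.0+.
        if suite.get("aead") is False:
            group["non_aead"].append(name)   # CBC (or stream) cipher plus HMAC
        if suite.get("kea") == "kx-rsa":
            group["rsa_kx"].append(name)     # static RSA, no forward secrecy
    return report


def tls13_only_context():
    """Client context that refuses anything older than TLS 1.3 (Python 3.7+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    print(local_tls13_support())
    for proto, group in sorted(audit_suites().items()):
        print(proto, len(group["suites"]), "suites;",
              len(group["non_aead"]), "non-AEAD;",
              len(group["rsa_kx"]), "RSA key exchange")
```

On a build without TLS 1.3, `tls13` is false and `tls13_only_context()` raises instead of silently falling back to an older protocol version.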
Post by _Windows on Jul 14, 2017 11:25:40 GMT
Post by Hockey on Jul 14, 2017 16:21:22 GMT
Most probably haven't switched due to browser compatibility. Everyone probably will, soon enough.
Post by Polaris Seltzeris on Jul 14, 2017 19:42:26 GMT
> Most probably haven't switched due to browser compatibility. Everyone probably will, soon enough.

Firefox and Chrome currently support it, but you have to manually set the max TLS version so that it works.
Post by _Windows on Jul 15, 2017 0:47:16 GMT
> Firefox and Chrome currently support it, but you have to manually set the max TLS version so that it works.

chrome://flags/#ssl-version-max
I already have mine set to 1.3.
Post by Polaris Seltzeris on Jul 15, 2017 0:48:08 GMT
> chrome://flags/#ssl-version-max I already have mine set to 1.3.

You know if there's any way to get OpenSSL 1.1.1 early?
EDIT: Ignore that. It's on the master branch of the GitHub, duh. Gonna compile it now.
Do you think there's a way to force this forum to use HTTPS, since it looks like it's available?
Post by _Windows on Jul 15, 2017 0:50:43 GMT
> You know if there's any way to get OpenSSL 1.1.1 early? EDIT: Ignore that. It's on the master branch of the GitHub, duh. Gonna compile it now. Do you think there's a way to force this forum to use HTTPS, since it looks like it's available?

I assume you found it here then? github.com/openssl/openssl
Post by Polaris Seltzeris on Jul 15, 2017 0:55:38 GMT
> I assume you found it here then? github.com/openssl/openssl

Yeah, right now nmake is still cl'ing OpenSSL lmao. But as I asked before: Do you think there's a way to force this forum to use HTTPS, since it looks like it's available? I know that it's not fully secure, but partial TLS is better than no TLS.
Post by _Windows on Jul 15, 2017 1:13:44 GMT
> Yeah, right now nmake is still cl'ing OpenSSL lmao. But as I asked before: Do you think there's a way to force this forum to use HTTPS, since it looks like it's available? I know that it's not fully secure, but partial TLS is better than no TLS.

Not sure. You may want to ask PB staff that on the support forum.
Post by Deleted on Jul 15, 2017 1:19:17 GMT
> Hey bud, "20 Sep 2016 by Nick Sullivan." This isn't new.

TLS 1.2 came out in 2008. Yeah, September 2016 is new in comparison.
Post by StevenNL2000 on Jul 15, 2017 20:56:11 GMT
> Yeah, right now nmake is still cl'ing OpenSSL lmao. But as I asked before: Do you think there's a way to force this forum to use HTTPS, since it looks like it's available? I know that it's not fully secure, but partial TLS is better than no TLS.

This is not website-specific, but you could use something like HTTPS Everywhere. I was honestly expecting you to already be using that considering your interest in cyber security.
Post by Polaris Seltzeris on Jul 15, 2017 21:09:08 GMT
> This is not website-specific, but you could use something like HTTPS Everywhere. I was honestly expecting you to already be using that considering your interest in cyber security.

I had HTTPS Everywhere before it started throttling certain websites.