Transport Layer Security (TLS) 1.3 Released

Transport Layer Security (TLS) is one of the most important fundamental Internet technologies today. It allows secured end-to-end connections, supporting both security and identity. It has become a key part of the Web, with more and more sites switching from HTTP to HTTPS (which is HTTP layered on top of TLS).

In the API world, TLS is equally important, since only a few APIs are available over unsecured HTTP. For security and identity purposes, the vast majority of APIs are only available through secured connections, and in most cases TLS is the security layer that is being used.

TLS started more than 20 years ago: it was introduced by Netscape as Secure Sockets Layer (SSL) in 1995. Since then, TLS has evolved from 1.0 (1999) to 1.1 (2006), then 1.2 (2008), and now the newest 1.3 version has been released as RFC 8446 by the IETF. Here's a brief excerpt from IETF's TLS 1.3 announcement:

"Securely sending information over the Internet is a foundation of online commerce, medicine, and other sensitive transactions. For these and many other uses it is critical that transmitted information not be tampered with, forged, or read by anyone other than the sender and receiver. These features have been a key part of the Internet’s growth and are critical to many innovative uses.

While the most widely used technology providing transport layer security for the Internet traces its origins back to SSL more than 20 years ago, the recently completed TLS 1.3 is a major revision designed for the modern Internet. The protocol has major improvements in the areas of security, performance, and privacy."

Version 1.3 is a major upgrade, and many of the changes are around updating the cryptographic core of the specification (by adding new algorithms, removing outdated algorithms, and tweaking and adding protocol operations). The list of major differences from TLS 1.2 is relatively short and is interesting to read for everybody.

Beyond that, except for developers with a specific security focus, it might be sufficient to be aware that a new version is available, and to factor this into long-term planning in terms of supporting TLS 1.3, and possibly phasing out older versions at some point.
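For the planning step above, it helps to see which protocol versions an API client actually offers under a given version policy. The following is an added example, not part of the original post: it builds a ClientHello in memory with Python's standard `ssl` module (nothing is sent; `api.example.test` is a placeholder hostname) and parses the `supported_versions` extension, which is where TLS 1.3 (RFC 8446) moved version negotiation while the legacy version field stays at the TLS 1.2 value.

```python
import ssl
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_hello(min_v, max_v):
    """Return the raw ClientHello a client with this version policy would emit."""
    ctx = ssl.create_default_context()
    ctx.minimum_version, ctx.maximum_version = min_v, max_v
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Placeholder hostname (assumption); the handshake never leaves memory.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="api.example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def offered_versions(data):
    """Parse TLS records and return (legacy_version, list of offered versions)."""
    hs, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble the handshake message from records
        ctype, _, length = struct.unpack_from("!BHH", data, pos)
        if ctype != 22:
            raise ValueError("not a handshake record")
        hs += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if not hs or hs[0] != 1:
        raise ValueError("not a ClientHello")
    legacy = struct.unpack_from("!H", hs, 4)[0]
    pos = 4 + 2 + 32                                 # header, version, random
    pos += 1 + hs[pos]                               # legacy_session_id
    pos += 2 + struct.unpack_from("!H", hs, pos)[0]  # cipher_suites
    pos += 1 + hs[pos]                               # compression methods
    end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    while pos + 4 <= end:                            # walk the extensions
        etype, elen = struct.unpack_from("!HH", hs, pos)
        body = hs[pos + 4:pos + 4 + elen]
        if etype == 0x002B:                          # supported_versions
            return legacy, [v for (v,) in struct.iter_unpack("!H", body[1:1 + body[0]])]
        pos += 4 + elen
    return legacy, [legacy]  # no extension: only the legacy field applies

if __name__ == "__main__":
    V = ssl.TLSVersion
    for lo, hi in [(V.TLSv1_2, V.TLSv1_3), (V.TLSv1_3, V.TLSv1_3), (V.TLSv1_2, V.TLSv1_2)]:
        legacy, offered = offered_versions(client_hello(lo, hi))
        print(lo.name, "..", hi.name, "->", [NAMES.get(v, hex(v)) for v in offered])
```

The same parser can be pointed at a ClientHello captured from a real client to confirm what it offers before older versions are phased out on the server side.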

The Author

Erik Wilde

Lead API Technologist

An expert in protocol design and structured data, Erik Wilde consults with organizations to help them get the most out of APIs and microservices. Erik has been involved in the development of innovative technologies since the advent of the Web and is active in the IETF and W3C communities. He obtained his PhD from ETH Zurich and served as Associate Adjunct Professor at Berkeley before working at EMC, Siemens and now CA Technologies.
