APRIL 6, 2020
By Sebastien Synold, Product Manager, Qosmos Probe, Enea
As the world witnesses a sudden and massive shift to telecommuting, our customers have been working overtime to ensure we all have reliable and safe access to the information and communications networks we are depending on now more than ever. And we’ve been working overtime in turn to support them.
You see, our customers make the products used to secure and manage telecom, enterprise and government networks. And we make the embedded traffic intelligence software that helps them succeed. Together, we’ll meet the challenges of this exceptional time, and come out at the end with stronger, more resilient systems.
One evolution already in motion that would enhance network security is the shift to the new, vastly stronger TLS 1.3 encryption standard. TLS (Transport Layer Security) is the encryption protocol used most prominently to secure connections between our web browsers and websites. With so many connecting to business systems remotely today, I found it reassuring that the 1.3 standard was already so widely propagated.
At present, 97% of websites support TLS 1.2, and 27% support TLS 1.3. All the major browser makers – Mozilla (Firefox), Google (Chrome), Apple (Safari) and Microsoft (Edge) – vowed in 2018 to disable support for the weaker TLS 1.0 and TLS 1.1 standards, meaning they would block connections to websites using the older standards. Mozilla (Firefox) was the first to implement this policy, and the others were set to do so early this year.
But I’ve been surprised to learn that Mozilla has reverted to its old policy, re-enabling connections to websites using TLS 1.0 and TLS 1.1. Likewise, Google and Microsoft have delayed the rollout of browser updates that would have enforced TLS 1.2 and 1.3 connections.
The reasons Google and Microsoft gave for delaying this enforcement have been somewhat vague. The Google Chrome team simply stated in a blog post that “Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases.” In a post to its developer community blog, Microsoft simply announced “In light of current global circumstances, we will be postponing this planned change”.
Mozilla, the maker of the one browser that was already enforcing the higher standard, was more specific, stating on its Release Notes page that “We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information”.
Ah. That made sense. Tech giants like Google and Microsoft should have no problem keeping release schedules on track while working remotely, but delaying in order to ensure the broadest possible access to government websites makes perfect sense. I haven’t seen a statistical breakdown on TLS versions used in public versus private websites, but government agencies generally try to get more wear out of legacy systems than businesses as part of their fiduciary duty.
There’s no doubt that this is a temporary delay, one that I hope will be very short, because that would mean the awful suffering and tragic loss of life this pandemic has provoked has finally come to an end.
I have to admit that before this crisis, I viewed TLS 1.3 more as a challenge to be overcome than a security benefit. It’s a standard that enforces very strong, end-to-end encryption, which is fantastic. But network traffic visibility is essential for troubleshooting, performance management, and detecting and analyzing security threats.
Finding ways to preserve the visibility needed for such vital tasks while safeguarding privacy has occupied much of our R&D effort of late (see our press release about the latest tools we developed to maintain visibility, or our brief on the same subject).
But the necessary mass adoption of remote work shifted my attention back to just how valuable this new standard is, as are all the other technologies that support and protect our communications infrastructure.
Learn More About TLS 1.3
If you’re interested in learning more about the TLS 1.3 encryption standard and what it means for cybersecurity, I highly recommend the same resource I shared in my last blog post: Cybersecurity Insiders CEO Holger Schulze’s interview with Kurt Neumann, Security Architect for Cisco Threat Analytics & Co-Founder of Antsle, Inc.