The long-simmering battle over the future of the internet’s most important security protocol is over: TLS 1.3 was approved by the Internet Engineering Task Force after over four years and 28 drafts.
TLS — short for Transport Layer Security — secures a huge swath of the internet. HTTPS-enabled websites, like the one you’re visiting, are possible thanks to TLS. The protocol is also used to secure email, voice, video and messaging. The newest version is the biggest change in the standard’s two decades of existence.
The biggest battle of note over TLS 1.3 was prompted by the Financial Services Roundtable, which wanted to include and standardize ways that banks and other data center owners could more easily decrypt connections in order to comply with regulations, implement data loss protection, detect intrusions and malware, capture packets, and mitigate denial-of-service attacks.
Opponents called it an intentional weakness that could put the entire internet at risk. The proposal provoked intense criticism especially from tech giants who pointed out the new protocol was designed to prevent eavesdropping.
“The bank industry is pushing the TLS working group to create a decryption option as part of the specification, and of course the tech sector is saying ‘That’s not going to happen,’” Janet Jones, a Microsoft senior security program manager, told CyberScoop. “Can you imagine us supporting something that gave an API with a decrypt button? We can’t do that.”
Critics of the banks’ proposal say they can accomplish their goals without an interception standard by updating their networks and buying new hardware. On the contrary, the banks’ supporters say, it’s easier said than done to change entire networks — the result might be that some institutions don’t upgrade at all. The new protocol will require work and money from the financial sector.
The years-long fight was a big part of the recent IETF meeting in London. Although most did not expect it, backers of the banks’ proposal showed up in numbers to argue against a draft that excluded standardized interception, cryptographer Kenny Patterson told CyberScoop.
Despite that dramatic push, TLS 1.3 was approved and will be implemented widely in the future.
You can read IETF’s full announcement here.