CloudFlare Adds Support for TLS 1.3

CloudFlare announced on Tuesday the introduction of three new encryption features, including support for TLS 1.3, automatic HTTPS rewrites and opportunistic encryption.

The Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL), is a critical component for the protection of online communications. Version 1.2 of TLS has been around since 2008 and while it’s still fairly secure, researchers have started identifying some vulnerabilities. Another problem with TLS 1.2 is that it’s often not configured properly, leaving websites vulnerable to attacks.

TLS 1.3 is still under development, but a final version is expected soon. The new version of the protocol eliminates the problematic features that have been leveraged in many of the attack methods disclosed over the past years, including RSA key transport, the SHA-1 hash function, arbitrary Diffie-Hellman groups, and various ciphers (e.g. CBC, RC4, export ciphers). This makes it less likely for administrators to misconfigure the protocol.

Another advantage of TLS 1.3 is improved speed. In the case of TLS 1.2, completing a handshake when the connection is initiated can have a significant impact on the load time, particularly on mobile networks. TLS 1.3 cuts the initial handshake in half, significantly improving load times.

CloudFlare is offering TLS 1.3 support by default to both Free and Pro customers. Mozilla and Google have already implemented preliminary versions of the new protocol in Firefox Nightly and Chrome Canary, and CloudFlare has promised to keep up with the updates rolled out to these browsers until TLS 1.3 is finalized.

CloudFlare has been offering HTTPS to all customers through Universal SSL, but many websites still use HTTP due to mixed content (i.e. HTTPS sites that serve some sub-resources over HTTP). Sites with mixed content cause web browsers to display warnings, which is why many administrators choose HTTP over HTTPS.

According to CloudFlare, content served over HTTP is often also available over HTTPS, which means that changing http:// links to https:// in the page source can address the mixed content issue. Automatic HTTPS rewrites is a feature that automatically replaces “http” with “https” for all sub-resources available over HTTPS.
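The rewrite described above can be sketched as follows. This is an added example, not CloudFlare's code: the host list, function name and sample markup are constructed assumptions. It upgrades only sub-resource URLs on hosts assumed to serve HTTPS, and reports the http:// URLs it had to leave in place.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts known to serve the same content over HTTPS (constructed list).
HTTPS_CAPABLE = {"cdn.example.com", "static.example.org"}

# Tags whose src/href load sub-resources. <a href> is a navigation link,
# not a sub-resource, so it is deliberately not matched.
SUBRESOURCE_TAG = re.compile(
    r"<(?:img|script|link|iframe|source|audio|video|embed)\b[^>]*>", re.I)
URL_ATTR = re.compile(
    r"""((?<![\w-])(?:src|href)\s*=\s*)(["'])(http://[^"']+)\2""", re.I)

# Constructed sample page.
SAMPLE = (
    '<link rel="stylesheet" href="http://cdn.example.com/site.css">\n'
    '<img src="http://static.example.org/logo.png">\n'
    '<script src="http://ads.example.net/ad.js"></script>\n'
    '<a href="http://cdn.example.com/about">About</a>\n'
)


def rewrite_subresources(html, https_hosts=HTTPS_CAPABLE):
    """Return (new_html, unresolved); unresolved lists http:// sub-resources left as-is."""
    unresolved = []

    def fix_attr(m):
        prefix, quote, url = m.group(1), m.group(2), m.group(3)
        host = (urlsplit(url).hostname or "").lower()
        if host in https_hosts:
            # Swap only the scheme; path and query stay untouched.
            return f"{prefix}{quote}https://{url[len('http://'):]}{quote}"
        unresolved.append(url)  # still mixed content if the page is served over HTTPS
        return m.group(0)

    def fix_tag(m):
        return URL_ATTR.sub(fix_attr, m.group(0))

    return SUBRESOURCE_TAG.sub(fix_tag, html), unresolved


if __name__ == "__main__":
    new_html, left = rewrite_subresources(SAMPLE)
    print(new_html)
    print("still loaded over HTTP:", left)
```
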

In some cases, sub-resources are served from domains that don’t support HTTPS (e.g. ads), which prevents websites from using it. CloudFlare has decided to help these sites become more secure via a feature called opportunistic encryption.

Opportunistic encryption ensures that the connection between the browser and CloudFlare’s systems is encrypted, enabling websites to take advantage of the significant performance improvements provided by HTTP/2. For the time being, the opportunistic encryption feature is only supported by Mozilla Firefox.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.