CloudFlare Adds Support for TLS 1.3

CloudFlare announced on Tuesday the introduction of three new encryption features, including support for TLS 1.3, automatic HTTPS rewrites and opportunistic encryption.

The Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL), is a critical component for the protection of online communications. Version 1.2 of TLS has been around since 2008 and while it’s still fairly secure, researchers have started identifying some vulnerabilities. Another problem with TLS 1.2 is that it’s often not configured properly, leaving websites vulnerable to attacks.

TLS 1.3 is still under development, but a final version is expected soon. The new version of the protocol eliminates the problematic features that have been leveraged in many of the attack methods disclosed over the past years, including RSA key transport, the SHA-1 hash function, arbitrary Diffie-Hellman groups, and various ciphers (e.g. CBC, RC4, export ciphers). This makes it less likely for administrators to misconfigure the protocol.

Another advantage of TLS 1.3 is improved speed. In the case of TLS 1.2, completing a handshake when the connection is initiated can have a significant impact on the load time, particularly on mobile networks. TLS 1.3 cuts the initial handshake in half, significantly improving load times.

CloudFlare is offering TLS 1.3 support by default to both Free and Pro customers. Mozilla and Google have already implemented preliminary versions of the new protocol in Firefox Nightly and Chrome Canary, and CloudFlare has promised to keep up with the updates rolled out to these browsers until TLS 1.3 is finalized.

CloudFlare has been offering HTTPS to all customers through Universal SSL, but many websites still use HTTP due to mixed content (i.e. HTTPS sites that serve some sub-resources over HTTP). Sites with mixed content cause web browsers to display warnings, which is why many administrators choose HTTP over HTTPS.

According to CloudFlare, content served over HTTP is often also available over HTTPS, which means that changing http:// links to https:// in the page source can address the mixed content issue. Automatic HTTPS rewrites is a feature that automatically replaces “http” with “https” for all sub-resources available over HTTPS.
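The rewrite described above, sketched as an added example (this is not CloudFlare's code). The set of HTTPS-capable hosts and the sample page are constructed assumptions, since the article does not say how CloudFlare determines which sub-resources are available over HTTPS; hosts outside that set are left unchanged and reported.

```python
import re
from urllib.parse import urlsplit

# Elements that load sub-resources, and the attribute that holds the URL.
# <a href> is deliberately absent: a navigation link is not mixed content.
SUBRESOURCE_ATTR = {"img": "src", "script": "src", "iframe": "src",
                    "source": "src", "link": "href"}
TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>")

# Constructed sample page and host list (assumptions, not from the article).
HTTPS_HOSTS = {"cdn.example.com"}
SAMPLE = (
    '<a href="http://cdn.example.com/about">About</a>'
    '<img src="http://cdn.example.com/logo.png">'
    '<script src="http://ads.example.net/ad.js"></script>'
    '<link rel="stylesheet" href="http://cdn.example.com/site.css">'
)


def rewrite_subresources(html, https_hosts):
    """Return (rewritten_html, sub-resource URLs that had to stay on HTTP)."""
    left_on_http = []

    def fix_tag(tag):
        attr = SUBRESOURCE_ATTR.get(tag.group(1).lower())
        if attr is None:
            return tag.group(0)  # not a sub-resource element

        def fix_attr(m):
            prefix, quote, url = m.groups()
            host = (urlsplit(url).hostname or "").lower()
            if host in https_hosts:
                return f"{prefix}{quote}https://{url[7:]}{quote}"
            left_on_http.append(url)  # still mixed content if page is HTTPS
            return m.group(0)

        # The lookbehind keeps data-src and similar attributes untouched.
        attr_re = re.compile(
            rf"((?<![\w-]){attr}\s*=\s*)([\"'])(http://[^\"']*)\2", re.I)
        return f"<{tag.group(1)}{attr_re.sub(fix_attr, tag.group(2))}>"

    return TAG_RE.sub(fix_tag, html), left_on_http


if __name__ == "__main__":
    page, remaining = rewrite_subresources(SAMPLE, HTTPS_HOSTS)
    print(page)
    print("left on HTTP:", remaining)
```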

In some cases, sub-resources are served from domains that don’t support HTTPS (e.g. ads), which prevents websites from using it. CloudFlare has decided to help these sites become more secure via a feature called opportunistic encryption.

Opportunistic encryption ensures that the connection between the browser and CloudFlare’s systems is encrypted, enabling websites to take advantage of the significant performance improvements provided by HTTP/2. For the time being, the opportunistic encryption feature is only supported by Mozilla Firefox.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
