At Trustico®, a lot of people ask if the SSL certificates we sell are TLS 1.3 compliant.
This is a fair question, as many are understandably unaware of the differences between SSL and TLS, and how security certificates work with these protocols.
What is TLS?
TLS (Transport Layer Security) evolved out of SSL (Secure Sockets Layer) as a more advanced cryptographic protocol.
Put simply, TLS has two major functions.
It provides a secure connection through the Record Protocol, and allows a server and client to authenticate each other’s identity and negotiate the encryption used for data exchange through the aptly named Handshake Protocol.
TLS is superior to SSL because it is vulnerable to far fewer attacks, making a hacker’s job a lot harder.
Are all SSL certificates TLS compliant?
There is actually no such thing as an SSL certificate or TLS certificate.
The protocol utilized by your certificate is dependent on your server configuration.
If your server is configured with SSL, your certificate will function with SSL; if your server is configured with TLS, your certificate will function with TLS.
So technically, they should be, and are often called, SSL/TLS certificates.
But as SSL certificate is the far more widely known name, many vendors prefer to stick with that to try to avoid confusion.
Though, as previously mentioned, the term SSL/TLS certificates is commonly used too.
Why you should upgrade your server to support TLS 1.3
Configuring your servers to support the latest protocol versions and disabling old versions should be standard practice.
This ensures you are using the latest, most secure algorithms.
Supporting the latest protocols without removing the old ones leaves you vulnerable to downgrade attacks.
A downgrade attack is where a hacker forces connections to your server to fall back to old versions of protocols that have known, often simple exploits.
The PCI Security Standards Council says this means it is critical that organizations configure their servers for the latest protocol versions as soon as possible while disabling any fallback to SSL and older TLS versions.
“There are many serious vulnerabilities in SSL and early TLS that left unaddressed put organizations at risk of being breached,” the PCI Security Standards Council says.
“The widespread POODLE and BEAST exploits are just a couple examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.
“According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS.”
As of June 30th, 2018, a website needs to be on TLS 1.1 or higher to comply with the PCI Data Security Council’s Data Security Standards (DSS).
Clearly, it is in the interest of organizations, server technicians, customers, and global online security at large that TLS 1.3 sees near full adoption as soon as possible.
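To check a server against the advice above on disabling old protocol versions, the following added example (not Trustico's code) scans nginx ssl_protocols and Apache SSLProtocol directives and reports any version below a chosen floor, plus whether TLS 1.3 is offered. The function names, the sample configuration, and the modelling of Apache's "all" keyword and bare protocol names are assumptions of this example; the default floor of TLS 1.1 follows the PCI requirement cited above and can be raised.

```python
import re

# Protocol names, oldest to newest, as nginx and Apache mod_ssl spell them.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: Apache's "all" is modelled as every protocol except SSLv2.
APACHE_ALL = set(ORDER[1:])
DIRECTIVE = re.compile(r"\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)")


def enabled_protocols(line):
    """Return the protocols one directive line enables, or None if it is not one."""
    m = DIRECTIVE.match(line)
    if not m:
        return None
    directive, tokens = m.group(1), m.group(2).split()
    if directive == "ssl_protocols":           # nginx: a plain list of versions
        return {t for t in tokens if t in ORDER}
    enabled = set()                            # Apache: all, +proto, -proto
    for tok in tokens:
        name = tok.lstrip("+-")
        group = APACHE_ALL if name.lower() == "all" else {name} & set(ORDER)
        if tok.startswith("-"):
            enabled -= group
        elif tok.startswith("+"):
            enabled |= group
        else:                                  # assumed: bare name replaces the set so far
            enabled = set(group)
    return enabled


def audit(config_text, floor="TLSv1.1"):
    """List (line_no, legacy_protocols, offers_tls13) for each protocol directive."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        protos = enabled_protocols(line)
        if protos is None:
            continue
        legacy = [p for p in ORDER[:ORDER.index(floor)] if p in protos]
        findings.append((line_no, legacy, "TLSv1.3" in protos))
    return findings


# Constructed sample configuration lines (not taken from any real server).
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
# ssl_protocols SSLv3;
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    for line_no, legacy, tls13 in audit(SAMPLE):
        print(f"line {line_no}: legacy={legacy or 'none'} tls1.3={tls13}")
```

Any directive that returns a non-empty legacy list still accepts a protocol a downgrade could fall back to; passing floor="TLSv1.2" applies a stricter policy than the PCI minimum quoted above.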
Mitchell has a Bachelor of Arts with Majors in Journalism and Foreign Relations; and a Diploma of Digital Design.