Enhancing Security with TLS 1.3
"Time is a sort of river of passing events, and strong is its current; no sooner is a thing brought to sight than it is swept by and another takes its place, and this too will be swept away."
— Marcus Aurelius
I wrote an article last week that introduced “The Great SIP Security Challenge.” In case you felt it was all for show, believe me when I say it was not. I’m dead serious about my desire for SIP consumers and providers to share their security needs and deliverables. Empowering both parties will not only contribute to overall security awareness, it will help create stronger, more resilient configurations and solutions.
In my list of asks, there were three items concerning TLS. For those of you not familiar with the term, TLS stands for Transport Layer Security. It is the de facto protocol for providing privacy and data security between two or more communicating computer applications. It is the protocol that allows HTTPS to encrypt your browser-to-web packets (and vice versa). It is also the protocol that secures SIP communication. Without something like TLS, IP data would be transmitted in clear text and subject to all kinds of malicious activity.
Like all things Internet-related, TLS has gone through significant changes since it was first introduced in 1999. It began its life as an upgrade to Secure Sockets Layer (SSL), which Netscape created five years earlier. Over time, SSL was deprecated, and TLS has become the only recognized/approved way to secure Internet packets.
The current version of TLS, TLS 1.3, has been around for about two years, but the previous version, TLS 1.2, is still widely used. Sadly, TLS 1.0 and TLS 1.1 can still be found, but their use is strongly discouraged, and they are no longer considered to be secure protocols.
The most recent TLS 1.3 usage statistics I could find came from the IETF (Internet Engineering Task Force — the people who create and maintain the web protocols). In a blog article dated Dec. 2019, they claim that a year after its introduction, approximately one-third of all traffic from the Chrome, Firefox, and Safari web browsers is secured using TLS 1.3. Considering that it took TLS 1.2 five years to reach those numbers, this is considered to be a great success. With the recent emphasis on security (thank you, COVID-19), I expect that the adoption rate is much greater today.
If you are curious about the use of all TLS versions, ssltest is a cool online tool that will tell you that and much more. I ran it against some very popular domains (I won’t tell which ones) and was surprised by the results. I found too many sites that don’t support 1.3 while supporting the outdated, and downright dangerous, TLS versions 1.0 and 1.1. I won’t even begin to talk about all the weak ciphers I encountered out there, but I discovered more than I want to think about.
Enough with the history lesson. Why does TLS, and specifically TLS 1.3, matter? First, security must be of the highest concern of anyone who uses IP protocols to access, provide, and store data. Inadequate security leads to fraud, theft, and general Internet chaos. If you can protect your communications and data in a better way, why aren’t you?
Second, TLS 1.3 is a better way. Not only does it throw out legacy, less secure algorithms, but it also secures aspects of a TLS conversation that were previously not secured. For example, previous versions of TLS didn’t completely secure the entire handshake process — TLS 1.3 does.
Third, TLS 1.3 has been streamlined, which saves on time and processor resources. This creates a more efficient protocol while removing vulnerable, attack-prone ciphers. The list of supported ciphers has been reduced to the following three:
Fourth, TLS 1.3 is simpler for administrators and developers to use. This means that configuration errors are less likely, and a misconfigured protocol is a potentially unsafe protocol.
There is a good chance that you are already using TLS 1.3 without realizing it. Chrome included a draft version of TLS 1.3 in Chrome 65, and Chrome 70 introduced support for the final, released version. Firefox follows a very similar timeline, and Microsoft Edge and Safari are both currently supporting TLS 1.3. If you are still using Internet Explorer, stop. Seriously, stop it right now.
Note: Even though your web browser supports TLS 1.3, it may be disabled by default. Make sure you manually enable it to take advantage of better security.
Of course, web traffic is a two-way street. Not only does the web browser need to support TLS 1.3, the servers it talks to need to do the same. Since there is no comprehensive list of which domains support which web servers, ssltest can be used to test the sites you are most concerned with. Don’t be afraid to speak up when you find sites that fail to meet your expectations.
If you manage a website, check the web platform you are using. Current versions of Apache Web Server are TLS 1.3 capable. Until recently, Microsoft IIS lacked support, but that was resolved in Windows 10 Insider Preview Build 20170.
TLS 1.3 applies to more than just web traffic and can also be used to secure SIP traffic in and out of an enterprise’s communication system, including carrier trunks, hard and soft endpoints, Session Border Controllers (SBCs), proxy servers, voicemail servers, IVRs, and any other entity that speaks SIP. Unfortunately, since SIP solutions contain many different services from different vendors, it’s a bit of a challenge to find which ones support TLS 1.3 and which ones don’t. I did a quick Internet search and found several vendors that publicly declare support (e.g., AudioCodes, Avaya CPaaS, and Microsoft Skype for Business). However, I’m still scratching my head about many of the major SIP vendors, which is why I put out my SIP Security Challenge. I would prefer to not work hard to find answers to obvious questions.
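An added example, not part of the original article: one way to run the version check described above against a web server or SIP-over-TLS listener that you operate (SIP over TLS conventionally listens on port 5061). The names pinned_context, probe, assess and SAMPLE are illustrative, and SAMPLE is constructed data rather than a measurement.

```python
import socket
import ssl

VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
            "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}
LEGACY = ("TLS 1.0", "TLS 1.1")  # the versions the article calls outdated

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only version negotiation is measured, so certificate checks are off
    # (many SIP devices use private CAs). Never reuse this for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, timeout=5.0):
    """Map each version name to 'accepted', 'refused' or 'unreachable'."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"  # no TCP session, so no TLS answer
            continue
        try:
            with pinned_context(version).wrap_socket(raw, server_hostname=host):
                results[name] = "accepted"
        except (OSError, ValueError):
            # TLS alert, reset, or local refusal (ssl.SSLError is an OSError).
            results[name] = "refused"
        finally:
            raw.close()
    return results

def assess(results):
    """Turn probe results into findings: legacy versions on, TLS 1.3 missing."""
    if "unreachable" in results.values():
        return ["endpoint unreachable; no verdict"]
    findings = [f"{v} is still accepted; disable it"
                for v in LEGACY if results.get(v) == "accepted"]
    if results.get("TLS 1.3") != "accepted":
        findings.append("TLS 1.3 is not offered")
    return findings

# Constructed sample result, not a measurement of any real host.
SAMPLE = {**dict.fromkeys(VERSIONS, "accepted"), "TLS 1.3": "refused"}
```

Call assess(probe(host, port)) with the address of your own endpoint. Many current OpenSSL builds and distribution crypto policies will not offer TLS 1.0 or 1.1 at all, so a "refused" for those versions can reflect the probing machine rather than the server; confirm legacy findings from a client that can still offer them.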
Security is a moving target and what worked yesterday may not be adequate today. It is essential that you constantly examine and update your policies and practices. TLS is required to secure web and SIP traffic, and if TLS 1.3 is not an arrow in your security quiver, you need to ask yourself why not.
I know this much to be true. Hackers are becoming more sophisticated with every hack. Thankfully, so are the tools to stymie them. TLS 1.3 isn’t the only answer to your security questions, but it is an important one.