TLS 1.3 and post-quantum cryptography are subjects of much debate. Upgrade or wait—this is the big question facing administrators and users alike.
There are quite a few reasons to jump onto the TLS 1.3 bandwagon immediately, with or without quantum cryptography. Here is why.
Perfect forward secrecy
First and foremost, the current state of TLS security is far from satisfactory. Without forward secrecy (not to mention perfect forward secrecy that only comes with TLS 1.3), an adversary can capture web traffic at will and archive it for later “perusal”. One compromised key is all it takes to decrypt everything.
For a chilling introduction to TLS vulnerabilities that threaten your data and infrastructure, see the post: “Attack vectors against TLS, implementation bugs, and how to mitigate TLS vulnerabilities”.
It has been known for some time that state-sponsored adversaries attempt to decrypt prerecorded communications on a regular basis. Why else would they be pushing so hard for worldwide dominance in supercomputing?
Pushing they are indeed.
The No. 1 and No. 2 systems on the TOP500 supercomputers list are owned by the Chinese government. No. 1 is run by the National Supercomputing Center in Wuxi. No. 2 crunches numbers in the National Super Computer Center in Guangzhou. Both are located in China, behind its Great Firewall.
UPDATE: The No. 1 trophy returned to America.
The other global superpowers can no longer pretend it’s business as usual.
Given the recent aggressive stance of China in the South China Sea, there is no reason to expect anything less hostile in the domain of cyber security. Any data traffic which relies on the decade-old TLS 1.2 standard (not to mention even earlier versions of the protocol which are still quite prevalent) will sooner rather than later fall prey to decryption attempts by state-sponsored adversaries—and that might hurt a lot. TLS 1.3 at least buys you some time (see the spec here).
TLS 1.3 and post-quantum cryptography
Second, for a handful of superpowers, quantum computing can facilitate the decryption of previously protected web traffic. Pre-quantum ciphers are no match for quantum computers.
TLS 1.3 offers some hope when deployed with quantum-resistant cipher suites. Microsoft’s supersingular isogeny-based cryptography and the corresponding SIDH v3.0 crypto library come to mind.
But we are not there yet. Perfect forward secrecy is the first prerequisite and TLS 1.3 delivers.
Protect the GDPR downside
Third, and last but not least, the GDPR is currently rearing its ugly head on a worldwide scale. The first lawsuits are on their way to court hearings. For example, the Austrian privacy activist Maximilian Schrems filed four lawsuits on Day One. He is seeking fines of 3.9 billion Euro from Facebook and 3.7 billion Euro from Google. That’s 8.9 billion US Dollars and change.
While it might take more than a year for the European Court to come up with its final verdict, the case could set another precedent. After all, with his prior lawsuit, Mr. Schrems singlehandedly took down the US-EU Safe Harbor regulation.
The general consensus among legal scholars is that the GDPR applies to any company that handles the data of EU citizens, even a U.S. company that has no physical presence in the EU.
The GDPR gives draconian fines a whole new meaning. Authorities may punish a business for a data breach, resulting in penalties of either 4% of its worldwide turnover in the prior year or a lump sum of 20 million Euros, whichever is higher. Don’t believe it? Feel free to read the full text of the regulation; it’s on the books right here.
The GDPR might be a not-so-veiled attempt by the European Union to make up for its own budget shortfalls. Be that as it may, it’s the law of the land (and then some).
All in all, there are three good reasons to act: China’s supercomputing supremacy, the quantum computing revolution and the GDPR.
In the context of the above developments, tightening the cyber security screws has more merit than ever. A switch to TLS 1.3 with TLS 1.2 as a fallback is worth pursuing immediately.
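One way to express “TLS 1.3 with TLS 1.2 as a fallback” on the client side, as an added example that is not part of the original post: a Python ssl context limited to those two versions, with the TLS 1.2 fallback restricted to ephemeral ECDHE key exchange, plus an audit helper that flags any enabled suite lacking forward secrecy. The function names and the cipher string are this example's own choices.

```python
import ssl


def tls13_with_tls12_fallback() -> ssl.SSLContext:
    """Client context: TLS 1.3 preferred, TLS 1.2 allowed only with ECDHE + AEAD."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # set_ciphers() governs TLS 1.2 and below only. OpenSSL keeps the TLS 1.3
    # suites in a separate list, and certificate-based TLS 1.3 handshakes
    # always use ephemeral (EC)DHE.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def non_forward_secret_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled pre-1.3 suites whose key exchange is not ephemeral."""
    flagged = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        kea = suite.get("kea") or ""
        if not kea.startswith(("kx-ecdhe", "kx-dhe")):
            flagged.append(suite["name"])
    return flagged


def legacy_context() -> ssl.SSLContext:
    """Constructed counter-example: still offers static RSA key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("AES128-GCM-SHA256:ECDHE+AESGCM")
    return ctx


if __name__ == "__main__":
    print("hardened:", non_forward_secret_suites(tls13_with_tls12_fallback()))
    print("legacy:  ", non_forward_secret_suites(legacy_context()))
```

Traffic recorded from a connection that negotiated one of the flagged suites can be decrypted later if the server's private key leaks, which is the archive-and-decrypt scenario described under “Perfect forward secrecy”.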
For advice on TLS implementation, please read: “TLS 1.3 (with AEAD) and TLS 1.2 cipher suites demystified: how to pick your ciphers wisely”. To protect the end users on your network, please refer to “TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks”.