Security Strategy, Plan, Budget

Cloudflare looks to TLS 1.3 to secure internet

Cloudflare is looking to have as much of the internet encrypted as possible with a slew of new features to help make websites more secure.

Among the features are TLS 1.3, opportunistic encryption, and automatic HTTPS rewrites. It said in a blog post that the measures should put an end to unencrypted websites and help organisations make the leap from being unencrypted to encrypted.

The firm has adopted Transport Layer Security (TLS) version 1.3. This not only mitigates attacks possible against TLS 1.2 but also should be faster too as it speeds up the connections between a browser and a web server.

"This update, the first since 2008, is a major overhaul that provides both increased security and enhanced speed, especially on mobile networks," said Nick Sullivan, head of cryptography at CloudFlare. "TLS 1.3 improves request speeds by requiring one less round-trip to connect to an internet application, compared to previous versions, and can decrease page load times by 20 percent."

Mozilla Firefox and Google Chrome currently offer preliminary versions of TLS 1.3, with all major browsers committed to implementing the protocol in the future.

The second feature on offer from Cloudflare is opportunistic encryption.  This brings encryption and the fastest web protocol, HTTP/2, to sites that have yet to upgrade to SSL, by encrypting the connection between the browser and CloudFlare.

"Opportunistic Encryption will help encryption reach more of the web, but it's up to browsers and platforms to support this emerging standard," said Patrick McManus, principal engineer at Mozilla and lead developer of the Firefox HTTP stack.

The final improvement is automatic HTTP rewrites. Two years ago, Cloudflare started to offer Universal SSL to all customers. Despite the availability of unrestricted SSL, some websites were still unable to go secure because of 'mixed content' problems, according to the firm. Automatic HTTPS Rewrites eliminates the mixed content problem, it claimed.

The firm said that if a secure site references insecure content, such as a third-party image, video or ads, it is no longer secure and web browsers won't show a green lock icon for the site. Automatic HTTPS Rewrites upgrades all insecure content on a page ensuring that it is encrypted and reinstates the green lock.

"There has been a crazy chicken-and-egg problem holding up the deployment of secure encryption on the web," said Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation and co-founder of the Let's Encrypt project.

"Browsers tried to protect users by blocking insecure parts of secure HTTPS pages, but that made it impossible to deploy encryption incrementally. CloudFlare's new Automatic HTTPS Rewrites will help sites encrypt everything all at once, and fix this deadlock in web security."

Ian Kayne, head of the cyber-security practice at Mason Advisory, told SC Magazine that more websites aren't encrypting web traffic as the issue is with the consequences of encryption.

“Mixed content websites, where elements within a web page are loaded from other sources that may not support HTTPS, will create issues and errors for users of the website – impacting user experience. Some content cannot be encrypted, and enforcing HTTPS can cause issues with Search Engine Optimisation (SEO) – one of the key mechanisms publishers use to drive traffic to their website,” he said.

“There is also a performance overhead. Encryption is an intensive process: it adds overhead to both the delivery of the website, and the volume of network traffic required. The current widely used TLS 1.2 adds a noticeable and measurable overhead, requiring companies to invest in more equipment and network capacity to support the same number of users. Although the overhead is small for an individual user, when this scales up to thousands of users accessing a website concurrently, the impact is significant.”

Kevin Bocek, VP of Security Strategy at Venafi, told SC Magazine that turning on HTTPS – encryption is hard for even the most sophisticated IT operations.

“Turning on the browser padlock is easier said than done: the realm of encryption has far too long been the domain of just a handful of experts in most organisations. Plus, organisations don't want to hand over the keys and certificates that turn on encryption to third-party service provides for fear bad guys or governments can get their hands on them,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.