TLS 1.3 | Cloudflare SSL/TLS docs (2024)

FAQs

Why TLS 1.3 is not used? ›

While TLS 1.3 is more secure, not all devices, browsers, and servers support it. This means that if you are using TLS 1.3, some users may not be able to access your website or service, which can lead to decreased user engagement and potentially lost business.

Enable TLS 1.3 in the browser

In the address bar, enter chrome://flags and press Enter. Scroll to locate the TLS 1.3 Early Data entry, and set it to Enabled. A message saying that the change will take effect the next time you relaunch Chrome will appear. Select RELAUNCH NOW to restart Chrome.

In a nutshell, TLS 1.3 is faster and more secure than TLS 1.2. One of the changes that makes TLS 1.3 faster is an update to the way a TLS handshake works: TLS handshakes in TLS 1.3 only require one round trip (or back-and-forth communication) instead of two, shortening the process by a few milliseconds.

TLS 1.3 offers several improvements over earlier versions, most notably a faster TLS handshake and simpler, more secure cipher suites. Zero Round-Trip Time (0-RTT) key exchanges further streamline the TLS handshake. Together, these changes provide better performance and stronger security.

IT'S OFFICIAL: THE TLS UPGRADE IS HERE

TLS 1.3 has been approved by the Internet Engineering Task Force (IETF).

The internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 due to several security issues.

First, check if the URL of the website begins with HTTPS, where S indicates it has an SSL certificate. Second, click on the padlock icon on the address bar to check all the detailed information related to the certificate.

TLS is the direct successor to SSL, and all versions of SSL are now deprecated. However, it's common to find the term SSL describing a TLS connection. In most cases, the terms SSL and SSL/TLS both refer to the TLS protocol and TLS certificates.

Thus the minimum commonly supported TLS version is 1.1; however, PCI-DSS and NIST strongly suggest the use of the more secure TLS 1.2 (and, as seen above, NIST recommends adoption of TLS 1.3 and plans to require support by 2024).

We have learned that TLS is a more recent version of SSL, and it has been deprecated for more than 10 years and contains known security vulnerabilities. Those of you who are wondering why it's called an SSL certificate instead of a TLS certificate might find the answer here. Because TLS is a modern, secure protocol.

Is SSL still used? ›

SSL has not been updated since SSL 3.0 in 1996 and is now considered to be deprecated. There are several known vulnerabilities in the SSL protocol, and security experts recommend discontinuing its use. In fact, most modern web browsers no longer support SSL at all.

Use online tools like SSL Labs, ImmuniWeb, or testssl.sh to scan your SSL/TLS setup for known vulnerabilities, misconfigurations, and weaknesses. Disable weak or obsolete cipher suites. Support the latest TLS versions, ideally TLS 1.3 or 1.2, for optimal security. Disable older, insecure protocols like SSL 2.0 and 3.0.

TLS 1.0 and 1.1 are vulnerable to downgrade attacks since they rely on SHA-1 hash for the integrity of exchanged messages.

It uses asymmetric encryption (i.e., a public key to encrypt data and a private key to decrypt it) at the start of a connection between the client and the server, and switches to symmetric encryption (i.e., the same key is used for encryption and decryption) after having exchanged session keys data.

TLS 1.3 is supported starting in Windows 11 and Windows Server 2022. Enabling TLS 1.3 on earlier versions of Windows is not a safe system configuration.

TLS can be vulnerable to downgrade attacks

The problem with this approach is that the entire connection isn't encrypted. Only the data between the sending and receiving servers is encrypted—and those servers may not have strong security.