SSLTrust

TLS 1.3, HTTP/3 and DNS over TLS - 2019 Highlights

2019 has been a big year for digital cryptography. The privacy minded should be very excited about changes on the horizon.


Specifically, some of the biggest changes around the corner are:

TLS 1.3

RFC 8446 finalized the specification of TLS 1.3.With it includes faster connection times, deprecation of insecure ciphers, simplified negotiation of parameters, and better digital signatures. Unlike the minor changes introduced between TLS 1.1 and TLS 1.2, TLS 1.3 has been rebuilt from the ground up.

While many major webservers such as Apache, Nginx support TLS 1.3 with their bleeding-edge releases, Microsoft’s IIS does not. Additionally, many reverse proxies and load balancers will need software updates before being able to terminate TLS 1.3 traffic. TLS 1.3 allows for clients to send encrypted data along with their first request. This new mode is called 0-RTT (zero round trip time). It is important for administrators to be aware of how this feature is used, as it is inherently vulnerable to replay attacks. Developers should be careful to only allow data which does not change application state during this first early communication. Hopefully 2020 will bring about more widespread support for this protocol.


HTTP/3

HTTP/3 is the formalization of Google’s QUIC protocol. In order to achieve some seriously impressive performance optimizations, QUIC builds its own retransmission and re-ordering mechanisms on top of UDP. Typically, this sort of behavior is accomplished by TCP. QUIC however, by breaking these barriers, is able to optimize the protocol for secured traffic. In fact, SSL/TLS is a requirement of HTTP/3, unlike any HTTP specification before.

2019 is the year SSL/TLS became a first class citizen on the internet. HTTP/3 improves upon HTTP/2 in that it fixes one of its most vocal criticisms – that there are some significant “head of line” penalties due to how TCP breaks up segments for potential retransmission. It also replaces HTTP 2’s QPACK with HPACK, an advanced compression algorithm that takes advantage of the fact that HTTP headers consist of a relatively small set of possible values. Since every HTTP packet contains these headers, the amount of traffic no longer needing to flow every second across the world wide web is staggering.


Widespread support for DNS over TLS

DNS traffic has historically been transmitted in the clear. After all, DNS is used to resolve human-readable URLs into computer-optimized IP addresses. Practically, this means an attacker listening on the wire (or more likely the user’s own ISP) can see what site the user is connecting to, even if SSL/TLS is preventing them from seeing what’s being transmitted. This has made DNS a common target for network administrators and governments to target in order to block communication.
DNS over TLS solves this problem by introducing client and server-side support for DNS lookups to happen over SSL/TLS. BIND, the internet’s most popular DNS server does not provide native support for DNS over TLS, but can be made to work with the use of a reverse proxy.

Android 9 paves the way for this technology by introducing support client-side in the OS. Cloudflare supports DNS over TLS on its infamous 1.1.1.1 resolver.
Still, as much of an advance in secure name resolution as DNS over TLS is, it is not without its problems. For one, it’s easy to block entirely, as the traffic by default runs over port 853, and more importantly, can be heuristically matched by layer 7 firewalls (Next Generation Firewalls). Notably, DNS over TLS means that the traffic is sent over TCP and not UDP. (DTLS exists to encrypt connections over UDP, but TLS requires a reliable transport method.) Historically, plain text DNS supported both TCP and UDP, but the vast majority of DNS traffic in the wild is UDP.



You may notice that these changes are complementary. In isolation, all these things are groundbreaking, but combined, we start to see a shift towards a more privacy focused internet. As webservers and browsers work towards supporting these latest standards, it is important for IT professionals to keep up to date on what these changes mean for how their environment should be configured. TLS 1.3 is the first major change to TLS in 10 years. While HTTP/3 is coming in right on the coat tails of HTTP/2, most of the internet is still on HTTP/1.1, and it’s very likely that HTTP/2 will be glossed over in favor of HTTP/3 in the coming months and years. It is exciting to see what the year 2020 will bring to digital cryptography.


Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Jeremy Schatten


SSLTrust Blog

View our blog covering news and topics in security, certificate authorities, encryption and PKI.

Learning Center

View more resources on cyber security, encryption and the internet.