Heavy Networking 594: TLS 1.3 Down Deep With Ed Harmoush

If you are communicating securely over a network between two endpoints, what does that mean to you, that you’re “communicating securely”? It should mean at least three things.

* That you confidently know who you’re talking to.
* That your conversation is private–indecipherable to third parties.
* That no one’s messed with the conversation while it was in flight.

If you’re using Transport Layer Security (TLS), you get all of these things. TLS can verify the validity of a certificate that identifies who you are talking to. TLS ensures that the conversation wasn’t messed with. TLS also encrypts the conversation between, say, your browser and an HTTP server. If all is well, you get that padlock in the address bar.

Like anything in the world of IT, TLS has gone through various versions. TLS 1.1 and 1.2 are still commonly used, but TLS 1.3 is really where it’s at. TLS 1.3 is a big deal, and we’re going to discuss why on today’s Heavy Networking.

Our guest is Ed Harmoush. Ed’s a professional instructor who’s researched TLS 1.3 and more as he’s prepped for his latest course offering, Practical TLS, which you can find at practicalnetworking.net. Use coupon PacketPushers100 to get $100 off this deep dive course from Ed.

In This Podcast, We Discuss…

* Is TLS an HTTP-only thing? Or do other protocols use it, too?
* Wait…are TLS and SSL the same thing?
* What’s wrong with TLS 1.1 & 1.2 that drove TLS 1.3?
* Is there going to be a TLS 1.4? Maybe I should just skip TLS 1.3…
* Will TLS 1.1 and 1.2 be phased out? Is there a timeline?
* What major web browsers and HTTP servers support TLS 1.3? Is TLS 1.3 well-supported today?
* I heard that TLS 1.3 can break proxy servers. Is that true? If so, what’s going on there? Are there proxies that support TLS 1.3?
* TLS 1.3 favors security & simplicity over backwards compatibility. What does this mean to me?
* Cipher suites are different in TLS 1.3. How?
* Forward secrecy is now mandatory in TLS 1.3. What does this do to TLS/SSL decryption? So how DO we decrypt/inspect SSL traffic in TLS 1.3?
* AEAD ciphers are now mandatory. Why is that a good thing?
* TLS 1.3 can be more efficient. How? Let’s talk about handshakes.
* TLS 1.3 offers 0 Round Trip session resumption. What is this, and why do we care?
* What is the TLS 1.3 replay vulnerability with 0-RTT, and how can this be mitigated?

Sponsor: InterOptic

InterOptic makes high quality optical modules you can rely on. Plus, they are far cheaper than OEM optics. Save big money without compromising quality. Visit interoptic.com/packet-pushers.

More Ed!

Practical TLS Course – Use coupon PacketPushers100 to get $100 off this deep dive course. This podcast was just a taste of the knowledge Ed can impart on TLS. Get his course to go even deeper with more lecture and hands-on labs.
Ed’s Site For Networking Nerds
Ed On YouTube
Ed On LinkedIn
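The episode lists three cipher-suite changes in TLS 1.3 (different suite names, mandatory forward secrecy, mandatory AEAD). The following added example, which is not from the episode or from Ed’s course, shows what that means in practice: a classifier that reads suite names in the TLS 1.3, TLS 1.2 IANA and OpenSSL styles and flags the TLS 1.2 suites that lack either property, run over a constructed scan report. `SAMPLE_REPORT` and the function names are assumptions for the example.

```python
# TLS 1.3 suites (RFC 8446, Appendix B.4) name only the AEAD cipher and the
# HKDF hash: key exchange is always ephemeral (EC)DHE and the signature scheme
# is negotiated separately, so forward secrecy and AEAD are implied by the name.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
EPHEMERAL_KX = {"ECDHE", "DHE"}                  # key exchanges with forward secrecy
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")


def suite_properties(name: str) -> dict:
    """Derive version style, forward secrecy and AEAD from a suite name.

    Accepts TLS 1.3 IANA names, TLS 1.2 IANA names (TLS_<kx>_<auth>_WITH_...)
    and OpenSSL names (ECDHE-RSA-AES256-GCM-SHA384; AES128-SHA = static RSA).
    """
    norm = name.strip().upper().replace("-", "_")
    if norm in TLS13_SUITES:
        return {"tls13": True, "forward_secrecy": True, "aead": True}
    tokens = norm.split("_")
    if tokens[0] == "TLS":                       # IANA 1.2 name: drop prefix
        tokens = tokens[1:]
    # In both TLS 1.2 naming styles the first token is the key exchange.
    return {
        "tls13": False,
        "forward_secrecy": tokens[0] in EPHEMERAL_KX,
        "aead": any(m in norm for m in AEAD_MARKERS),
    }


# Constructed sample (assumption) in the "<version>  <suite>" shape a scanner prints.
SAMPLE_REPORT = """\
TLSv1.3  TLS_AES_256_GCM_SHA384
TLSv1.2  ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
TLSv1.2  DHE-RSA-AES256-SHA
TLSv1.2  AES128-SHA
"""


def weak_suites(report: str) -> list:
    """Suites lacking forward secrecy or AEAD: what TLS 1.3 can no longer
    negotiate, and what a TLS 1.2 cipher policy should drop as well."""
    weak = []
    for line in report.splitlines():
        parts = line.split()
        if len(parts) == 2:
            p = suite_properties(parts[1])
            if not (p["forward_secrecy"] and p["aead"]):
                weak.append(parts[1])
    return weak
```

On the sample report this flags the CBC/SHA-1 suite (no AEAD) and the static-RSA suite (no forward secrecy, no AEAD), while every TLS 1.3 suite passes by construction.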

About the Podcast

Heavy Networking is an unabashedly nerdy dive into all things networking. Described by one listener as "verbal white papers," the weekly episodes feature network engineers, industry experts, and vendors sharing useful information to keep your professional knowledge sharp and your career growing. Hosts Greg Ferro, Ethan Banks and Drew Conry-Murray cut through the marketing spin to explore what works—and what doesn't—in networking today, while keeping an eye on what's ahead for the industry. On air since 2010, Heavy Networking is the flagship show of the Packet Pushers podcast network.