TLS 1.3 Internet security protocol was approved

Brink

The long-simmering battle over the future of the internet’s most important security protocol is over: TLS 1.3 was approved by the Internet Engineering Task Force after over four years of work and 28 draft versions of the standard.

TLS — short for Transport Layer Security — secures a huge swath of the internet. HTTPS-enabled websites, like the one you’re visiting, are possible thanks to TLS. The protocol is also used to secure email, voice, video and messaging. The newest version is the biggest change in the standard’s two decades of existence...


Read more: TLS 1.3 approved: The internets most important security protocol is finally moving forward - CyberScoop

See also: Introducing TLS 1.3

Official announcement: https://www.ietf.org/mail-archive/web/ietf-announce/current/msg17592.html
 

Wonderful, banks have to upgrade in order for the new protocol to work for them, and if the decryption specification is added as they want, TLS 1.3 might be slower than TLS 1.2 because of the additional load.
 

TLS 1.3 might be slower than 1.2, but that's not really too relevant in real life. As many people have already researched on the topic, current TLS implementations are quite fast and add a negligible overhead over plain-text connections, but carry a massive security increase. Today having HTTPS is a no-brainer, and plain HTTP should already be considered obsolete by all means.

I would expect banks, credit card processors and anything that requires high confidentiality and security to be the first adopters of this new standard, as those are the ones that'll profit the most. And their users can really also feel safer than before. Just imagine if your bank doesn't offer the latest possible security, would you consider continuing to work with them? In the long run, I would expect not.
 

Theoretically, "carrying massive security or adding negligible overhead" will increase the number of levels to be transmitted. And increasing the number of levels will also increase the information capacity (bits/second). Furthermore, increasing the capacity will decrease the number of channels allocated in a medium. The problem is that we have limited bandwidth and it is congested. To explain this: if the medium is wired, the bandwidth is fixed. The same goes for a wireless medium in mobile phones, which operate on designated frequencies but with lower bandwidth than wired cable uses. The tremendous bandwidth we have in communication is at those frequencies operated in the microwave region and above, the infrared region or light spectrum (fiber optics), but these are used as backbone communication. Still, our homes are wire-connected and have a wireless interface. These are things to consider in implementing protocols ...

Another thing I'd like to mention, if you allow me, happened in the past: during the 2nd generation of mobile phones there was a problem with dropped calls during peak hours because the channels in the cell site were busy. But if we recall, this was resolved by a Swedish engineer, A. K. Erlang, who formulated an idea to combine all the channels for use. (That's why phone traffic is defined in erlangs, E.) In those days, the authoritative body made an agreement to use the same basic standard with additional complexity for browsing the Internet for the 3rd generation and so on, and to minimize the amount of data or keep the channel bandwidth low.

And by the way, when the committee approves a new protocol, it will be passed/revised in congress and signed to the senate or whatever body represents this in a country. In effect, there will be implementing rules and regulations for financing institutions that are strictly managed by a government organization in the long run.
 

> Still, our homes are wire-connected and have a wireless interface. These are things to consider in implementing protocols ...

Why do you think those things aren't taken into account?
Security is always a tradeoff of usability/convenience vs security/privacy. And also involves some level of complication in software and overhead. When that overhead is minimal and the benefit is huge, implementing the protocol is a no-brainer. That's the case with TLS and its usage in the web as HTTPS.

You mention traffic congestion being unable to take any bit of overhead, but have you measured how much overhead it is? In my quick test, loading this topic on SevenForums consumes around 200KB of data, while the overhead of TLS is just around 7KB. That's around 3% of overhead, and this site is quite lightweight. Take a YouTube video for example, maybe 10MB of data: 10KB of overhead can easily be ignored.
A good website I found to explain that is this one:
TLS overhead - netsekure rng

Reality is, TLS overhead is real, but minimal. Congestion on some lines can happen because of raw data size, but the TLS contribution is negligible: you won't stop having congestion without HTTPS, nor will you start having it by adding it. On the other hand, the security it brings is immense, to the point of many internet businesses depending on it for operation.


> And by the way, when the committee approves a new protocol, it will be passed/revised in congress and signed to the senate or whatever body represents this in a country. In effect, there will be implementing rules and regulations for financing institutions that are strictly managed by a government organization in the long run.

Governments are irrelevant here. Protocols are discussed among security experts and evaluated based on their technical characteristics, and standards are created/modified/revoked because of those findings. Those organizations are who ultimately decide about the fate of protocols, not politicians.
Adoption, on the other hand, is determined by each one using it, based on his own need. Government decides over implementing those protocols on its own systems, just like any other individual does.
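
The overhead estimate discussed in the post above, worked through as an added example (not part of the original thread or of any poster's measurements). It uses the TLS 1.3 record-layer sizes from RFC 8446 with a 16-byte AEAD tag; the 7000-byte handshake figure is an assumption taken from the post's rough 7KB number, KB and MB are counted in powers of ten, and record padding and TCP/IP headers are ignored.

```python
import math

# TLS 1.3 record layer sizes (RFC 8446, section 5).
RECORD_HEADER = 5        # opaque_type (1) + legacy_record_version (2) + length (2)
INNER_CONTENT_TYPE = 1   # real content type carried inside TLSInnerPlaintext
AEAD_TAG = 16            # tag length for AES-GCM and ChaCha20-Poly1305
MAX_FRAGMENT = 2 ** 14   # largest plaintext fragment per record (16384 bytes)

PER_RECORD = RECORD_HEADER + INNER_CONTENT_TYPE + AEAD_TAG  # 22 bytes


def record_overhead(payload_bytes, fragment=MAX_FRAGMENT):
    """Bytes the record layer adds when sending payload_bytes of data."""
    if payload_bytes < 0 or not 0 < fragment <= MAX_FRAGMENT:
        raise ValueError("invalid payload or fragment size")
    records = math.ceil(payload_bytes / fragment)
    return records * PER_RECORD


def overhead_percent(payload_bytes, handshake_bytes, fragment=MAX_FRAGMENT):
    """Handshake plus record overhead as a percentage of the payload."""
    if payload_bytes <= 0:
        raise ValueError("payload must be positive")
    total = handshake_bytes + record_overhead(payload_bytes, fragment)
    return 100.0 * total / payload_bytes


if __name__ == "__main__":
    HANDSHAKE = 7000  # assumption: one-off handshake cost, from the post's ~7KB
    for label, size in (("200KB page", 200_000), ("10MB video", 10_000_000)):
        print(f"{label}: records add {record_overhead(size)} bytes, "
              f"total overhead {overhead_percent(size, HANDSHAKE):.3f}%")
    # Smaller records (a hypothetical 1400-byte fragment) cost more per byte.
    print("200KB page, 1400-byte records:",
          record_overhead(200_000, 1400), "bytes")
```

The handshake is a fixed cost per connection while the record layer adds 22 bytes per record, so the overhead fraction falls as the transfer grows.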
 

> Why do you think those things aren't taken into account?

These are the things that I'd like to point out about protocol implementation: without a proper protocol, the device interfaces, whether physical or wireless, won't work with each other, but still they're connected.

> Reality is, TLS overhead is real, but minimal. Congestion on some lines can happen because of raw data size, but the TLS contribution is negligible: you won't stop having congestion without HTTPS, nor will you start having it by adding it. On the other hand, the security it brings is immense, to the point of many internet businesses depending on it for operation.

Yes, the overhead is minimal considering the fact that not all protocols are sent at once to the server. The raw data (video/audio/messages) here is another protocol waiting to be sent when this overhead protocol is set. When it's set, the raw data will route to another channel, as is usually the case. In other words, there's a delay with respect to the different channel used. Plus, this hashing algorithm, encryption and decryption take longer to execute, creating significant delay on transmission. -tradeoff


> Governments are irrelevant here. Protocols are discussed among security experts and evaluated based on their technical characteristics, and standards are created/modified/revoked because of those findings. Those organizations are who ultimately decide about the fate of protocols, not politicians.

They had already decided and it was approved. So, the next step is to implement it. The doubt that others might not follow is not an issue because there are government organizations that will impose the new protocol. What do you think the central bank's guidelines, regulation, and supervision are for?
 
