September 22, 2020

TLS 1.3 will make the review more difficult

1 min read

The Internet Engineering Task Force (IETF) released the official version of TLS 1.3 last week to strengthen the security of encrypted network connections. TLS 1.3 is a significant update to the protocol that fundamentally changes how services and websites handle encryption.

The IETF is also working on Encrypted Server Name Indication (ESNI), but it has not yet been finalised. Developer Derek Zimmer wrote that if cloud service providers popularise TLS 1.3 and ESNI, censorship will become more difficult.

TLS 1.3 RFC 8446

Because ESNI prevents third-party network censors from learning the real domain name a client is connecting to, they cannot block websites they consider illegal. Under TLS 1.2 the plaintext SNI gives censors a way to distinguish the “real” server from the “fake” one; encrypted SNI under TLS 1.3 fixes this, allowing VPN services and the Tor anonymity network to bypass censorship by fronting through Google, Amazon, or Microsoft servers. However, it appears that Google’s and Amazon’s cloud services do not support domain fronting, and only Microsoft’s Azure does.
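The visibility gap the article describes comes down to one field in the TLS ClientHello. The following added example (not code from the article or from Derek Zimmer) builds a minimal ClientHello and parses it the way a passive on-path observer, such as a network monitoring appliance, would: with plaintext SNI the hostname is readable; when the extension is absent or replaced by an encrypted one, the observer learns nothing about the destination name. The `0xFFCE` code point is the provisional value used by the ESNI Internet-Drafts, assumed here only to label the extension; the ClientHello bytes are constructed, not captured traffic.

```python
import struct

SERVER_NAME_EXT = 0x0000
# Provisional code point used by the draft-ietf-tls-esni series (assumption for labelling;
# the final design that replaced ESNI uses a different code point).
ESNI_DRAFT_EXT = 0xFFCE


def build_client_hello(sni=None, esni_blob=None):
    """Construct a minimal TLS ClientHello record (constructed sample, not real traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry              # ServerNameList length
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(body)) + body
    if esni_blob is not None:
        # Opaque stand-in for an encrypted SNI payload; content is irrelevant to the observer.
        exts += struct.pack("!HH", ESNI_DRAFT_EXT, len(esni_blob)) + esni_blob
    hello = (
        b"\x03\x03"                  # legacy_version
        + b"\x00" * 32               # random (zeros; constructed)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record):
    """Return (sni, esni_present) exactly as a passive observer could recover them.

    sni is the plaintext host name or None; esni_present is True when the draft
    encrypted-SNI extension is carried (its contents are not decodable on the path).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip legacy_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                              # skip compression_methods
    if pos + 2 > len(body):
        return None, False                         # no extensions block at all

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, esni = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SERVER_NAME_EXT and len(data) >= 5:
            # ServerNameList: u16 list length, then (name_type u8, length u16, host_name)
            ntype, nlen = struct.unpack("!BH", data[2:5])
            if ntype == 0:
                sni = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == ESNI_DRAFT_EXT:
            esni = True
    return sni, esni


if __name__ == "__main__":
    for label, rec in [
        ("plaintext SNI", build_client_hello("example.com")),
        ("no SNI", build_client_hello(None)),
        ("encrypted SNI", build_client_hello(None, b"\x00" * 16)),
    ]:
        print(label, "->", inspect_client_hello(rec))
```

The same parse applies whether the observer is a censor or a corporate monitoring team: anything that keys policy or detection on the plaintext `server_name` extension stops working once clients send an encrypted form, so such tooling has to fall back to other signals (destination IP, DNS, or endpoint telemetry) rather than the handshake itself.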