It's 2020, and the two-year-old TLS 1.3 is still the best encryption protocol out there. Why aren’t we all using it? A few more reminders on the finer points of TLS 1.3 and why it’s successfully replaced all former protocols as the security standard of the internet. Whether we upgrade or not is a different story. And, at a time when privacy and civil rights are called into question by proposed legislation, data handovers and tracking techniques, we offer up for review a plagued history of the digital consumer privacy rights movement. And where it is now.
TLS 1.3 – The best thing we still haven’t done
Pegged pants. Formica tabletops. HTTP. And now, TLS 1.2.
These things are out of date, but while curating your lava lamp collection won’t hurt anybody, not using TLS 1.3 just might.
We all rise together
With TLS 1.3 deriving its value from widespread adoption, we may have yet to realize the full safety of the internet, as not everyone has made the transition. And even those who have upgraded to TLS 1.3 may still be susceptible to downgrade attacks when dealing with other browsers, technologies or endpoints that haven’t. So we should all step up and adopt the latest standard.
What TLS 1.3 brings to the table
- TLS 1.3 does not use RSA key exchanges, which are vulnerable because they don’t support forward secrecy. "If the attacker acquires its key at any point, even years later, they can then decrypt that ciphertext,” explains Kim Crawley.
- TLS 1.3 exclusively uses Diffie-Hellman, a forward-secret key exchange, utilizing asymmetric cryptography to ensure that only the intended receiver can decrypt the message with their private key.
- TLS 1.3 ditched weaker technologies such as the RC4 cipher and CBC-mode ciphers (still present in TLS 1.2), which are susceptible to plaintext recovery and “Lucky 13” attacks.
- TLS 1.3 is compatible with DNS over HTTPS (DoH).
In addition, TLS 1.3 is faster and smoother than previous TLS iterations at authenticating the asymmetric “handshake” between client and server, and it may help circumvent censorship laws, as ISPs can no longer block access to certain websites. For more on the benefits of TLS 1.3, read up on Kim Crawley’s “Why TLS 1.3 is a huge improvement”.
Now that safer internet protocols are out there (TLS 1.3 has been around since 2018), it’s up to us to use them. Like shelter in place, we’re all safer if we do it.
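As an added example (not code from the original post), the small Python audit below applies the criteria listed above to a negotiated session: it flags anything below TLS 1.3 as a possible downgrade, RSA/static key exchange as lacking forward secrecy, and RC4 or CBC-mode suites as legacy. It assumes OpenSSL-style cipher suite names, which is what `ssl.SSLSocket.cipher()` reports; the constructed sample sessions in `main()` are illustrative only.

```python
"""Audit a negotiated TLS session against the TLS 1.3 criteria above."""
import socket
import ssl

# TLS 1.3 suites are AEAD-only and always forward secret (no kex in the name).
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def audit_session(version, suite):
    """Return findings for a (protocol version, OpenSSL cipher name) pair."""
    findings = []
    if version != "TLSv1.3":
        findings.append(f"legacy protocol {version}: downgrade possible")
    if suite in TLS13_SUITES:
        return findings
    parts = suite.split("-")
    if parts[0] not in ("ECDHE", "DHE"):       # e.g. AES128-SHA, RC4-SHA
        findings.append("RSA/static key exchange: no forward secrecy")
    if "RC4" in parts:                          # stream cipher, not CBC
        findings.append("RC4 cipher: plaintext recovery")
    elif not any(m in parts for m in AEAD_MARKERS):
        findings.append("CBC-mode cipher: Lucky 13 / padding oracle")
    return findings


def hardened_client_context():
    """Client context that refuses anything older than TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_host(host, port=443):
    """Connect (permissively) and audit what the server actually negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return audit_session(tls.version(), tls.cipher()[0])


def main():
    # Constructed sample sessions, not captured from any real server.
    for version, suite in [("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                           ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                           ("TLSv1.2", "AES128-SHA"), ("TLSv1.0", "RC4-SHA")]:
        print(version, suite, audit_session(version, suite) or ["ok"])


if __name__ == "__main__":
    main()
```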
- How Do Encryption Protocols Work?
- What Are the Best Use Cases for Symmetric vs Asymmetric Encryption?
- How is Diffie-Hellman Key Exchange Different than RSA?
Could these be your privacy rights?
In 2012, the Obama administration released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy,” which included the Consumer Privacy Bill of Rights. A good idea, but the issue was largely ignored until the White House drafted its own version in 2015. The Federal Communications Commission passed internet data regulations in 2016, only to have them repealed in 2017 under the Congressional Review Act; telecoms said the rules treated them unfairly compared with large social platforms. Upon leaving the White House, President Obama left a review and recommendation to the incoming President Trump on furthering the initiative, which was promptly discarded. A year later, Ro Khanna (D-CA) released his Internet Bill of Rights in another attempt to seal data protections into law.
Bringing the issue to Congress, Senator Edward J. Markey (D-MA) introduced his Privacy Bill of Rights Act last year, and it was “Read twice and referred to the Committee on Commerce, Science, and Transportation.” As far as we know, it’s still there.
While the fight may be ongoing, it’s not over yet. Both the EARN IT Act and Sen. Markey’s Bill of Rights are still up for debate.
Just to remind us, these were the principles behind the original 2012 Privacy Bill of Rights, as summarized by the Electronic Privacy Information Center (EPIC).
- “Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.”
The more you know.
In 2018, Senator Markey and fellow Massachusetts Senator Richard Blumenthal both sponsored the CONSENT Act, a pro-privacy reaction to the Cambridge Analytica scandal.
Now, Sen. Markey is leading the Privacy Bill of Rights and Sen. Blumenthal is on the opposing side, sponsoring the pro-backdoor EARN IT Act.
A poetic plot twist in a twisted saga.