Removing the 'Blind Spots' from SSL/TLS
Here’s how a new standard in network encryption features several security and performance benefits over its predecessor
It was a long time coming, but TLS 1.3 is now the official standard in high-security network encryption. The 28th and final draft version was approved earlier in the spring, and the international standards board – the IETF – added the final touches and released the protocol on August 10, 2018.
The fact is, TLS 1.3 has been with us for a while. Draft versions of the protocol have been enabled by many web browsers, and popular sites are supporting near-final versions of the protocol too. In its draft form, TLS 1.3 still manages to offer security advantages.
Those who have followed our blog should know that Symantec is excited about the security and performance benefits that TLS 1.3 promises and we’re strong advocates for rapid adoption. However, we’ve also been at the forefront of preparing customers so they avoid any negative fallout should their security tools lack visibility into encrypted traffic.
Symantec, along with other network security vendors, removes the SSL/TLS “blind spots” that arise when tools cannot inspect SSL/TLS-encrypted traffic, using solutions that fall under the category of Encrypted Traffic Management. Whether you call the devices a TLS Interception Application (TIA), a middlebox, an SSL interception tool, or anything else, these are the industry’s go-to devices for solving the problem.
What makes Symantec stand out is that, as of August 29, we’re proud of being able to provide inspection of native TLS 1.3 sessions (the final, approved version) without requiring a downgrade to an earlier TLS version. We have supported Draft 28 as far back as last March, and earlier drafts going back to last October. But don’t be confused: while Draft 28 was very close to the final, it isn’t exactly the same.
This means that Symantec can act as a controlled man-in-the-middle device to intercept TLS 1.3 traffic, enable inspection, and re-encrypt the traffic with the same protocol version and encryption strength. As far as we know, all other solutions on the market will need to knock the session down to something older and weaker.
TLS 1.3 is now official, and with the most recent launch of the Symantec SSL Visibility Appliance in late August, we support it. If you were waiting for this change to make a move and upgrade your infrastructure to TLS 1.3, now is the time to act. Many of technology’s biggest names are going to move fast to implement TLS 1.3 for the performance and security benefits that come with it.
A quick internal test shows that Facebook, Mozilla, and Cloudflare are using TLS 1.3 in its Draft 28 form. Google Search may be using TLS 1.2, but Gmail is also showing TLS 1.3 Draft 28. It’s highly likely that these internet giants will be using the final version soon. When they are ready, we’re here and waiting.
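The difference between Draft 28, the final version, and a session knocked down to TLS 1.2 is visible in the ServerHello: TLS 1.3 keeps the legacy version field at 0x0303 and carries the selected version in the supported_versions extension (0x0304 for the final RFC 8446 version, 0x7f00 | draft number for drafts). The following is an added example, not Symantec's code, that reads that field from a ServerHello record and checks whether the client-facing leg of an inspecting device uses the same version as the origin-facing leg; the function names and sample records are constructed for illustration, and it assumes the ServerHello fits in a single TLS record.

```python
import struct

FINAL_TLS13 = 0x0304   # RFC 8446; drafts used 0x7f00 | draft number (draft 28 = 0x7f1c)
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", FINAL_TLS13: "TLS 1.3 (final)"}

def version_name(v):
    if v >> 8 == 0x7F:
        return f"TLS 1.3 (draft {v & 0xFF})"
    return NAMES.get(v, f"unknown 0x{v:04x}")

def negotiated_version(record):
    """Return the version selected by a ServerHello carried in one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                       # legacy_version, random
    pos += 1 + hello[pos] + 2 + 1      # session_id, cipher_suite, compression
    if pos + 2 > len(hello):           # no extensions block: the legacy field is the answer
        return legacy_version
    end = min(len(hello), pos + 2 + struct.unpack_from("!H", hello, pos)[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 43 and ext_len == 2 and pos + 6 <= end:   # supported_versions
            return struct.unpack_from("!H", hello, pos + 4)[0]
        pos += 4 + ext_len
    return legacy_version

def preserved_across_middlebox(client_leg, origin_leg):
    """True when the inspecting device answers the client with the version the origin chose."""
    return negotiated_version(client_leg) == negotiated_version(origin_leg)

def sample_server_hello(selected=None, suite=0x1301):
    """Build a constructed ServerHello record (sample data, not a capture)."""
    ext = b"" if selected is None else struct.pack("!HHH", 43, 2, selected)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x20" + bytes(32)
             + struct.pack("!HB", suite, 0) + struct.pack("!H", len(ext)) + ext)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    legs = {"final": sample_server_hello(0x0304), "draft 28": sample_server_hello(0x7F1C),
            "downgraded": sample_server_hello(None, suite=0xC02F)}
    for label, rec in legs.items():
        print(label, "->", version_name(negotiated_version(rec)))
```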
If Google, Facebook, Mozilla or Cloudflare traffic is hitting your network, shouldn’t it be protected with TLS 1.3 and inspected for malware and other hidden threats? We think it should. Now you have a choice: wait for your middlebox solution to catch up to us in support of TLS 1.3, or give us a shout and let us show you how quickly we can help.