Jump to content

TLS 1.3 might be renamed TLS 2.0


Batu69

Recommended Posts

I occasionally see people ask why we're calling it TLS 1.3 when so much has changed, and I used to simply think that it was too bikesheddy to bother changing at this point. However, now that we've redone negotiation, we have new TLS 1.3+ only cipher suites. The old are not compatible with the new (new codepoints needed for old ciphers) and the new are not backwards compatible with the old (they'll just be ignored). We actually risk misconfiguration in the future if the distinction isn't made clear. I think it's time we just renamed TLS 1.3 to TLS 2.0. There are major changes, so labeling it a major version seems more appropriate.

 

Note that contrary to what some people seem to think, version numbers are not completely without meaning. To someone who doesn't really know/care that much what TLS is, making sure to use the latest major version of a security protocol carries more weight than a minor version. It also makes it clear that there are new features here (e.g. 0-RTT). There's some de facto standardization in versioning which does carry some useful information. We're not just dealing with programmers here; this stuff needs to be clear for managers and non-professionals. If we want to get everyone upgraded eventually, messaging is important.

 

Specific proposed changes:

* Mass rename TLS 1.3 to TLS 2.0 in all places (or TLS 2)

* Keep the version ID as { 3, 4 } (already weird counting; changing risks more intolerance)

* Rename the new cipher suites to have a "TLS2_" prefix to be less confusing for the registry & end configuration

* Add a sentence noting the development history here, and that all documents that refer to TLS 1.3 refer to TLS 2.0 (e.g. HTTP/2)

 

This is a relatively simple set of changes to make that I think can be beneficial in the long run, and is essentially just editorial. Rebranding might not be something everyone really wants to bother with, but if we expect this to be in use for a decade or more (whether we like it or not), we should probably make sure to be as clear as possible at the start.

 

Article source

Link to comment
Share on other sites


  • Replies 1
  • Views 555
  • Created
  • Last Reply
  • Administrator

This is a good move.

 

Always wondered it myself. If the security changes are so big and important, why not give it a full version number.

 

I also think our browsers have been quite fast when it comes to implementing such features in them.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...