Over the nearly 13 years of this blog’s existence, I’ve tried hard to make it both fast and secure. Four years ago, the blog began accepting only TLS connections. Also in 2015, ThinkingAloud first implemented SPDY (now HTTP/2), mandated that browsers connect only using TLS via HSTS and was among the first to implement Let’s Encrypt site verification certs. I was only too happy to ditch TLS 1.0 and 1.1 exactly a year ago today.
Now, I am pleased to share with you the news that this blog now will negotiate TLS 1.3 (RFC 8446) connections if you are using a current browser. I’ve tested with both recent Chrome and Firefox releases on Windows and macOS, which represent the bulk of the traffic to this site. And it all seems to work well — and fast.
TLS 1.3 is the first version of the protocol to have been developed since we’ve all come to realize how important security and privacy are.
Since 2008 when TLS 1.2 was ratified an endless stream of security breaches has begun to make its mark on users. Non-technical internet users are becoming (and have had to become) much more security-aware. And, major service providers like Google, Microsoft and Apple have begun implementing changes in their products that nudge the internet — unwillingly sometimes and always painfully slowly — into increasingly secure ways of connecting. TLS 1.3 is a major step towards making the internet — at least the web browsing part of the network — much more secure.
One of the first things we tell non-techies to be sure to do is to “look for the padlock” when browsing. It’s too hard to explain to them what TLS is and what it does. It was just there, in the background, and all people had to know was where to look for the icon. Now, with TLS 1.3, some internet users may never know it but the lock has been strengthened. Let’s hope the broader web — not just my humble blog — moves to TLS 1.3 rapidly.
Leave a Reply