Fizzing Up The New TLS Security Protocol

You may have noticed that the Google Chrome web browser now marks every website that does not use TLS (Transport Layer Security) as "Not secure". You need TLS to protect your site. And while you are at it, try Facebook's open-source TLS 1.3 library, Fizz.

TLS 1.3 is the latest version of TLS, the protocol that replaced Secure Sockets Layer (SSL). It is designed to resist attacks better than its predecessors: it enables stronger encryption and drops support for many older cipher suites and algorithms that are no longer considered safe.

TLS 1.3 is a step beyond TLS 1.2, but it is not yet widely deployed. Cloudflare, which enabled TLS 1.3 by default on the server side last year, found in a study that in December 2017 only 0.6% of its traffic was secured with TLS 1.3.

Now that Facebook supports TLS 1.3 and has released an open-source implementation, TLS 1.3 is likely to become more common.

According to Facebook, Fizz is a robust, high-performance TLS library written in C++14. In addition to the built-in security benefits of TLS 1.3, Fizz offers improved handling of middlebox handshake failures, asynchronous I/O, and scatter/gather I/O, so that data does not have to be copied an extra time.

To get there, Facebook worked with the IETF (Internet Engineering Task Force) on standardizing TLS 1.3. Earlier, Facebook had introduced Zero Protocol to improve on TLS: a custom protocol that attempts to establish a secure connection with zero round trips (0-RTT). Sending 0-RTT data cuts the latency of requests made over TLS and reduces the latency overhead of deploying TLS at all. Fizz's TLS 1.3 performance matches that of Zero Protocol, and Facebook has since replaced Zero Protocol with TLS 1.3.

Facebook also says that Fizz reduces memory and CPU use. The net result is that synthetic benchmarks on Facebook's load balancers show about 10% higher throughput than the previous stack.

The Fizz TLS 1.3 implementation significantly reduces the latency of establishing a secure connection compared to TLS 1.2. This improves the user experience when an application starts up, especially when there is no existing connection to reuse.

Fizz also improves performance on a large, distributed server network such as Facebook's by offloading certificate operations and ticket decryption to remote services. Fizz exposes this through a simple asynchronous application programming interface (API): a Fizz callback can return its result asynchronously without blocking the service from handling other connections.

Fizz also supports an API for sending early data immediately after the TCP connection is established. Early data shortens request latency, which matters most when a mobile application first starts up.

Early data does, however, open a door for attackers: it can be replayed. Facebook's Fizz deployment addresses this with a replay cache on the load balancer, which detects replayed data and rejects it. Fizz also provides a simple API for deciding whether a transport may be used to send data that is safe to replay and data that is not.
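The replay cache and the replay-safe/unsafe decision described above, as an added illustration written for this article rather than code from Fizz: a minimal in-process cache keyed by a fingerprint of the 0-RTT ClientHello (in TLS 1.3 the PSK binder is unique per ClientHello, so it or a hash of the whole message serves as the key), plus a policy that only lets idempotent requests ride as early data. The class and function names, the 60-second window and the "binder-A" style keys are assumptions constructed for the example; in Facebook's deployment the cache sits on the load balancer and is shared across servers, whereas a cache held by a single server cannot see a replay delivered to a different server.

```cpp
// Added example (not Fizz code): 0-RTT anti-replay cache plus early-data policy.
#include <cstdint>
#include <map>
#include <string>

// Opaque per-ClientHello fingerprint (e.g. the PSK binder bytes).
using Fingerprint = std::string;

class ReplayCache {
 public:
  // windowSec: how long a fingerprint is remembered. It must cover the ticket
  // lifetime plus clock skew; if it is shorter, a replay after expiry of the
  // cache entry (but before expiry of the ticket) would be accepted.
  explicit ReplayCache(uint64_t windowSec) : windowSec_(windowSec) {}

  // Returns true the first time a fingerprint is seen inside the window
  // (early data may be processed) and false on a repeat (it is a replay).
  bool checkAndRecord(const Fingerprint& fp, uint64_t nowSec) {
    expire(nowSec);
    if (seen_.find(fp) != seen_.end()) {
      return false;  // replay
    }
    seen_.emplace(fp, nowSec);
    return true;
  }

  size_t size() const { return seen_.size(); }

 private:
  // Drop entries older than the window so the cache stays bounded.
  void expire(uint64_t nowSec) {
    for (auto it = seen_.begin(); it != seen_.end();) {
      if (nowSec - it->second > windowSec_) {
        it = seen_.erase(it);
      } else {
        ++it;
      }
    }
  }
  uint64_t windowSec_;
  std::map<Fingerprint, uint64_t> seen_;  // fingerprint -> first-seen time
};

// Early-data policy: a request may travel as early data only if executing it
// twice is harmless. Idempotent HTTP methods qualify; a purchase does not.
bool isReplaySafe(const std::string& method) {
  return method == "GET" || method == "HEAD" || method == "OPTIONS";
}

enum class Decision { AcceptEarly, RejectReplay, RequireFullHandshake };

// Process a 0-RTT request as early data only if it is replay-safe and not a
// replay; otherwise make the client wait for the full (1-RTT) handshake.
Decision handleEarlyData(ReplayCache& cache, const Fingerprint& fp,
                         const std::string& method, uint64_t nowSec) {
  if (!isReplaySafe(method)) {
    return Decision::RequireFullHandshake;
  }
  return cache.checkAndRecord(fp, nowSec) ? Decision::AcceptEarly
                                         : Decision::RejectReplay;
}
```

The policy check runs before the cache is consulted so that non-idempotent requests never consume a cache slot; the cache itself only answers "seen before or not", and the window is the one parameter that must be sized against the session-ticket lifetime.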

Another reason companies have avoided TLS 1.3 is that network security appliance vendors have not updated their firmware. Relying on such appliances is a poor choice for security, but many companies do, and it causes breakage. For example, in February 2017 Symantec BlueCoat appliances simply dropped Chromebooks' TLS 1.3 connections.

Facebook solved this problem in Fizz by making the first part of the TLS 1.3 handshake look like a TLS 1.2 resumption handshake. With this approach, TLS 1.3 can be deployed reliably without falling back to TLS 1.2.
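To see what "looks like a TLS 1.2 resumption" means on the wire, here is an added example written for this article, not code from Fizz: it builds a constructed TLS 1.3 ClientHello body and parses back the three fields that matter. The ClientHello keeps a legacy_version of 0x0303 (TLS 1.2) and, in the middlebox compatibility mode that RFC 8446 defines, carries a non-empty legacy_session_id, which is exactly the shape of a TLS 1.2 resumption attempt; the real version offer lives in the supported_versions extension (type 43), which a legacy appliance ignores. The builder, the fixed random and session-id bytes, and the function names are assumptions constructed for the example.

```cpp
// Added example (not Fizz code): build and inspect a TLS 1.3 ClientHello body.
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

struct ClientHelloInfo {
  uint16_t legacyVersion = 0;
  size_t sessionIdLen = 0;
  std::vector<uint16_t> supportedVersions;  // from extension 43, if present
};

static void put16(Bytes& b, uint16_t v) {
  b.push_back(static_cast<uint8_t>(v >> 8));
  b.push_back(static_cast<uint8_t>(v & 0xff));
}

// Constructed ClientHello body. compatMode=true fills legacy_session_id with
// 32 bytes, as RFC 8446 middlebox compatibility mode does.
Bytes buildClientHello(bool compatMode) {
  Bytes b;
  put16(b, 0x0303);                                 // legacy_version: "TLS 1.2"
  b.insert(b.end(), size_t(32), uint8_t(0x11));     // random (constructed)
  if (compatMode) {
    b.push_back(32);
    b.insert(b.end(), size_t(32), uint8_t(0x22));   // fake session id
  } else {
    b.push_back(0);                                 // empty session id
  }
  put16(b, 4); put16(b, 0x1301); put16(b, 0x1302);  // cipher_suites
  b.push_back(1); b.push_back(0);                   // compression: null only
  Bytes ext;
  put16(ext, 43); put16(ext, 5);                    // supported_versions
  ext.push_back(4); put16(ext, 0x0304); put16(ext, 0x0303);
  put16(b, static_cast<uint16_t>(ext.size()));
  b.insert(b.end(), ext.begin(), ext.end());
  return b;
}

// Bounds-checked cursor: every read throws on truncated input.
class Reader {
 public:
  explicit Reader(const Bytes& b) : b_(b) {}
  uint8_t u8() { need(1); return b_[pos_++]; }
  uint16_t u16() { uint16_t hi = u8(); return static_cast<uint16_t>((hi << 8) | u8()); }
  void skip(size_t n) { need(n); pos_ += n; }
  size_t pos() const { return pos_; }
 private:
  void need(size_t n) {
    if (b_.size() - pos_ < n) throw std::runtime_error("truncated ClientHello");
  }
  const Bytes& b_;
  size_t pos_ = 0;
};

ClientHelloInfo parseClientHello(const Bytes& b) {
  Reader r(b);
  ClientHelloInfo info;
  info.legacyVersion = r.u16();
  r.skip(32);                        // random
  info.sessionIdLen = r.u8();
  r.skip(info.sessionIdLen);
  r.skip(r.u16());                   // cipher_suites
  r.skip(r.u8());                    // legacy_compression_methods
  size_t extEnd = r.pos() + 2;
  extEnd += r.u16();
  while (r.pos() < extEnd) {
    uint16_t type = r.u16();
    uint16_t len = r.u16();
    if (type == 43) {
      uint8_t listLen = r.u8();
      if (listLen + 1 != len || listLen % 2 != 0) throw std::runtime_error("bad supported_versions");
      for (int i = 0; i < listLen; i += 2) info.supportedVersions.push_back(r.u16());
    } else {
      r.skip(len);
    }
  }
  if (r.pos() != extEnd) throw std::runtime_error("extension length mismatch");
  return info;
}

// What a legacy middlebox sees: TLS 1.2 version and a session id to resume.
bool looksLikeTls12Resumption(const ClientHelloInfo& i) {
  return i.legacyVersion == 0x0303 && i.sessionIdLen > 0;
}

// What a TLS 1.3-aware peer negotiates: the highest offered version in
// supported_versions, or legacy_version when the extension is absent.
uint16_t highestOfferedVersion(const ClientHelloInfo& i) {
  if (i.supportedVersions.empty()) return i.legacyVersion;
  return *std::max_element(i.supportedVersions.begin(), i.supportedVersions.end());
}
```

The point of the parser is that the two views disagree on purpose: looksLikeTls12Resumption reads only the legacy fields, as an unpatched appliance would, while highestOfferedVersion reads the extension that a TLS 1.3 peer acts on.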

And it works. According to Facebook, "This will continue to expand as more than 50% of Internet traffic is secured with TLS 1.3 and as browsers and applications add support for TLS 1.3. TLS 1.3 as an Internet standard, RFC 8446, will be available soon."

Now that Facebook has shown that TLS 1.3 can be deployed at scale, and Google has made TLS a de facto requirement, it is time to move your sites, applications and servers to TLS 1.3. And since Fizz is open source under the BSD license, you should consider using it for your production deployment. You will be glad you did.

Compsmag