TLS 1.2 works. It’s been securing the internet since 2008. So why redesign it?
Imagine a house that’s been renovated a dozen times over 20 years. Each renovation added a room, patched a wall, or fixed a leak. The house still stands, but the wiring is a mess, there are doors that lead nowhere, and some of the patches are held together with duct tape. At some point, it’s easier to tear it down and build a new one with a clean design.
Because TLS 1.2 accumulated years of baggage. It supported dozens of cipher suites, many of them weak. It allowed static RSA key exchange, which has no forward secrecy: anyone who later obtains the server's private key can decrypt recorded sessions. Its full handshake cost two round trips before any application data could flow. And its complexity, plus the legacy features it kept for backward compatibility, created a large attack surface. Most of the named attacks of that era hit exactly those leftovers: BEAST and Lucky Thirteen (CBC mode with MAC-then-encrypt), CRIME (TLS compression), POODLE (fallback to SSL 3.0), FREAK and Logjam (export-grade RSA and Diffie-Hellman parameters). Heartbleed was an OpenSSL implementation bug rather than a protocol flaw, but it showed how much code a sprawling protocol asks implementers to get right.
TLS 1.3 (RFC 8446, finalized in 2018) was a ground-up redesign with three goals: faster, simpler, more secure.
What’s left: (EC)DHE key exchange in every full handshake (static RSA and static DH key exchange are gone, so forward secrecy is mandatory; the lone exception is a PSK-only resumption that sends no fresh key share), AEAD ciphers only (AES-GCM, AES-CCM, ChaCha20-Poly1305), and five cipher suites in total. Those five name just the AEAD and the hash, because key exchange groups and signature algorithms are now negotiated separately. RSA survives only for signing certificates and handshakes, not for key exchange.
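A quick way to see that baggage in a real configuration is to audit cipher-suite names for the three properties TLS 1.3 made non-negotiable: forward-secret key exchange, AEAD record protection, no export-grade strength. The Python below is an added example, not code from this page or from any RFC; it classifies suites purely from the IANA naming convention (TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>, which the example assumes rather than looks up), and the sample server configuration is a constructed list for illustration.

```python
"""Audit a list of TLS cipher suites by IANA name.

Added example: tags the properties TLS 1.3 made mandatory and flags the
TLS 1.2-era suites that lack them. Parsing relies on the IANA naming
convention TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>; that convention is an
assumption of this example, not something it verifies against the registry.
"""

import re
from dataclasses import dataclass

# The five cipher suites RFC 8446 defines (Appendix B.4). TLS 1.3 names
# carry only the AEAD and the hash; key exchange and authentication are
# negotiated separately, so "_WITH_" no longer appears in the name.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Ephemeral key exchanges: a fresh (EC)DH share per handshake gives
# forward secrecy. Static RSA, static DH/ECDH and pure PSK do not.
FORWARD_SECRET_KX = frozenset({"DHE", "ECDHE"})
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")

LEGACY_NAME = re.compile(r"^TLS_(?P<kx_auth>.+?)_WITH_(?P<cipher_mac>.+)$")


@dataclass(frozen=True)
class Verdict:
    name: str
    tls13: bool
    forward_secret: bool
    aead: bool
    export: bool
    problems: tuple  # empty when TLS 1.3 would keep this suite


def classify(name: str) -> Verdict:
    """Classify one cipher suite; problems is empty if TLS 1.3 would keep it."""
    name = name.strip().upper()
    if name in TLS13_SUITES:
        return Verdict(name, True, True, True, False, ())
    m = LEGACY_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised TLS cipher suite name: {name!r}")
    kx = m["kx_auth"].split("_")[0]  # "ECDHE_RSA" -> "ECDHE", "RSA_EXPORT" -> "RSA"
    cipher_mac = m["cipher_mac"]
    forward_secret = kx in FORWARD_SECRET_KX
    aead = any(marker in cipher_mac for marker in AEAD_MARKERS)
    export = "EXPORT" in name
    problems = []
    if not forward_secret:
        problems.append("no forward secrecy: static key exchange (RSA/static DH/PSK)")
    if "NULL" in cipher_mac:
        problems.append("no confidentiality: NULL cipher")
    elif not aead:
        problems.append("not AEAD: MAC-then-encrypt (CBC) or RC4 record protection")
    if export:
        problems.append("export-grade key strength")
    return Verdict(name, False, forward_secret, aead, export, tuple(problems))


def audit(suites) -> dict:
    """Map each suite TLS 1.3 would reject to its reasons, preserving order."""
    return {v.name: list(v.problems) for v in map(classify, suites) if v.problems}


# Constructed sample: a TLS 1.2-era server configuration mixing good and bad.
SAMPLE_CONFIG = [
    "TLS_AES_128_GCM_SHA256",                         # TLS 1.3 suite
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",  # fine: ECDHE + AEAD
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",          # fine: RSA only signs here
    "TLS_RSA_WITH_AES_128_GCM_SHA256",                # RSA key exchange: no forward secrecy
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",          # CBC: Lucky Thirteen territory
    "TLS_RSA_WITH_RC4_128_SHA",                       # RC4 and RSA key exchange
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",                 # FREAK-style export suite
]

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_CONFIG).items():
        print(f"{suite}: {'; '.join(reasons)}")
```

Note the distinction the audit preserves: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 passes because RSA there only signs the handshake, while TLS_RSA_WITH_AES_128_GCM_SHA256 fails even though it uses an AEAD, because RSA is doing the key exchange. That is the same split TLS 1.3 made permanent.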
Next: The 1-RTT Handshake