Welcome to part 3 of my three-part series on TLS. In the previous two articles I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. I then performed the same transaction using TLS 1.2, and compared the logs with those seen earlier. In this final post I will repeat the experiments again, except I will use TLS 1.3.
Finally we reproduce our experiment using TLS 1.3. Remember that we have been visiting the Web site enabled.tls13.com, first without encryption, then later with TLS 1.2.
We only have the ssl.log to work with. It reports the negotiated version, the TLS 1.3 cipher, and a server name, the last because the Server Name Indication in the ClientHello is still sent in the clear. We do not have certificate details as with TLS 1.2, and there is no x509.log entry: in TLS 1.3 the server's Certificate message is sent after the ServerHello under the handshake keys, so a passive sensor never sees it. This is probably the biggest concern in the cyber threat intelligence community, as analysts have lost the ability to profile and link intruders using details in the certificates. The curl output reported that information, but only because curl was an endpoint of the encrypted session and was running in verbose mode for troubleshooting. Finally we have the ja3 and ja3s hashes, which you will notice are not the same as those from the TLS 1.2 experiment. The difference is caused by the client wishing to negotiate a TLS 1.3 session, and the server responding in kind: the ClientHello offers the TLS 1.3 cipher suites and extensions such as supported_versions and key_share, and the ServerHello selects one of those suites and returns a different extension list, so both fingerprints change even though the legacy version field in each message still reads TLS 1.2 (0x0303).
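To make the fingerprint change concrete, here is an added example (not code from the original post, and not Zeek or Corelight code) that computes JA3 from a ClientHello and JA3S from a ServerHello by the published recipe: the decimal version, cipher, extension, supported-group and point-format values joined with dashes and commas, GREASE values dropped, then MD5. The four handshake messages are constructed in the script to resemble a TLS 1.2 and a TLS 1.3 negotiation; they are not captured traffic from enabled.tls13.com, and the cipher and extension choices are assumptions.

```python
"""JA3 (ClientHello) and JA3S (ServerHello) fingerprints from raw TLS handshake
messages.  Added example; the hello messages below are constructed, not captured."""
import hashlib
import struct

# GREASE values (RFC 8701) are skipped when building JA3/JA3S strings.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _u16_list(data):
    """Decode a run of big-endian uint16 values."""
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


def _parse_extensions(data):
    """Parse a length-prefixed TLS extensions block into [(type, body), ...]."""
    (total,) = struct.unpack(">H", data[:2])
    pos, end, exts = 2, 2 + total, []
    while pos < end:
        etype, elen = struct.unpack(">HH", data[pos:pos + 4])
        exts.append((etype, data[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return exts


def _handshake_body(msg, expected_type):
    """Check the 4-byte handshake header (type, 24-bit length) and return the body."""
    if msg[0] != expected_type:
        raise ValueError("unexpected handshake type %d" % msg[0])
    return msg[4:4 + int.from_bytes(msg[1:4], "big")]


def ja3_string(client_hello):
    """Version,Ciphers,Extensions,SupportedGroups,ECPointFormats (decimal, '-' joined)."""
    body = _handshake_body(client_hello, 1)
    (version,) = struct.unpack(">H", body[:2])
    pos = 34                                  # skip legacy_version (2) + random (32)
    pos += 1 + body[pos]                      # skip session id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                      # skip compression methods
    ext_types, groups, formats = [], [], []
    for etype, ebody in (_parse_extensions(body[pos:]) if pos < len(body) else []):
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 10:                       # supported_groups: 2-byte length + uint16 list
            groups = [g for g in _u16_list(ebody[2:]) if g not in GREASE]
        elif etype == 11:                     # ec_point_formats: 1-byte length + bytes
            formats = list(ebody[1:])
    parts = [ciphers, ext_types, groups, formats]
    return str(version) + "," + ",".join("-".join(map(str, p)) for p in parts)


def ja3s_string(server_hello):
    """Version,Cipher,Extensions from a ServerHello."""
    body = _handshake_body(server_hello, 2)
    (version,) = struct.unpack(">H", body[:2])
    pos = 34
    pos += 1 + body[pos]                      # skip session id
    (cipher,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 3                                  # cipher (2) + compression method (1)
    exts = _parse_extensions(body[pos:]) if pos < len(body) else []
    return "%d,%d,%s" % (version, cipher, "-".join(str(t) for t, _ in exts if t not in GREASE))


def ja3_hash(client_hello):
    return hashlib.md5(ja3_string(client_hello).encode()).hexdigest()


def ja3s_hash(server_hello):
    return hashlib.md5(ja3s_string(server_hello).encode()).hexdigest()


# --- constructed handshake messages (sample input, not a real capture) ----------
def _u16s(values):
    return b"".join(struct.pack(">H", v) for v in values)


def _ext(etype, body):
    return struct.pack(">HH", etype, len(body)) + body


def _hello(msg_type, middle, extensions):
    ext_block = b"".join(extensions)
    # legacy_version is 0x0303 in both TLS 1.2 and TLS 1.3 hellos; random; empty session id
    body = struct.pack(">H", 0x0303) + b"\x00" * 32 + b"\x00" + middle
    body += struct.pack(">H", len(ext_block)) + ext_block
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(ciphers, extensions):
    middle = struct.pack(">H", 2 * len(ciphers)) + _u16s(ciphers) + b"\x01\x00"  # null compression
    return _hello(1, middle, extensions)


def build_server_hello(cipher, extensions):
    return _hello(2, struct.pack(">H", cipher) + b"\x00", extensions)


_NAME = b"enabled.tls13.com"
SNI = _ext(0, struct.pack(">H", 3 + len(_NAME)) + b"\x00" + struct.pack(">H", len(_NAME)) + _NAME)
SIG_ALGS = _ext(13, struct.pack(">H", 6) + _u16s([0x0403, 0x0804, 0x0401]))
POINT_FORMATS = _ext(11, b"\x01\x00")
X25519_SHARE = struct.pack(">HH", 0x001D, 32) + b"\x11" * 32          # assumed dummy key

TLS12_CLIENT_HELLO = build_client_hello(
    [0xC02F, 0xC030, 0x009C],
    [SNI, _ext(10, struct.pack(">H", 4) + _u16s([0x0017, 0x0018])), POINT_FORMATS, SIG_ALGS])

TLS13_CLIENT_HELLO = build_client_hello(
    [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02F, 0xC030],               # leading GREASE value is dropped
    [SNI, _ext(10, struct.pack(">H", 6) + _u16s([0x001D, 0x0017, 0x0018])), POINT_FORMATS, SIG_ALGS,
     _ext(43, b"\x04" + _u16s([0x0304, 0x0303])),                   # supported_versions
     _ext(45, b"\x01\x01"),                                         # psk_key_exchange_modes
     _ext(51, struct.pack(">H", len(X25519_SHARE)) + X25519_SHARE)])  # key_share

TLS12_SERVER_HELLO = build_server_hello(0xC02F, [_ext(65281, b"\x00"), POINT_FORMATS])
TLS13_SERVER_HELLO = build_server_hello(0x1301, [_ext(43, struct.pack(">H", 0x0304)), _ext(51, X25519_SHARE)])

if __name__ == "__main__":
    for label, ch, sh in (("TLS 1.2", TLS12_CLIENT_HELLO, TLS12_SERVER_HELLO),
                          ("TLS 1.3", TLS13_CLIENT_HELLO, TLS13_SERVER_HELLO)):
        print(label, "ja3 ", ja3_string(ch), ja3_hash(ch))
        print(label, "ja3s", ja3s_string(sh), ja3s_hash(sh))
```

Both JA3 strings start with 771 (0x0303), so the version field alone would not distinguish the two sessions; the TLS 1.3 hello is told apart by the 0x13xx cipher suites and by extensions 43, 45 and 51, and the TLS 1.3 ServerHello by the selected 0x1301 suite and its own supported_versions and key_share extensions. Run the script against `ja3` output from a real capture to confirm the string format before trusting a hash comparison.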
TLS 1.3 certainly presents a challenge from the strictly passive network security monitoring point of view. Analysts will have to pay more attention to the identities on either end of the conversation, such as the addresses, the server name in the ClientHello and the ja3/ja3s fingerprints, rather than the information reported by the server during the certificate exchange process. Because TLS 1.3 also removed static RSA key exchange, every session uses ephemeral keys, so passive decryption with a copy of the server's private key is not an option either. For those who want to introduce middleboxes, it will still be possible to essentially “man-in-the-middle” (MITM) TLS 1.3 connections by installing certificates on endpoints and terminating TLS 1.3 connections at inspection devices. Such a heavy-handed approach introduces its own privacy and resiliency challenges, however.
By showing the changes introduced by TLS 1.3 in logs, I hope readers can try replicating these experiments for themselves, and prepare tools and techniques to capture the data they need to protect their networks. Corelight’s engineers have been working on ways to continue innovating to provide customers the data they need to protect their enterprise and its users. Additionally, we have plans to document and speak on various ways to leverage other aspects of Corelight data to cope with a TLS 1.3 world. Stay tuned!