Browser TLS 1.3 activated and your Firewall can’t handle it?

TLS 1.3

https://tools.ietf.org/html/rfc8446

Some modern browsers switch to TLS 1.3 automatically if the web server on the other side supports it, for example Chrome since version 72. With Windows 10 build 20170 and later it is even the OS itself that speaks TLS 1.3 (the Schannel stack, which IE11, classic Edge and other Windows applications use), not just the browser. So it's all safer and faster?

https://blogs.windows.com/windows-insider/2020/07/15/announcing-windows-10-insider-preview-build-20170/

The problem is that some next-generation web filters (firewalls) can't look into the TLS-encrypted traffic anymore to find malware/ransomware. With the self-updating mechanism of browsers like Chrome or Edge Chromium you suddenly have a constellation you did not want: while you used to approve IE11/Edge updates in WSUS and usually checked each new release of the browser before rolling it out, that control is gone.

The interesting point is that some load balancers, too, are only able to break open (deep-inspect) TLS 1.3 traffic with very recent firmware releases, although customers have been demanding that feature since 2017, as the blogs and feature request portals of the vendors show. The reason is technical: TLS 1.3 encrypts everything after the ServerHello, including the server certificate, and drops the static RSA key exchange, so passive decryption with a copy of the server key no longer works; an inspecting device has to act as an active proxy that terminates the client's TLS 1.3 session and opens its own session to the server. So if you want to look into TLS (break the TLS stream) and your firewall can't handle TLS 1.3 specifically, you currently have a problem.

Checking whether your browser has TLS 1.3 active is easy:

CHROME:

chrome://flags/#tls13-variant (TLS 1.3 is on by default since version 72; in newer releases the flag may no longer be listed because TLS 1.3 is simply always enabled)

MICROSOFT EDGE CHROMIUM:

edge://flags/

For example, type edge://flags/ into the browser address bar and search for "TLS".

Or jump directly to the TLS 1.3-related setting with edge://flags/#enable-tls13-early-data (note: this flag controls 0-RTT early data, an optional TLS 1.3 feature, not whether TLS 1.3 itself is used).

Open the following test website to see what your browser supports:

https://browserleaks.com/ssl
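Added example in Python (not code from the original page or from any of the vendors linked here) showing the two checks behind this section: what an inspecting firewall has to parse to recognize a TLS 1.3 client at all, and how to see which version actually gets through your network path. The ClientHello keeps legacy_version 0x0303 (TLS 1.2) and advertises TLS 1.3 only inside the supported_versions extension (type 0x002b, RFC 8446 section 4.2.1), so a filter that reads only the version field classifies a TLS 1.3 client as TLS 1.2. `build_client_hello` produces a constructed test record, not a capture; `negotiated_version` is a hypothetical helper name that does a live connection with the standard library `ssl` module and is not part of any product mentioned above.

```python
"""Recognise a TLS 1.3 ClientHello and check what version reaches the server.

Added example, not code from the original page.  Constants follow RFC 8446.
"""
import socket
import ssl
import struct

TLS_HANDSHAKE = 0x16             # record content type
HS_CLIENT_HELLO = 0x01           # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1
TLS12, TLS13 = 0x0303, 0x0304
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", TLS12: "TLS1.2", TLS13: "TLS1.3"}


def build_client_hello(versions, cipher_suites=(0x1301, 0xC02F)):
    """Constructed test input: a minimal ClientHello record.

    versions: contents of supported_versions, in preference order;
    an empty tuple omits the extension, i.e. a pre-1.3 client.
    """
    body = struct.pack("!H", TLS12)        # legacy_version is 0x0303 even for TLS 1.3
    body += b"\x11" * 32                   # client random (fixed, constructed)
    body += b"\x00"                        # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                    # compression methods: null only
    exts = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        ext_data = struct.pack("!B", len(vlist)) + vlist
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def offered_versions(record):
    """Versions a ClientHello offers, in the client's preference order.

    Reads supported_versions if present, else falls back to legacy_version.
    Real Chrome hellos also contain GREASE values (e.g. 0x0a0a); they are
    returned as-is and must be ignored, not treated as a downgrade.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    if pos + 2 > len(body):
        return [legacy_version]                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]                                   # byte length of the version list
            return [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return [legacy_version]


def offers_tls13(record):
    return TLS13 in offered_versions(record)


def describe(record):
    return [VERSION_NAMES.get(v, "unknown(0x%04x)" % v) for v in offered_versions(record)]


def negotiated_version(host, port=443, timeout=5):
    """Live check (hypothetical helper): which TLS version the path to `host`
    actually yields, plus the issuer of the certificate presented.  TLSv1.2 from
    a server known to do 1.3, or an issuer that is your own inspection CA, means
    something in between (firewall, proxy, load balancer) terminated the session."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("issuer")


if __name__ == "__main__":
    print("TLS 1.3 client:", describe(build_client_hello((0x0A0A, TLS13, TLS12))))
    print("TLS 1.2 client:", describe(build_client_hello(())))
```

Run the file as-is to see the offline part; call `negotiated_version("example.org")` from a machine behind the firewall to get the live result. The same live check from a shell is `openssl s_client -connect example.org:443 -tls1_3`: if that fails while `-tls1_2` works, the middlebox in between is not passing or terminating TLS 1.3.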

Vendor notes on TLS 1.3 inspection support:

https://news.sophos.com/en-us/2020/08/18/report-firewall-best-practices-to-block-ransomware/

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you

https://www.f5.com/c/landing/encrypted-threats/article/tls-1-3-are-you-ready-for-the-update

https://community.checkpoint.com/t5/General-Topics/CheckPoint-TLS-1-3-support-When/td-p/63672

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/understanding_traffic_decryption.html

https://www.sonicwall.com/support/knowledge-base/ssl-tls-protocols-supported-by-sonicos-matrix/170615123553371/

Read more:

https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

https://www.imperial.ac.uk/media/imperial-college/faculty-of-engineering/computing/public/1819-pg-projects/Detecting-Malware-in-TLS-Traf%EF%AC%81c.pdf

https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/

https://www.heise.de/security/meldung/Verschluesselung-TLS-1-3-Fauxpas-gefaehrdet-Embedded-Systeme-mit-wolfSSL-4883741.html

https://www.heise.de/hintergrund/Was-TLS-1-3-ist-und-wie-Sie-davon-profitieren-4248740.html

https://www.sans.org/reading-room/whitepapers/vpns/paper/39715

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/