ETS Isn't TLS and You Shouldn't Use It

The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL). The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called called ETS (or eTLS) that intentionally disables important security measures in TLS 1.3. If someone suggests that you should deploy ETS instead of TLS 1.3, they are selling you snake oil and you should run in the other direction as fast as you can. ETS vs. TLS / SSL ETS removes forward secrecy, a feature that is so widely used and valued in TLS 1.2 that TLS 1.3 made it mandatory. This invisibly undermines security and has the potential to seriously worsen data breaches. As the ETS / eTLS spec says: "eTLS does not provide per-session forward secrecy. Knowledge of a given static Diffie-Hellman private key can be used to decrypt all sessions encrypted with that…

Read more detail on Recent Intellectual Property Law posts –

Related news:

This entry was posted in Intellectual Property and tagged , . Bookmark the permalink.

Leave a Reply