Tracking the deployment of TLS 1.3

Transport Layer Security is a key part of the protocol stack. During the last years, a lot of effort have been invested in creating version 1.3 of this important protocol. TLS 1.3 RFC8446 was published in August 2018. In contrast with some protocols that are specified and then implemented, the TLS 1.3 implementations were written in parallel with the specification work and several operational issues influenced the protocol design. When RFC8446 was published, several TLS 1.3 implementations were available and large companies have quickly deployed it on clients and servers. On server side, RedHat has enabled TLS 1.3 in their latest Linux distribution. On the client side, Apple has enabled TLS 1.3 in March 2019 on both iOS and macOS.

The next step for TLS 1.3 is to be deployed at a large scale. Two recent studies show that this deployment has already started. At IETF 105, Tommy Pauly summarised some measurements collected by Apple. They captured a random sample of 0.05% of the TLS connections established by clients and identified the percentage that used TLS 1.3. Their results show that the fraction of TLS 1.3 connections doubled between April’19 and June’19. More than 22% of the TLS connections used by Apple devices use TLS 1.3. Their measurements also show that the TLS connections used over IPv6 are more likely to use TLS 1.3 than those to IPv4 servers. This is probably because the IPv6 servers use more frequently updated stacks than their IPv6 counterparts.

TLS 1.3 Apple

A more recent measurement study appeared in a paper written by Ralph Holz and his colleagues. This paper uses active scans, passive monitoring and data from a measurement app to provide a more accurate viewpoint of the deployment of TLS. By scanning the Internet, they show that about 18% of the top one million DNS domains according to Alexa support TLS 1.3. However, this deployment is largely driven by a small number of very large CDN providers that have enabled TLS 1.3. They also look at the deployment of TLS 1.3 on servers in different countries.

TLS 1.3 per country

Another interesting data is the fraction of the clients that offer TLS 1.3 in their handshakes. This was negligible in 2017. The fraction jumped to about 30% in early 2018 and has remained at this level since.

TLS 1.3 clients

For additional information, see:

Ralph Holz, Johanna Amann, Abbas Razaghpanah, Narseo Vallina-Rodriguez, [The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods](https://arxiv.org/abs/1907.12762), July 30th, 2019, https://arxiv.org/abs/1907.12762 

This blog post was written to inform the readers of Computer Networking: Principles, Protocols and Practice about the evolution of the field. You can subscribe to the Atom feed for this blog. These notes are also posted on the ebook’s Facebook page

Written on August 22, 2019