Improving performance and security with TLS 1.3

Jami now makes use of the recently released TLS 1.3, reducing connection time and improving security !

Securely sending information on a network in a way that minimizes the risk to be tampered, forged or read by anyone other than the sender and the receiver is necessary for a lot of use cases. For example, when you do an online transaction, send a file to a co-worker or just talk with your friends. To protect your conversations, Jami uses a well known security protocol whenever you are in a call or when you are sending a file that is called TLS. It got a major revision (TLS 1.3) last year, greatly improving its security and performance since the last version (TLS 1.2).

What is TLS 1.3

TLS is a  protocol designed to negotiate the type of encryption used between two peers for their communications (i.e. your browser and a website’s server), allowing them to ensure data integrity and privacy. The recent upgrade in TLS addresses several vulnerabilities that where present in the previous version by preventing issues related to a bad configuration, removing depreciated or non-secure features and fixing some Common Vulnerabilities and Exposures (CVE) such as this.

The performance of TLS 1.3 has also greatly improved. This speed-up is mainly due to features like TLS false start and Zero Round Trip Time, reducing the number of back and forth necessary between the two peers for the negotiation of the encryption algorithm that is going to be used.

TLS 1.3 in Jami

TLS requires a TCP connection, which wasn’t used by Jami until recently for reasons that we previously explained in this article. We had to rely on DTLS 1.2, an adaptation of the protocol for UDP connections. Now that we have implemented ICE over TCP in PJSIP, we are able to take advantage of the performance and security improvements of TLS 1.3 for file transfers since last December and for calls since July.

TLS 1.3 also provides native encryption of exchanged certificates during connection establishment. This is especially useful to protect user certificates from prying eyes in Jami. With TLS 1.2, we used to have to perform an additional negotiation with certificate exchange to achieve this result, which is now avoided In TLS 1.3, further reducing the connection time.

By Sebastien Blin - Jami developer