Banks are trying to weaken a new security protocol

The technology industry and financial industry aren’t seeing eye to eye on the new security protocol TLS 1.3. The most recent implementation that is deployed is TLS 1.2 that was released in 2008, so an update to the TLS specification is due for an update.

TLS stands for Transport Layer Security and encrypts the data that is transferred between you and whichever web server you have requested a website from and is used for virtual private networks so that remote workers can access company data securely.

TLS 1.3 has been under development since 2013 and is nearing completion, but that hasn’t stopped the Financial Services Roundtable, a financial services advocacy group,  from submitting an Internet draft called “TLS 1.3 Option for Negotiating of Visibility in the Datacenter” three years after development had begun. The draft requests that the RSA algorithm to remain in the TLS 1.3 standard and an opt-in mechanism baked into the standard for easier decrpytion so banks can scan for malware.

These are some of the banks represented by FS Roundtable

The Financial Services Roundtable have good intentions, but they’re requesting a feature and a component that weakens the protocol that is the backbone for secure communication on the Internet and is essentially a backdoor. There are three states of encryption: no encryption, weakened encryption, uncompromised encryption. The only effective encryption is uncompromised.

The RSA algorithm is preferred over Elliptical Curve Diffie-Hellman (ECDH) because RSA is weaker and allows for a simple solution that performs a man-in-the-middle that decrypts the data to allow for scanning. There’s an active exploit for TLS 1.2 called the Robot Attack that allows for passive decryption for a connection that uses RSA, meaning, active interception and decryption isn’t needed. The data can be captured then decrypted offline.

The solution to the bank’s dilemma is to deploy new hardware or firmware at a cost that is far less than putting all Internet users at risk.