The TLS 1.3 Handshake: A Closer Look

Transport Layer Security (TLS) is the bedrock of secure internet communication, encrypting data exchanged between clients and servers. While TLS 1.3 significantly enhances security and performance over its predecessors, an on-path observer can still glean valuable information during the initial handshake phase before full encryption is established. Understanding these visibility gaps is crucial for network security professionals and developers alike.

The TLS 1.3 handshake is a complex dance of packets exchanged to establish a secure connection. Unlike older versions, TLS 1.3 aims to minimize the handshake round trips, improving latency. However, the very nature of establishing a secure channel requires some unencrypted or minimally protected data to be exchanged first. This initial exchange is where an eavesdropper can potentially gather intelligence.

Information Visible During the Handshake

Before the encryption keys are negotiated and applied, several pieces of information are transmitted in plain text or are otherwise observable. The primary protocol involved is TCP, which provides the reliable byte stream upon which TLS operates. The first packet sent by the client is the Client Hello, which contains critical information:

  • Client IP Address: This is inherently visible as it is the source IP of the TCP connection.
  • Server IP Address: This is the destination IP of the TCP connection.
  • TLS Version: The client explicitly states it wishes to use TLS, and often signals the version it supports (e.g., TLS 1.3).
  • Cipher Suites: The client advertises a list of cryptographic algorithms it supports, allowing the server to choose the strongest common option. This list can reveal the client's capabilities and preferences.
  • Extensions: TLS extensions provide additional parameters. Some common ones, like Server Name Indication (SNI), are sent in cleartext. SNI reveals the hostname the client is trying to reach, which can be highly sensitive, especially in shared hosting environments or when accessing multiple services on a single IP.
  • Client Random: A piece of data used in key generation. While not secret, it's part of the handshake process.
  • Key Share: In TLS 1.3, the client sends its public key share for the chosen Diffie-Hellman group. This is sent in the clear as part of the key exchange process.

The server's response, the Server Hello, also contains observable information:

  • Server IP Address: The source IP of the server.
  • Selected TLS Version: The version the server agrees to use.
  • Selected Cipher Suite: The algorithm chosen from the client's list.
  • Server Random: The server's counterpart to the client random.
  • Server Key Share: The server's public key share.
  • Certificate: The server sends its digital certificate, which is itself unencrypted. While it contains cryptographic material, it also reveals the server's identity (common name, organization, issuer) and the public key associated with it.

Even after the initial handshake, during the encrypted part of the connection, some metadata remains visible. Packet sizes, timing, and the frequency of communication can still leak information about the nature of the traffic, a field known as traffic analysis. However, the core content of the communication is protected.

The Significance of SNI

The Server Name Indication (SNI) extension is particularly noteworthy. It allows a single IP address to host multiple secure websites. Without SNI, the server wouldn't know which certificate to present to the client. Because SNI is sent in cleartext, it means an eavesdropper can identify which specific website or service a user is attempting to connect to, even before the encrypted application data starts flowing. This can be a significant privacy concern, as it reveals user intent and browsing habits.

Efforts are underway to encrypt SNI (ESNI) and its successor, Encrypted Client Hello (ECH), which aim to hide this information. However, these are not universally deployed and introduce their own complexities.

Implications for Network Observers

For an on-path observer, such as an ISP, a network administrator, or a malicious actor positioned between the client and server, the handshake phase offers a window of opportunity. They can reliably determine:

  • The IP addresses of the client and server.
  • The specific hostname (domain name) the client is trying to reach (via SNI).
  • The TLS version being used.
  • The cryptographic algorithms being negotiated.
  • The server's identity through its certificate.

This information, while not the actual content of the communication, is far from trivial. It can be used for network monitoring, traffic shaping, or even targeted attacks if combined with other intelligence. For instance, knowing a user is connecting to a specific financial institution's website (via SNI) before encryption starts could inform subsequent, more sophisticated attack vectors.

The Protocol Lab series, from which this analysis originates, uses hands-on labs to demystify such protocols. By actively building and breaking network setups, participants gain a deeper, practical understanding of how these technologies function and where their vulnerabilities lie. This approach underscores that while TLS 1.3 offers robust encryption for the bulk of data transfer, the initial handshake remains a point of observation.

What's Next for TLS Visibility

The ongoing development of technologies like Encrypted Client Hello (ECH) signals a move towards greater privacy during the TLS handshake. ECH aims to encrypt not just the application data but also the initial Client Hello message, including SNI. However, widespread adoption is a slow process, and challenges remain in DNS resolution and certificate management.

Until ECH becomes the standard, understanding the information leaked during the TLS 1.3 handshake is essential for anyone concerned with network privacy and security. It highlights that even with strong encryption in place, metadata can tell a story. The question isn't whether eavesdroppers can see anything, but rather how much, and what we can do to minimize that visibility.

Diagram illustrating the TLS 1.3 handshake packets and visible information