HAMAHAMA
UZ RU EN
KNOWLEDGE BASE

What is TLS 1.3 and why it matters?

TLS 1.3 is the latest version of the protocol that encrypts the connection between an app and a server. It is faster, simpler and more secure than earlier versions — and it is what all transport in HAMA runs over.

In short

TLS 1.3 is the protocol that encrypts data "in transit" between a client and a server, protecting it from interception. Compared to TLS 1.2 it sets up the connection in fewer round trips, drops outdated weak ciphers and makes forward secrecy mandatory. This is transport protection; end-to-end (E2E) encryption is a separate layer, and the two complement each other.

What TLS is and why you need it

TLS 1.3 (Transport Layer Security) is a protocol that encrypts data as it travels across a network between two parties, typically between a client application and a server. When you see the padlock in your browser's address bar or use a secure app, TLS is almost always working under the hood. Its job is to make sure that no one sitting between you and the server — your ISP, the operator of a Wi-Fi hotspot, the owner of intermediate equipment — can read or silently tamper with the data being sent.

TLS solves three problems at once: confidentiality (the traffic is encrypted), integrity (any change to the data in transit is detected) and authentication (you can be sure you are connecting to the genuine server, not an impostor). Authentication is built on certificates and public-key infrastructure.

What TLS 1.3 improved over TLS 1.2

TLS 1.2 was published in 2008 and accumulated a lot of historical baggage over a decade and a half: many optional features, outdated algorithms and compromises made for compatibility. TLS 1.3 (RFC 8446, 2018) is a rethink of the protocol with a focus on security by default and on speed.

Fewer round trips

Setting up a secure connection requires a "handshake" — an exchange of messages in which the parties agree on keys. In TLS 1.2 this took two round trips (2-RTT). TLS 1.3 fits it into one (1-RTT), and when reconnecting to an already-known server, into zero (0-RTT). In practice this noticeably speeds up opening connections, especially over high-latency networks.

Weak and outdated algorithms removed

  • RSA key exchange and static Diffie-Hellman were dropped — only ephemeral variants (ECDHE) remain, which provide forward secrecy.
  • The RC4 stream cipher, CBC modes with known weaknesses, and MD5 and SHA-1 in signatures were removed.
  • Only proven AEAD ciphers (such as AES-GCM and ChaCha20-Poly1305) are supported, which encrypt and verify integrity in a single step.
  • The dangerous ability to "downgrade" to older algorithms — exploited by several attacks — was eliminated.

Forward secrecy became mandatory

Where forward secrecy was optional in TLS 1.2, it is built into the foundation of TLS 1.3: a separate temporary key is created for every session.

What forward secrecy is and why it is critical

Imagine an attacker recording encrypted traffic for years, hoping that someday they will obtain the server's key. Without forward secrecy, a single long-term key would be enough to decrypt the entire accumulated archive after the fact.

Forward secrecy breaks this scheme: each session is protected by its own ephemeral key, which is not derived from the server's long-term key and is deleted once the session ends. A future leak of the server's key does not reveal past traffic. This matters especially for organizations whose data retains value for years.

TLS (transport) vs E2E (end-to-end) — different layers

A common misconception: "we use TLS, so our messages are fully protected." That is not the case — these are two different layers of protection.

  • TLS protects data in transit. The channel between the client and the server is encrypted, but on the server itself the data is decrypted in order to be processed or stored. A server administrator can in principle access it.
  • E2E protects data from sender to recipient. A message is encrypted on the sender's device and decrypted only on the recipient's device. The server merely relays the encrypted "package" and never sees the plaintext.

These layers don't compete — they complement each other. TLS protects the channel itself and the transport metadata, verifies the server's authenticity and prevents connection hijacking. E2E additionally guarantees that even a compromised or curious server cannot read the content. A robust system uses both layers.

How HAMA handles this

In HAMA all transport runs over TLS 1.3 only — older versions are not used. This means the connection between the desktop client and the server is protected by modern encryption, mandatory forward secrecy and a fast handshake.

But HAMA does not stop at transport. On top of TLS, message content is protected by end-to-end encryption using the Signal protocol (X3DH + Double Ratchet), with AES-256-GCM used for groups. This means even the server has no access to the plaintext of messages. The local database on the device is encrypted with SQLCipher, and keys are kept in the operating system's secure store.

In addition, the server itself is hosted on a secure facility in Uzbekistan or on-premise within the organization's infrastructure, and HAMA is preparing for compliance with O'z DSt ISO/IEC 27001:2023 and the PP-167 requirements for critical information infrastructure. TLS 1.3 here is the foundation of the transport layer, not the entire defense on its own.

Frequently asked questions

How is TLS 1.3 better than TLS 1.2?

TLS 1.3 establishes a connection faster (one round trip instead of two), removes outdated and insecure algorithms (RC4, RSA key exchange, SHA-1, static key exchange) and makes forward secrecy mandatory. The result is a connection that is both faster and more secure.

Is TLS the same as end-to-end encryption?

No. TLS protects data in transit between the client and the server, but the data is decrypted on the server. End-to-end (E2E) encryption protects data so that only the sender and recipient can read it, and the server never can. They are different layers that complement each other.

What is forward secrecy?

Forward secrecy means a separate temporary key is generated for every session. Even if the server's long-term key is compromised in the future, previously recorded traffic still cannot be decrypted. In TLS 1.3 this is a mandatory property.

Does HAMA use TLS 1.3?

Yes. All transport in HAMA runs over TLS 1.3 only. On top of that, message content is additionally protected by end-to-end encryption using the Signal protocol, so the server never has access to the plaintext of messages.

Related articles

HAMA

What is End-to-End encryption?

 HAMA

On-premise vs Cloud: which is more secure?

 HAMA

Data protection in a corporate messenger

Need secure communication for your organization?

HAMA is a single secure platform for businesses and government bodies in Uzbekistan: messenger, video conferencing, monitoring and HR. Transport over TLS 1.3, messaging with E2E encryption, data stored in Uzbekistan.

Contact us