TLS 1.2 vs TLS 1.3: Security, Performance and What Was Removed

TLS 1.3 was the first major rewrite of the protocol in nearly a decade, and it changed more than the version number suggests. It is faster, removes a stack of weak algorithms and provides forward secrecy by default. Here is what concretely separates the two versions, and what you should do on your servers.

Short answer

TLS 1.3 is faster and more secure than TLS 1.2. It cuts the handshake from two round-trips to one, removes static RSA key exchange, RC4, 3DES, CBC-mode ciphers and MD5/SHA-1 signatures, and makes forward secrecy mandatory. TLS 1.2 is still secure if configured correctly, but requires active hardening. Offer both, prioritise 1.3, and disable everything below 1.2.

Performance: one fewer round-trip

In TLS 1.2 the client must wait for the server's hello before it can send its key-exchange contribution — two round-trips before data flows. TLS 1.3 sends the client's key share already in the Client Hello, so the server can reply completely in one go. On a network with 50 ms latency that saves around 50 ms per new connection — noticeable on mobile. How both handshakes look step by step is covered in the TLS handshake explained.

Security: fewer ways to get it wrong

TLS 1.2's biggest weakness is flexibility: it still permits insecure choices, so a poorly configured server can negotiate a weak cipher. TLS 1.3 cut that possibility away. Only five AEAD-based cipher suites remain, all with forward secrecy, and the entire Server Hello and the certificate are sent encrypted. The removed algorithms:

Static RSA key exchange — had no forward secrecy.
CBC-mode ciphers — the source of Lucky13 and similar attacks.
RC4 and 3DES — obsolete, broken or too weak.
MD5 and SHA-1 as signature hashes — vulnerable to collisions.
Renegotiation and compression — the source of CRIME/renegotiation attacks.

Comparison

Property	TLS 1.2	TLS 1.3
Released	2008	2018
Handshake	2-RTT	1-RTT (0-RTT possible)
Forward secrecy	Optional (ECDHE)	Mandatory
Cipher suites	37+, many weak	5, all AEAD
Encrypted certificate	No	Yes
RSA/CBC/RC4/3DES	Allowed	Removed

Configuration: offer both, harden TLS 1.2

Most sites should offer both 1.2 and 1.3 — 1.3 for modern clients, 1.2 for older ones that do not yet support 1.3. The important thing is to turn off everything below 1.2 and only allow strong ciphers on 1.2. In nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# TLS 1.2 only — TLS 1.3 automatically picks its five strong ciphers
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

Note that ssl_ciphers only controls TLS 1.2; TLS 1.3's cipher suites are fixed in the protocol. To understand what a cipher suite actually contains, see what is a cipher suite.

Should I disable TLS 1.2 entirely?

Rarely, yet. Although 1.3 is widely supported, there are still older clients, API integrations and IoT devices that only speak 1.2. Turning off 1.2 entirely risks locking them out. What you must turn off is TLS 1.0 and 1.1 — see why you should disable TLS 1.0 and 1.1.

How CertControl helps

CertControl negotiates a real handshake against each endpoint and reports exactly which protocol versions and cipher suites the server offers. If a server still offers TLS 1.0/1.1 or a weak 1.2 cipher, it is flagged as a finding — so you can harden systematically instead of guessing server by server.

Frequently asked questions

Is TLS 1.2 still secure?

Yes, if configured correctly: only strong ECDHE-based AEAD ciphers and no CBC, RC4 or 3DES. The difference is that TLS 1.2 permits insecure choices, while TLS 1.3 has removed them entirely. That is why 1.2 requires active hardening.

Why is TLS 1.3 faster?

Because the handshake is reduced from two round-trips to one. The client sends its key share already in the Client Hello, so encrypted data can flow after a single back-and-forth. On resumed connections 1.3 can even achieve 0-RTT.

What was removed in TLS 1.3?

Static RSA key exchange, CBC-mode ciphers, RC4, 3DES, MD5 and SHA-1 signatures, compression and renegotiation. What remains is five AEAD cipher suites, all with forward secrecy.

Do I have to choose between 1.2 and 1.3?

No. Servers typically offer both, and the client negotiates the highest common version. So you offer 1.3 to modern clients and 1.2 to older ones — without choosing.

What is an AEAD cipher?

AEAD (Authenticated Encryption with Associated Data) combines encryption and an integrity check in a single operation, e.g. AES-GCM or ChaCha20-Poly1305. It eliminates whole classes of attacks that the old CBC ciphers were exposed to.

Do all browsers support TLS 1.3?

All modern browsers have supported TLS 1.3 for several years. It is mainly older devices, embedded systems and certain API clients that still speak only 1.2 — which is why 1.2 is typically kept as a fallback.

See the platform Book a demo