TLS 1.3 Deep Dive: How Your Files Stay Safe in Transit
— Written by Brendan, Founder of FileShot.io • 17 min read
Every time you drag a file into a browser window and click “Upload,” a remarkable cryptographic ceremony takes place in under 100 milliseconds. Before a single byte of your file leaves your machine, your browser and the remote server negotiate a shared secret using mathematics that would take every computer on earth billions of years to crack by brute force. That ceremony is TLS—Transport Layer Security—and its latest version, TLS 1.3, represents the most significant overhaul of internet transport encryption in over a decade.
For anyone who transfers files online—whether it’s a confidential legal contract, a medical record, or a family photo album—understanding TLS 1.3 isn’t optional. It’s the difference between knowing your files are protected and hoping they are. In this guide, we’ll break down exactly how TLS 1.3 works, what changed from TLS 1.2, why those changes matter specifically for file sharing, and why transport encryption alone is necessary but not sufficient for true file security.
A Brief History: From SSL to TLS 1.3
Transport encryption has a troubled history. SSL 2.0, released by Netscape in 1995, was broken almost immediately. SSL 3.0 followed in 1996 and lasted nearly two decades before the POODLE attack rendered it insecure in 2014. TLS 1.0 (1999) and TLS 1.1 (2006) patched some of SSL’s design flaws but inherited others, including support for weak cipher suites, vulnerable renegotiation mechanisms, and a handshake design that leaked metadata.
TLS 1.2, released in 2008, was a major improvement. It introduced authenticated encryption with associated data (AEAD) cipher suites, supported SHA-256, and allowed servers to negotiate stronger key exchange algorithms. But TLS 1.2’s fatal flaw was optionality. The protocol allowed servers to negotiate weak configurations—RSA key exchange without forward secrecy, CBC cipher suites vulnerable to padding oracle attacks, and legacy hash algorithms that an attacker could downgrade to.
TLS 1.3, finalized as RFC 8446 in August 2018, took a fundamentally different approach. Instead of adding new features, it removed dangerous ones. The result is a protocol that is faster, simpler, and dramatically more secure than any of its predecessors.
What TLS 1.3 Changed—and Why It Matters for File Sharing
TLS 1.3 isn’t an incremental update. It’s a ground-up redesign of the cryptographic negotiation that protects every file you upload or download. Here are the changes that matter most.
RSA Key Exchange: Eliminated
In TLS 1.2 and earlier, the most common key exchange mechanism was RSA: the client generates a random pre-master secret, encrypts it with the server’s public RSA key, and sends it over the wire. The server decrypts it with its private key, and both sides derive session keys from this shared secret.
The problem? If an attacker records the encrypted traffic and later obtains the server’s private key—through a breach, a court order, a compromised backup, or a retired hard drive that wasn’t wiped—they can decrypt every recorded session retroactively. This is the core problem that forward secrecy solves, and TLS 1.3 enforces it for every connection by removing RSA key exchange entirely.
TLS 1.3 requires ephemeral Diffie-Hellman key exchange (either ECDHE or DHE). Each session generates a unique key pair that is used once and then discarded. Even if the server’s long-term private key is compromised years later, past sessions remain encrypted. For file sharing, this means that a file you uploaded three years ago cannot be retroactively decrypted by compromising the server’s private key today.
CBC Cipher Suites: Removed
Cipher Block Chaining (CBC) mode cipher suites have been a persistent source of vulnerabilities. The BEAST attack (2011), Lucky Thirteen (2013), and POODLE (2014) all exploited timing side channels or padding oracle flaws in CBC-based cipher suites. Despite patches and workarounds, CBC’s fundamental design makes it intrinsically vulnerable to these classes of attacks.
TLS 1.3 eliminates CBC entirely. The only permitted cipher suites use Authenticated Encryption with Associated Data (AEAD)—specifically AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305. AEAD ciphers combine encryption and authentication into a single operation, eliminating the encrypt-then-MAC vs. MAC-then-encrypt ambiguity that created padding oracle vulnerabilities. For file transfers, this eliminates an entire class of attacks that could have been used to recover plaintext from encrypted uploads.
The 1-RTT Handshake
TLS 1.2 requires two full round trips between client and server before application data can flow. For a file sharing platform where users need to upload or download files quickly, those extra round trips add latency—especially on mobile networks or when transferring files over long distances.
TLS 1.3 completes the handshake in a single round trip (1-RTT). The client sends its key share in the very first message (ClientHello), along with the list of supported cipher suites and key exchange groups. If the server supports one of the offered key shares, it can immediately compute the shared secret and send encrypted data back in its first response (ServerHello + EncryptedExtensions + Certificate + Finished). The client can start sending encrypted application data after receiving this single response.
The practical impact for file sharing: the time between clicking “Upload” and the first encrypted byte leaving your browser is reduced by roughly 100–300 milliseconds compared to TLS 1.2. On a 4G mobile connection with 80ms round-trip latency, that’s a 20–40% reduction in connection setup time.
0-RTT Resumption: Speed with Caveats
TLS 1.3 also introduces 0-RTT (zero round trip time) resumption. If a client has previously connected to a server, it can send application data in the very first packet—before the handshake even completes—using a pre-shared key (PSK) from the previous session.
For file sharing, 0-RTT could mean that a returning user’s file upload begins transmitting immediately, with zero handshake latency. However, 0-RTT comes with a critical caveat: replay vulnerability. An attacker who captures a 0-RTT packet can replay it, causing the server to process the same request twice. For idempotent operations like GET requests, this is benign. For non-idempotent operations like file uploads or API calls that modify state, replay can be dangerous.
Well-designed file sharing platforms mitigate this by restricting 0-RTT to idempotent requests only, using server-side replay detection mechanisms, or disabling 0-RTT entirely for upload endpoints. At FileShot, we carefully evaluate the trade-off between latency and replay safety for each endpoint.
The TLS 1.3 Handshake: Step by Step
Understanding the handshake is essential for understanding how your files are protected. Here’s what happens in the roughly 50–100 milliseconds between when you click “Upload” and when the first encrypted byte leaves your browser.
Step 1: ClientHello. Your browser sends a ClientHello message to the server containing: a list of supported cipher suites (e.g., TLS_AES_256_GCM_SHA384), a list of supported key exchange groups (e.g., x25519, secp256r1), one or more key shares (the client’s ephemeral public keys for the offered groups), and a random 32-byte nonce. Critically, in TLS 1.3 the client speculatively generates key shares before knowing which group the server will choose. This is what enables the 1-RTT handshake.
Step 2: ServerHello. The server selects a cipher suite and key exchange group from the client’s offered list, generates its own ephemeral key pair, and sends back its public key share. At this point, both sides have everything they need to compute the shared secret using Elliptic Curve Diffie-Hellman (ECDH). The server computes the handshake keys and immediately sends the rest of the handshake—EncryptedExtensions, Certificate, CertificateVerify, and Finished—encrypted under the handshake keys. This is another TLS 1.3 improvement: the server’s certificate is encrypted, preventing passive observers from seeing which site the client is connecting to.
Step 3: Key derivation. Both sides use HKDF (HMAC-based Key Derivation Function) to derive the actual traffic encryption keys from the shared ECDH secret. HKDF runs the shared secret through multiple rounds of extraction and expansion, producing separate keys for client-to-server and server-to-client traffic, along with separate IVs (initialization vectors). This key separation ensures that even if one direction’s key is somehow compromised, the other direction remains protected.
Step 4: Finished and application data. The client verifies the server’s certificate chain (checking that it’s signed by a trusted Certificate Authority, that it hasn’t expired, and that it matches the expected hostname), verifies the CertificateVerify signature (proving the server actually holds the private key for its certificate), and sends its own Finished message. At this point, the handshake is complete and the client begins sending your file, encrypted with AES-256-GCM or ChaCha20-Poly1305.
From your browser’s perspective, all of this happened in under 100 milliseconds. From the file’s perspective, it was broken into TLS records (up to 16,384 bytes each), each record was encrypted and authenticated with an AEAD cipher, each record received a unique nonce derived from the record sequence number and the traffic IV, and the records were transmitted over TCP to the file sharing server.
Forward Secrecy: Why It’s Non-Negotiable for File Sharing
Forward secrecy (sometimes called perfect forward secrecy, or PFS) is not just a nice-to-have feature—it’s a fundamental requirement for any file sharing platform that handles sensitive data. The concept is simple but powerful: even if an adversary obtains the server’s long-term private key at some point in the future, they cannot use it to decrypt traffic that was recorded in the past.
Without forward secrecy, an adversary can execute a “record now, decrypt later” strategy. Intelligence agencies, sophisticated attackers, and even ISPs can store encrypted traffic at scale. If the server’s private key is later compromised—through a breach, a legal demand, or a retired server that wasn’t properly decommissioned—years of recorded file transfers can be decrypted at once.
TLS 1.3 eliminates this risk by design. Because every session uses a fresh ephemeral key pair generated in memory and discarded after the session ends, there is no long-term key that can retroactively unlock past sessions. For file sharing specifically, this means a confidential document you uploaded in 2024 remains encrypted even if the server’s private key is leaked in 2027.
This is also critically important in the context of post-quantum threats. Quantum computers may eventually break the elliptic curve mathematics that underpin ECDHE. Forward secrecy limits the blast radius: even if a future quantum computer can break ECDHE, it can only attack sessions for which it has recorded ciphertext. Sessions whose ciphertext was never captured remain safe regardless of future cryptographic advances.
Why Older Protocols Are Dangerous
Despite TLS 1.3’s availability since 2018, some file sharing platforms and enterprise file transfer solutions still support—or even default to—older protocol versions. This is dangerous for several reasons.
TLS 1.0 and TLS 1.1 were officially deprecated by the IETF in RFC 8996 (March 2021). They support cipher suites with known vulnerabilities, lack AEAD encryption, and are susceptible to downgrade attacks (where an attacker forces the use of a weaker protocol version). PCI DSS has prohibited TLS 1.0 since June 2018, and all major browsers disabled TLS 1.0/1.1 by default in 2020.
SSL 3.0 is comprehensively broken. The POODLE attack allows an attacker to decrypt individual bytes of an SSL 3.0 session using a padding oracle. Any file sharing service that still accepts SSL 3.0 connections is fundamentally insecure.
TLS 1.2 without AEAD is also problematic. A TLS 1.2 server that negotiates AES-CBC with SHA-1 HMAC is vulnerable to Lucky Thirteen timing attacks and offers no forward secrecy if it accepts RSA key exchange. Even TLS 1.2 with strong configuration (ECDHE + AES-GCM) lacks TLS 1.3’s encrypted handshake, reduced round trips, and simplified state machine. If a file sharing platform supports TLS 1.2 at all, it should only be as a fallback with a strict cipher suite whitelist.
When evaluating any file sharing service, check not only that it supports TLS 1.3, but that it disables TLS 1.0, TLS 1.1, and ideally enforces TLS 1.3 as the minimum version. A padlock icon in the browser does not mean the connection is using a modern protocol—it only means some version of TLS or SSL is in use.
Certificate Transparency: Stopping MITM on File Sharing
TLS encryption is only as trustworthy as the certificates it relies on. If an attacker can obtain a valid certificate for fileshot.io from any of the hundreds of Certificate Authorities trusted by browsers, they can perform a man-in-the-middle (MITM) attack, intercepting and decrypting all traffic between users and the server. This isn’t theoretical: it happened to Google in 2011 when the Dutch CA DigiNotar issued fraudulent certificates that were used to intercept Gmail traffic in Iran.
Certificate Transparency (CT) addresses this by requiring all Certificate Authorities to publicly log every certificate they issue in tamper-evident, append-only logs. When a CA issues a certificate for fileshot.io, it must submit the certificate to at least two independent CT logs before the certificate is considered valid. Browsers (Chrome, Safari, and others) reject certificates that lack CT proof, called Signed Certificate Timestamps (SCTs).
For file sharing users, CT provides a crucial guarantee: if someone obtains a fraudulent certificate for your file sharing provider’s domain, the certificate will be publicly visible in CT logs. Domain owners can monitor these logs using tools like crt.sh or Google’s CT search to detect unauthorized certificates within hours. This doesn’t prevent the fraudulent certificate from being issued, but it ensures it cannot be used covertly for an extended period.
HSTS and Certificate Pinning
Even with TLS 1.3 and Certificate Transparency, there are still attack vectors that can undermine transport security. Two additional mechanisms provide defense in depth.
HSTS (HTTP Strict Transport Security) instructs browsers to always use HTTPS for a given domain, even if the user types http:// or clicks an HTTP link. Without HSTS, an attacker on the same network (e.g., a malicious Wi-Fi access point) can intercept the initial unencrypted HTTP request and redirect the user to a spoofed site before HTTPS is established. This is called an SSL stripping attack. HSTS eliminates it by ensuring the browser never makes an unencrypted request to the domain after the first visit. For file sharing, HSTS prevents an attacker from downgrading your connection to HTTP and capturing your files in plaintext.
HSTS can be further strengthened with HSTS preloading, where the domain is hardcoded into the browser’s source code so that even the first visit uses HTTPS. FileShot uses both HSTS and HSTS preloading to ensure that no connection to our servers is ever unencrypted.
Certificate pinning (also called public key pinning) restricts which certificates a browser will accept for a given domain. Instead of trusting any certificate issued by any CA, pinning says “only trust certificates with this specific public key or this specific issuer.” While HTTP Public Key Pinning (HPKP) was deprecated in browsers due to the risk of self-denial-of-service (if you pin the wrong key, your site becomes permanently inaccessible), certificate pinning remains valuable in mobile apps and desktop clients where the risk can be managed more carefully.
Transport Encryption vs. At-Rest Encryption: The Critical Distinction
Here is where most discussions of TLS and file sharing go wrong. TLS protects your files in transit—between your browser and the server. Once the TLS connection terminates at the server, your file exists in plaintext in the server’s memory. What happens after that depends entirely on the platform’s architecture.
Most file sharing platforms handle this by re-encrypting the file at rest using server-side encryption. Amazon S3, Google Cloud Storage, and Azure Blob Storage all offer server-side encryption that encrypts files on disk. But there’s a critical problem: the server holds both the encrypted file and the key to decrypt it. Server-side encryption protects against physical theft of hard drives, but it offers zero protection against a compromised server, a malicious insider, a subpoena, or a supply chain attack that gives an attacker access to the running server.
Think of it this way: TLS is like an armored truck that transports your valuables from your house to a vault. Server-side encryption is like locking the vault door. But if the vault owner has a copy of the key, anyone who compromises the vault owner has access to your valuables. True security requires that only you hold the decryption key.
Why You Need Both: TLS and Client-Side Encryption
The answer is client-side, zero-knowledge encryption—where your files are encrypted on your device before TLS even enters the picture. In this model, TLS protects the already-encrypted ciphertext during transit, and the server only ever sees encrypted blobs that it cannot decrypt because the key never leaves your browser.
At FileShot, this is exactly how we operate. When you upload a file, the following happens in sequence:
- Client-side encryption: Your browser generates a random 256-bit AES key, encrypts your file using AES-256-GCM, and produces an encrypted blob plus a file-specific key. This happens entirely in your browser using the Web Crypto API. The key is embedded in the shareable link’s URL fragment (the part after the
#), which is never sent to the server. - TLS transport: Your browser opens a TLS 1.3 connection to FileShot’s servers. The encrypted blob (not the original file) is transmitted over this connection, encrypted again by TLS. This creates a double layer of encryption during transit.
- At-rest storage: The server stores the encrypted blob. It never sees the original file. It never receives the decryption key. Even if the server is fully compromised, the attacker obtains only encrypted ciphertext.
This architecture means that TLS protects against eavesdropping on the wire, while zero-knowledge encryption protects against server compromise, insider threats, legal compulsion, and supply chain attacks. Neither layer alone is sufficient. Together, they provide defense in depth that addresses threats at every point in the file’s lifecycle.
TLS Configuration Pitfalls in File Sharing Platforms
Even platforms that support TLS 1.3 can undermine their own security through misconfiguration. Here are the most common pitfalls we see in file sharing services:
Mixed content: Serving the main page over HTTPS but loading JavaScript, CSS, or API endpoints over HTTP. An attacker can modify the HTTP resources to inject malicious code, effectively bypassing TLS entirely. This is particularly dangerous for file sharing platforms where the client-side encryption code is loaded via <script> tags—if even one script loads over HTTP, the entire encryption model can be subverted.
Weak cipher suite ordering: Supporting TLS 1.3 but preferring TLS 1.2 cipher suites in the server configuration, or allowing weak TLS 1.2 ciphers alongside strong TLS 1.3 ones. A downgrade attack can force the connection to use the weaker configuration.
Missing HSTS: Without HSTS headers, the first request to the domain can be intercepted and stripped to HTTP. For file sharing, this means a user’s first visit could be hijacked even if all subsequent requests use HTTPS.
Short-lived sessions without key rotation: Using the same TLS session ticket keys for extended periods reduces the effective forward secrecy of the connection. Session ticket keys should be rotated at least every 24 hours.
TLS termination at the load balancer with unencrypted backend traffic: Many file sharing platforms terminate TLS at a load balancer or reverse proxy, then forward traffic to backend servers over unencrypted HTTP. This means that anyone with access to the internal network—or any compromised internal service—can capture files in plaintext.
Practical Tips: How to Verify TLS on Any File Sharing Site
You don’t need to be a security engineer to verify that a file sharing site is using modern TLS. Here’s how to check:
1. Browser check: Click the padlock icon in your browser’s address bar. In Chrome, click “Connection is secure” → “Certificate is valid” and check the protocol version. You want to see “TLS 1.3.” In Firefox, click the padlock → “More Information” → “Technical Details” to see the full cipher suite string (e.g., TLS_AES_256_GCM_SHA384, 256 bit keys, TLS 1.3).
2. SSL Labs test: Visit ssllabs.com/ssltest and enter the file sharing site’s domain. SSL Labs provides a detailed report including protocol versions, cipher suites, certificate chain, HSTS status, and an overall grade. Look for an A or A+ rating. Any file sharing platform scoring below A should be treated with caution.
3. DevTools Security tab: Open your browser’s DevTools (F12), navigate to the Security tab, and load the file sharing site. The Security tab shows the protocol version, key exchange algorithm, and cipher used for the connection, as well as whether all subresources were loaded securely.
4. Check for Certificate Transparency: Visit crt.sh and search for the file sharing site’s domain. This shows all certificates that have been issued for that domain and logged in CT logs. If you see certificates from unexpected CAs or certificates you didn’t expect, that’s a red flag.
5. Test with curl or openssl: For a more technical check, run openssl s_client -connect fileshot.io:443 -tls1_3 from a terminal. This attempts a TLS 1.3 connection and displays the negotiated cipher suite, certificate chain, and session details. If the connection fails, the server does not support TLS 1.3.
TLS in the Context of Regulatory Compliance
If you’re transferring files that fall under regulatory frameworks, TLS configuration isn’t just a best practice—it’s a legal requirement. HIPAA requires encryption of electronic Protected Health Information (ePHI) in transit. PCI DSS 4.0 mandates TLS 1.2 or higher with strong cipher suites for payment card data. GDPR Article 32 requires “appropriate technical and organisational measures” including encryption during transmission. SOC 2 Type II audits evaluate TLS configuration as part of the encryption in transit control.
For organizations subject to these frameworks, using a file sharing platform with weak TLS configuration isn’t just risky—it’s a compliance violation. TLS 1.3 with ECDHE key exchange and AEAD ciphers satisfies current requirements across all major regulatory frameworks. Platforms that still support TLS 1.0 or 1.1 are actively non-compliant with PCI DSS and increasing risk for HIPAA and GDPR.
The Future: TLS and Post-Quantum Cryptography
The biggest looming threat to TLS—and by extension, to every file transfer that relies on it—is quantum computing. Shor’s algorithm, run on a sufficiently powerful quantum computer, can break both RSA and elliptic curve cryptography in polynomial time. This means the ECDHE key exchanges that TLS 1.3 relies on for forward secrecy will eventually be vulnerable.
The threat is not hypothetical. Adversaries are already executing “harvest now, decrypt later” attacks—recording encrypted traffic today with the expectation of decrypting it once quantum computers become available. For file sharing, this means a sensitive file uploaded today under TLS 1.3 could potentially be decrypted in 10–20 years if the ciphertext was recorded.
The industry response is post-quantum cryptography. NIST finalized its first post-quantum standards in 2024: ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures. Chrome and other browsers have already begun deploying hybrid key exchange (X25519 + ML-KEM) that combines classical and post-quantum algorithms, providing security even if one of them is broken. TLS will evolve to incorporate these algorithms, and file sharing platforms that adopt them early will provide the strongest protection against both current and future threats.
Key Takeaways
TLS 1.3 is the most significant upgrade to transport encryption in a decade. It eliminates RSA key exchange, removes CBC cipher suites, enforces forward secrecy, completes the handshake in a single round trip, and encrypts the server certificate to prevent passive fingerprinting. For file sharing, these changes mean faster uploads, stronger encryption, and protection against retroactive decryption.
But TLS alone is not enough. TLS protects your files between your browser and the server. Once they arrive at the server, their security depends entirely on the platform’s architecture. Server-side encryption with server-held keys provides marginal protection. Only client-side, zero-knowledge encryption—where your files are encrypted before they enter the TLS tunnel and the decryption key never reaches the server—provides true end-to-end security.
When choosing a file sharing platform, verify that it uses TLS 1.3 (check with SSL Labs or your browser’s DevTools), enforces HSTS, supports Certificate Transparency, and—most importantly—encrypts your files on the client before upload. That’s the difference between a service that protects your files in transit and one that protects your files everywhere.
Ready to experience file sharing with both TLS 1.3 transport security and zero-knowledge encryption? Upload your first encrypted file on FileShot or learn how our security model works.