Securing the Long Haul: Challenges with Long-Lived TLS 1.3 and QUIC Sessions

TLS 1.3 and QUIC lack native mechanisms for refreshing cryptographic keys or certificates during long-lived sessions which creates challenges for applications like always-on VPNs, IoT, or real-time streaming. This talk explores the security risks of long-lived sessions and reviews recent IETF work (Extended Key Update and Certificate Update) that aim to address these gaps. We’ll compare with TLS 1.2 renegotiation, highlight how other protocols like Wireguard, SSH and IKEv2 approach key rotation, and examine existing workarounds used in practice. The session is targeted at implementers, protocol designers, and security practitioners interested in evolving TLS and QUIC for modern use cases.