SSL & TLS Movement [Part 1]
This is what William Shakepeare thought about SSL :) !!!
For establishing an encrypted link between web server and browser, Secure Socket Layer is the standard security technology. SSL protect all the data passed between the web server and ensures browsers remain private and integral from attackers. This link is an industry standard and is used by millions of websites for protect the transactions between websites and their customers.
Secure Socket Layer allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, browsers and web servers’ data transmitted using plain text-leaving you vulnerable to eavesdropping. If an attacker can intercept all data being sent between browser and the web servers, it will affect the user confidentiality.
Specifically, SSL is a secure protocol. Protocol describe how algorithms should be used. In SSL, protocols determine variables of the encryption for both the link and the data being transmitted.
The users cannot see how complex is the SSL protocol. Instead their browser provides the users a key indicator to let the users know they are currently protected by SSL encrypted session. By clicking the lock icon in the browser, you can see the SSL Certificate and the details about it.
All browsers have the capability to interact with secures web servers using SSL protocols. To establish a secure connection between browser and web servers, browser and the servers need SSL certificate.
Secure socket Layer secures millions of peoples’ data on the internet every day. Specially during online transactions or when transmitting confidential information.
What is WIldcard SSL ?
The wild card SSL is another type of secure certificates that helps to enable the SSL encryption on the several sub domains with the use of one certificate, unless the domains are still in control by the similar organization and they are sharing same domain second-level name. For example, a wildcard certificate released to SSL Company using the same name as “SSL.com” will be used to keep it secure with following possible domains such as “login.ssl.com”, “support.ssl.com” or “payment.ssl.com” and more. A wildcard notification come with an asterisk then a period before the chosen domain name. These are wildcards to broaden the SSL encryption to its sub domains. In case of ww.ssl.com as example, the *.ssl.co will also secure its other sub domains such as “login.ssl.com” and more.
Benefits of Wildcard SSL.
· A great advantage is that is not much expensive compared to other types.
· SSL Wildcard Certificate easy to manage and some types of SSL certificates and PKI interfaces that manage it require intimidating task compared to wildcard SSL that work faster.
· The greatest benefit with using type is because of its maximum security.
SSL Version 1
Secure socket layer version one is never publicly published because of the security flaws. Netscape developed the SSL to handle encryption over the web server links. They used SSL inside the Netscape and it was able to crack down in 10 minutes’ period. Then Netscape communications didn’t publish the SSL version 01.
SSL Version 2
Secure socket layer version 2 protocols also developed and released by Netscape. After about two months they discovered significant flaws in SSL version 2as well. Then Netscape officially withdrawn the SSL version 2 less than a year.
There were some security flows in this version -
· SSL 2.0 uses Identical cryptographic keys for message authentication and encryption.
· It also uses weak MAC construction that uses the MD5 hash function with secret prefix. It is vulnerable to length extension attack.
· SSL 2.0 didn’t use any security or protection for the handshake, so it was vulnerable to the Man in the Middle attack.
· SSL 2,0 used TCP Connection Close to indicate the end of data. So, it was made possible of the truncation attacks. Attackers can use TCP FIN which leaves the recipient unaware about the unauthorized end of data message.
SSL Version 3
Netscape released Secure Socket Layer 3.0 by solving the flaws found in the Secure Socket Layer 2.0. They add SHA-1 that support for certificate authentication and based ciphers.
Here are the flows -
· Version 3 of the SSL is having the weak key derivation process. Half of the Master Key creation is completely depending on the MD5 hash function. MD5 hash function is not a collision resistant and considered as less secured.
· SSL 3.0 Master key is completely based on the MD5 and SHA-1 as SSL 1.0.
How SSL Works?
When an internet browser attempts to access an SSL secured website, the browser and the web server establish an SSL connection using a process called “SSL Handshake”. This SSL handshake is not visible to the users.
SSL uses three keys to set up SSL connection. Those three keys are named public key, private key and session key. If anything encrypted with the public key can only decrypt with the private key.
To encrypt and decrypt using public and private keys took lot of processing power, they are only using during the SSL Handshake to create a symmetric session key. After the secure connection established, the session key is used to encrypt all transmitted data.
1. Browser connects with the web server that secured with SSL. Then browser send a request to identify itself.
2. Server sends an SSL Certificate copy of it including the server’s public key.
3. Then the Browser check the certificate root against a list of trusted CAs. Also, the browser checks if the Certificate unexpired, unrevoked and its domain name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypt, and sends back a symmetric session key using the server’s public key.
4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement (ACK) encrypted with session key to start the encrypted session.
5. Server and the Browser now encrypt all transmitted data with the session key. And now secure connection is established.
Transferring to TLS
Secure Socket Layer version 2.0 and 3.0 have been deprecated by the Internet Engineering Task Force (IETF). Over the years’ lot of vulnerabilities discovered from deprecated SSL Protocols. For example, POODLE and DROWN vulnerabilities. So Netscape upgraded the Secure Socket Layer protocols to Transport Layer Protocols.
What is TLS? …. Check Part 2 ….
Written By/ K R M M B Rajapakshe | Dissanayaka D.M.A.S -3rd Year 2nd Semester -Cyber Security Student SLIIT