Introduction to the TLS/SSL cryptography protocol
SSL stands for Secure Socket Layer. First version of SSL was developed by Netscape in 1995. SSL is the industry standard to establish secure internet connection when any data is being transmitted between two or more computers.Thus, SSL prevents attackers from intercepting/reading and modifying any data which is being sent over the internet.
SSL basically makes use of encryption to ensure the data being transmitted is safe and cannot be accessed by an attacker, thus preventing attackers from reading and changing the data.
Following versions of SSL have been released along with the year as mentioned below:
- SSL 1.0 – This was not released because of inherent security issues.
- SSL 2.0 – Released in 1995. It had many security flaws present in it. Deprecated in 2011.
- SSL 3.0 – Latest version of SSL. Released in 1996 to address security issues in SSL 2.0, deprecated in 2015. SSL 3.0 had the ability to roll back to SSL 2.0 when a client supporting 2.0 was encountered.
TLS stands for Transport Layer Security. First version of TLS was developed by the Internet Engineering Task Force (IETF) in 1999. In simple words, TLS is an updated and more secure version of SSL.
Following versions of TLS have been released along with the year as mentioned –
- TLS 1.0 – Defined in RFC 2246 and was released in January 1999. It is an upgrade from SSL 3.0 and there isn’t much difference between SSL 3.0 & TLS 1.0,but they don`t interoperate with each other.
- TLS 1.1 – TLS 1.1 has been defined in RFC 4346 and was released in April 2006. TLS 1.1 is an update to TLS 1.0
- TLS 1.2 – TLS 1.2 has been defined in RFC 5246 and was released in Aug 2008. TLS 1.2 is an update to TLS 1.1
- TLS 1.3 – TLS 1.3 has been defined in RFC 8446 and was released in Aug 2018. TLS 1.3 is an update to TLS 1.2
Primary use case of both SSL and TLS is encrypting the data being sent between the web applications and servers. SSL/TLS can also be used for encrypting other communications such as messaging, email and voice over IP (VoIP)
Many times when you connect to a website from a browser, the browser displays a small padlock to the left of the web address. This padlock notifies that the website is using SSL/TLS to encrypt the data being sent between the website and the server. This is one of the ways to identify whether the communication is happening over HTTP or HTTPS.
SSL and TLS differences
Below table highlights major difference between SSL and TLS
|Stands for Secure Socket Layer.||Stands for Transport Layer Security.|
|First version was developed by Netscape in 1995.||First version was developed by the Internet Engineering Task Force (IETF) in 1999.|
|SSL supports the Fortezza algorithm.||TLS doesn’t support the Fortezza algorithm.|
|Latest version – 3.0||Latest version – `1.3|
|Message digest is used for creating master secrets.||Pseudo-random function is used for creating master secrets.|
|Message Authentication Code protocol is used.||Hashed Message Authentication Code protocol is used.|
|SSL is more complex than TLS||TLS is simple.|
|SSL is less secure as compared to TLS||TLS provides high security.|
|All versions of SSL have vulnerabilities, thus all have been deprecated.||TLS 1.0 & 1.1 have been “broken” and have been deprecated as of March 2020. TLS 1.2 is the most widely deployed protocol version in use.|
SSL/TLS Cipher suites are lists of algorithms which help secure a network by encrypting the data between two systems. It is of the form:
PROTOCOL_KEY EXCHANGE ALGORITHM_DIGITAL SIGNATURE ALGORITHM_BULK ENCRYPTION ALGORITHM_HASHING ALGORITHM
Example – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL/TLS make use of various cipher suites. Some of the ciphers are vulnerable while some are safe to use. List of ciphers which are safe to use have been listed below –
TLS certificate cipher check
Many times during penetration testing there arises a scenario where we have to check whether the TLS certificate does not run any vulnerable ciphers. It is not feasible to check this manually, thus we need some automation or tool to get this done. There are many tools to get this done.
An alternative to this is to use a website called ssllabs by Qualys. The URL is https://www.ssllabs.com/ssltest/ . One just has to pass the HTTPS URL to the website and it automatically does all the job of verifying the ciphers and other details which need to be done in a certificate.