Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
are cryptographic protocols meant to secure communications between client and
server over internal or external networks. Their purpose is to protect the
privacy and integrity of data in transit against tampering or theft. These
protocols are used heavily by web browsers connecting to web servers, which is
what lets transactions be performed securely on those web pages.
The TLS protocol is the successor to the now aged SSL protocol and has several
versions that are widely used to encrypt data crossing the internet. SSL 3.0 is
still used on certain systems because of old hardware, operating systems and the
like, but it has been extensively disabled due to inherent security weaknesses
in the protocol. The newer TLS protocol has three versions, 1.0, 1.1 and 1.2,
with 1.1 and 1.2 deemed the most secure. Earlier this year the PCI Council
classified both SSL 3.0 and TLS 1.0 as insecure protocols that should be
disabled on all services that offer them. It is not enough to drop them in
priority: an older browser could still select them, and attackers using
techniques such as BEAST, POODLE or DROWN could attempt downgrade attacks to
exploit the vulnerable SSL 2.0 and 3.0 protocols. At this point the
recommendation is to enable only TLS 1.1 and 1.2, because of the security
concerns with the lower versions.
After client and server have agreed on a protocol version, a cipher suite is
negotiated next. The protocol version in use also determines which cipher
suites are available for selection between client and server. Most of the
ciphers offering the best security belong to TLS 1.1 and TLS 1.2, and TLS 1.2
is the only version able to run the GCM cipher suites, which are more secure
than their CBC predecessors. As with all things in encryption, a larger key
means stronger encryption, so key length is another useful way to compare
ciphers. The negotiated cipher is then used to encrypt data between client and
server.
Using these technologies together with certificates allows authentication of
the other party, validating that the server the client is connecting to is who
it claims to be. The certificate itself plays no part in selecting the protocol
version (SSL 3.0, TLS 1.2, etc.) or the cipher suite used afterwards; those are
negotiated by the client and server, normally the client browser and the
server’s operating system agreeing on how to secure the data in transit. When
certificates are involved, a third-party certificate authority (such as
Verisign or GoDaddy) normally vouches that the website you are accessing is the
actual server you intend to view, and that is how your browser comes to trust
that it has reached a legitimate site. Encryption is the result of the
client/server negotiation, not of the presence of a certificate. Data can still
be sent encrypted without one, but from the client’s perspective you can never
be sure you are sending data to the “real” server unless its identity has been
verified by a third-party certificate.
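The two previous paragraphs describe three separately negotiated things: the protocol version, the cipher suite, and certificate-based identity verification. The following Python example, added here and not part of the original text, makes those three settings concrete with the standard library’s ssl module. It builds a server context that refuses SSL 3.0, TLS 1.0 and TLS 1.1 outright and admits only forward-secret AES-GCM suites, a deliberately weak "legacy" server context that merely lists GCM suites first while leaving CBC suites selectable, and a client context that requires and checks the server certificate. An audit function then reports what each context would still allow. The cipher strings, function names and the choice of TLS 1.2 as the floor (the page recommends 1.1 and 1.2; 1.2 is used here because, as the text notes, only 1.2 carries the GCM suites) are this example’s own choices; the certificate path shown in a comment is a placeholder.

```python
import ssl

# Cipher string limited to forward-secret AES-GCM (AEAD) suites, which the text
# notes exist only under TLS 1.2. This exact string is the example's choice.
GCM_ONLY = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def hardened_server_context() -> ssl.SSLContext:
    """Server context: TLS 1.2 as the floor, GCM-only suites, server picks order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse the old versions rather than merely de-prioritising them: an old
    # client then fails the handshake instead of being downgraded.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(GCM_ONLY)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    # A real deployment loads its key pair here (placeholder path):
    # ctx.load_cert_chain("/path/to/server.pem", "/path/to/server.key")
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Server context that only *prefers* modern suites; CBC suites stay selectable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if ssl.HAS_TLSv1:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # TLS 1.0 still reachable
    # GCM listed first, but ECDHE+AES128 also admits CBC / SHA-1 suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+AES128")
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context: verifies the server's certificate chain and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(GCM_ONLY)
    return ctx


def audit_context(ctx: ssl.SSLContext, role: str) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"protocol floor is {ctx.minimum_version.name}: "
            "SSL 3.0 / TLS 1.0 / TLS 1.1 remain selectable by an old client")
    # get_ciphers() lists every suite the context would offer or accept.
    for cipher in ctx.get_ciphers():
        if not cipher["aead"]:
            findings.append(
                f"non-AEAD suite enabled: {cipher['name']} ({cipher['symmetric']})")
    if role == "server" and not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("server does not enforce its own cipher order")
    if role == "client":
        # Without these the channel is still encrypted, but the peer's
        # identity is never verified: the certificate point made in the text.
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("peer certificate not required")
        if not ctx.check_hostname:
            findings.append("hostname not checked against the certificate")
    return findings


if __name__ == "__main__":
    for label, ctx, role in [
        ("hardened server", hardened_server_context(), "server"),
        ("legacy server", legacy_server_context(), "server"),
        ("hardened client", hardened_client_context(), "client"),
    ]:
        print(f"== {label} ==")
        for finding in audit_context(ctx, role) or ["no findings"]:
            print("  -", finding)
```

Running the script shows the legacy server still advertising CBC suites even though GCM suites come first in its list, which is the page’s point that lowering priority is not the same as disabling. The client audit reports on verify_mode and check_hostname separately from the protocol and cipher checks, mirroring the text’s distinction between encrypting the channel and verifying who is on the other end of it.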
All these aspects, network protocols, ciphers and certificates, used in tandem
give us the ability to communicate securely over the internet and to protect
the security and privacy of our data.