Transport Layer Security

Source: Wikipedia, the free encyclopedia.
(Redirected from
TLS 1.0
)

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

The TLS protocol aims primarily to provide security, including privacy (confidentiality), integrity, and authenticity through the use of cryptography, such as the use of certificates, between two or more communicating computer applications. It runs in the presentation layer and is itself composed of two layers: the TLS record and the TLS handshake protocols.

The closely related Datagram Transport Layer Security (DTLS) is a

communications protocol that provides security to datagram-based applications. In technical writing, references to "(D)TLS" are often seen when it applies to both versions.[1]

TLS is a proposed

Netscape Communications for adding the HTTPS protocol to their Netscape Navigator
web browser.

Description

tampering
.

Since applications can communicate either with or without TLS (or SSL), it is necessary for the

HTTP traffic while port 443 is the common port used for encrypted HTTPS traffic. Another mechanism is to make a protocol-specific STARTTLS request to the server to switch the connection to TLS – for example, when using the mail and news
protocols.

Once the client and server have agreed to use TLS, they negotiate a

symmetric cipher
. During this handshake, the client and server agree on various parameters used to establish the connection's security:

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS handshake fails and the connection is not created.

TLS and SSL do not fit neatly into any single layer of the OSI model or the TCP/IP model.[4][5] TLS runs "on top of some reliable transport protocol (e.g., TCP),"[6]: §1  which would imply that it is above the transport layer. It serves encryption to higher layers, which is normally the function of the presentation layer. However, applications generally use TLS as if it were a transport layer,[4][5] even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.[6]: §1 

When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) will have all of the following properties:[6]: §1 

  • The connection is private (or has confidentiality) because a symmetric-key algorithm is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret that was negotiated at the start of the session. The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
  • The identity of the communicating parties can be authenticated using public-key cryptography. This authentication is required for the server and optional for the client.
  • The connection is reliable (or has integrity) because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the tables below § Key exchange, § Cipher security, and § Data integrity).

Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats. Developers of web browsers have repeatedly revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).

Datagram Transport Layer Security

Datagram Transport Layer Security, abbreviated DTLS, is a related

tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. However, unlike TLS, it can be used with most datagram oriented protocols including User Datagram Protocol (UDP), Datagram Congestion Control Protocol (DCCP), Control And Provisioning of Wireless Access Points (CAPWAP), Stream Control Transmission Protocol (SCTP) encapsulation, and Secure Real-time Transport Protocol
(SRTP).

As the DTLS protocol datagram preserves the semantics of the underlying transport—the application it does not suffer from the delays associated with stream protocols, however the application has to deal with

packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids the "TCP meltdown problem",[9][10]
when being used to create a VPN tunnel.

The original 2006 release of DTLS version 1.0 was not a standalone document. It was given as a series of deltas to TLS 1.1.[11] Similarly the follow-up 2012 release of DTLS is a delta to TLS 1.2. It was given the version number of DTLS 1.2 to match its TLS version. Lastly, the 2022 DTLS 1.3 is a delta to TLS 1.3. Like the two previous versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".[12]

Many

Edge VPN Client,[17] and Citrix Systems NetScaler[18] use DTLS to secure UDP traffic. In addition all modern web browsers support DTLS-SRTP[19] for WebRTC
.

History and development

SSL and TLS protocols
Protocol Published Status
Old version, no longer maintained: SSL 1.0 Unpublished Unpublished
Old version, no longer maintained: SSL 2.0 1995 Deprecated in 2011 (RFC 6176)
Old version, no longer maintained: SSL 3.0 1996 Deprecated in 2015 (RFC 7568)
Old version, no longer maintained: TLS 1.0 1999 Deprecated in 2021 (RFC 8996)[20][21][22]
Old version, no longer maintained: TLS 1.1 2006 Deprecated in 2021 (RFC 8996)[20][21][22]
Older version, yet still maintained: TLS 1.2 2008 In use since 2008[23][24]
Current stable version: TLS 1.3 2018 In use since 2018[24][25]

Secure Data Network System

The Transport Layer Security Protocol (TLS), together with several other basic network security platforms, was developed through a joint initiative begun in August 1986, among the National Security Agency, the National Bureau of Standards, the Defense Communications Agency, and twelve communications and computer corporations who initiated a special project called the Secure Data Network System (SDNS).[26] The program was described in September 1987 at the 10th National Computer Security Conference in an extensive set of published papers. The innovative research program focused on designing the next generation of secure computer communications network and product specifications to be implemented for applications on public and private internets. It was intended to complement the rapidly emerging new OSI internet standards moving forward both in the U.S. government's GOSIP Profiles and in the huge ITU-ISO JTC1 internet effort internationally. Originally known as the SP4 protocol, it was renamed TLS and subsequently published in 1995 as international standard ITU-T X.274|ISO/IEC 10736:1995.

Secure Network Programming (SNP)

Early research efforts towards transport layer security included the

Simon Lam at UT-Austin in 1991.[29] Secure Network Programming won the 2004 ACM Software System Award.[30][31] Simon Lam was inducted into the Internet Hall of Fame for "inventing secure sockets and implementing the first secure sockets layer, named SNP, in 1993."[32][33]

SSL 1.0, 2.0, and 3.0

Netscape developed the original SSL protocols, and

man-in-the-middle attacks
could go undetected. Moreover, SSL 2.0 assumed a single service and a fixed domain certificate, conflicting with the widely used feature of virtual hosting in Web servers, so most websites were effectively impaired from using SSL.

These flaws necessitated the complete redesign of the protocol to SSL version 3.0.

RFC 6101
.

SSL 2.0 was deprecated in 2011 by

.

TLS 1.0

TLS 1.0 was first defined in

RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Certicom. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". Tim Dierks later wrote that these changes, and the renaming from "SSL" to "TLS", were a face-saving gesture to Microsoft, "so it wouldn't look [like] the IETF was just rubberstamping Netscape's protocol".[40]

The

in March 2021.

TLS 1.1

TLS 1.1 was defined in RFC 4346 in April 2006.[43] It is an update from TLS version 1.0. Significant differences in this version include:

Support for TLS versions 1.0 and 1.1 was widely deprecated by web sites around 2020, disabling access to Firefox versions before 24 and Chromium-based browsers before 29.[45][46][47]

TLS 1.2

TLS 1.2 was defined in RFC 5246 in August 2008.[23] It is based on the earlier TLS 1.1 specification. Major differences include:

All TLS versions were further refined in

RFC 6176
in March 2011, removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL) version 2.0. There is currently no formal date for TLS 1.2 to be deprecated.

TLS 1.3

TLS 1.3 was defined in RFC 8446 in August 2018.[6] It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:[48]

  • Separating key agreement and authentication algorithms from the cipher suites[44][6]: §11 
  • Removing support for weak and less-used named elliptic curves
  • Removing support for MD5 and SHA-224 cryptographic hash functions
  • Requiring digital signatures even when a previous configuration is used
  • Integrating HKDF and the semi-ephemeral DH proposal
  • Replacing resumption with PSK and tickets
  • Supporting 1-
    RTT
  • Mandating perfect forward secrecy, by means of using ephemeral keys during the (EC)DH key agreement
  • Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, null ciphers,[49] non-PFS key exchange (among which are static RSA and static DH key exchanges), custom DHE groups, EC point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
  • Prohibiting SSL or RC4 negotiation for backwards compatibility
  • Integrating use of session hash
  • Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
  • Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
  • Adding the
    ChaCha20 stream cipher with the Poly1305
    message authentication code
  • Adding the
    Ed448
    digital signature algorithms
  • Adding the
    x448
    key exchange protocols
  • Adding support for sending multiple OCSP responses
  • Encrypting all handshake messages after the ServerHello

Firefox 60.0.[52]

Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as Blue Coat web proxies.[53]

The intolerance of the new version of TLS was

Greasing' an extension point, where one protocol participant claims support for non-existent extensions to ensure that unrecognised-but-actually-existent extensions are tolerated and so to resist ossification, was originally designed for TLS, but it has since been adopted elsewhere.[56]

During the IETF 100 Hackathon, which took place in Singapore in 2017, the TLS Group worked on adapting open-source applications to use TLS 1.3.[57][58] The TLS group was made up of individuals from Japan, United Kingdom, and Mauritius via the cyberstorm.mu team.[58] This work was continued in the IETF 101 Hackathon in London,[59] and the IETF 102 Hackathon in Montreal.[60]

wolfSSL enabled the use of TLS 1.3 as of version 3.11.1, released in May 2017.[61] As the first commercial TLS 1.3 implementation, wolfSSL 3.11.1 supported Draft 18 and now supports Draft 28,[62] the final version, as well as many older versions. A series of blogs were published on the performance difference between TLS 1.2 and 1.3.[63]

In , the popular OpenSSL project released version 1.1.1 of its library, in which support for TLS 1.3 was "the headline new feature".[64]

Support for TLS 1.3 was first added to Schannel with Windows 11 and Windows Server 2022.[65]

Enterprise Transport Security

The Electronic Frontier Foundation praised TLS 1.3 and expressed concern about the variant protocol Enterprise Transport Security (ETS) that intentionally disables important security measures in TLS 1.3.[66] Originally called Enterprise TLS (eTLS), ETS is a published standard known as the 'ETSI TS103523-3', "Middlebox Security Protocol, Part3: Enterprise Transport Security". It is intended for use entirely within proprietary networks such as banking systems. ETS does not support forward secrecy so as to allow third-party organizations connected to the proprietary networks to be able to use their private key to monitor network traffic for the detection of malware and to make it easier to conduct audits.[67][68] Despite the claimed benefits, the EFF warned that the loss of forward secrecy could make it easier for data to be exposed along with saying that there are better ways to analyze traffic.

Digital certificates

Example of a website with digital certificate

A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. Keystores and trust stores can be in various formats, such as .pem, .crt, .pfx, and .jks.

Certificate authorities

TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,[69] and can be modified by the relying party.

According to

Sectigo are the top 3 certificate authorities in terms of market share since May 2019.[72]

As a consequence of choosing

2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM) if the certificate authority cooperates (or is compromised).[73][74]

Importance of SSL Certificates

  • Encryption: SSL certificates encrypt data sent between a web server and a user’s browser, ensuring that sensitive information is protected throughout transmission. This encryption technology stops unauthorized parties from intercepting and interpreting data, so protecting it from possible risks such as hacking or data breaches.
  • Authentication: SSL certificates also offer authentication, certifying the integrity of a website and that visitors are connecting to the correct server rather than a malicious impostor. This authentication method helps consumers gain trust by ensuring that they are dealing with a trustworthy and secure website.
  • Integrity: Another important role of SSL certificates is to ensure data integrity. SSL uses cryptographic techniques to verify that data communicated between the server and the browser is intact and unmodified during transit. This keeps malevolent actors from interfering with the data, ensuring its integrity and trustworthiness.

Algorithms

Key exchange or key agreement

Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see

Diffie–Hellman (TLS_DH), ephemeral Diffie–Hellman (TLS_DHE), elliptic-curve Diffie–Hellman (TLS_ECDH), ephemeral elliptic-curve Diffie–Hellman (TLS_ECDHE), anonymous Diffie–Hellman (TLS_DH_anon),[23] pre-shared key (TLS_PSK)[75] and Secure Remote Password (TLS_SRP).[76]

The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable to man-in-the-middle attacks. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, Google announced that it would no longer use 1024-bit public keys and would switch instead to 2048-bit keys to increase the security of the TLS encryption it provides to its users because the encryption strength is directly related to the key size.[77][78]

Key exchange/agreement and authentication
Algorithm SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 Status
RSA Yes Yes Yes Yes Yes No Defined for TLS 1.2 in RFCs
DH-RSA No Yes Yes Yes Yes No
DHE-RSA (forward secrecy) No Yes Yes Yes Yes Yes
ECDH-RSA No No Yes Yes Yes No
ECDHE-RSA (forward secrecy) No No Yes Yes Yes Yes
DH-DSS No Yes Yes Yes Yes No
DHE-DSS (forward secrecy) No Yes Yes Yes Yes No[79]
ECDSA
(forward secrecy)
No No No No No Yes
ECDSA
No No Yes Yes Yes No
ECDSA
(forward secrecy)
No No Yes Yes Yes Yes
DHE-EdDSA (forward secrecy) No No No No No Yes
ECDH-EdDSA No No Yes Yes Yes No
ECDHE-EdDSA (forward secrecy)[80] No No Yes Yes Yes Yes
PSK No No Yes Yes Yes Yes
RSA-PSK No No Yes Yes Yes No
DHE-PSK (forward secrecy) No No Yes Yes Yes Yes
ECDHE-PSK (forward secrecy) No No Yes Yes Yes Yes
SRP No No Yes Yes Yes No
SRP-DSS No No Yes Yes Yes No
SRP-RSA No No Yes Yes Yes No
Kerberos No No Yes Yes Yes ?
DH-ANON (insecure) No Yes Yes Yes Yes No
ECDH-ANON (insecure) No No Yes Yes Yes No
GOST R 34.10-2012[81] No No No No Yes Yes Defined for TLS 1.2 and for TLS 1.3 in
RFC 9189, 9367
.

Cipher

Cipher security against publicly known feasible attacks
Cipher Protocol version Status
Type Algorithm Nominal strength (bits) SSL 2.0 SSL 3.0[n 1][n 2][n 3][n 4] TLS 1.0[n 1][n 3] TLS 1.1[n 1] TLS 1.2[n 1] TLS 1.3
Block cipher
with
mode of operation
AES GCM[82][n 5] 256, 128 Secure Secure Defined for TLS 1.2 in RFCs
AES CCM[83][n 5] Secure Secure
Insecure Depends on mitigations Depends on mitigations Depends on mitigations
Camellia GCM[84][n 5] 256, 128 Secure
Insecure Depends on mitigations Depends on mitigations Depends on mitigations
ARIA GCM[86][n 5] 256, 128 Secure
Depends on mitigations Depends on mitigations Depends on mitigations
128 Insecure Depends on mitigations Depends on mitigations Depends on mitigations
112[n 8] Insecure Insecure Insecure Insecure Insecure
GOST R 34.12-2015 Magma CTR[81][n 7] 256 Insecure Insecure Insecure Defined in
RFC 4357, 9189
GOST R 34.12-2015 Kuznyechik CTR[81] 256 Secure Defined in
RFC 9189
GOST R 34.12-2015 Magma MGM[81][n 5][n 7] 256 Insecure Defined in
RFC 9367
GOST R 34.12-2015 Kuznyechik MGM[81][n 5] 256 Secure Defined in
RFC 9367
128 Insecure Insecure Insecure Insecure Removed from TLS 1.2
056 Insecure Insecure Insecure Insecure
040[n 10] Insecure Insecure Insecure Forbidden in TLS 1.1 and later
040[n 10] Insecure Insecure Insecure
Stream cipher 256 Secure Secure Defined for TLS 1.2 in RFCs
RC4[n 11] 128 Insecure Insecure Insecure Insecure Insecure Prohibited in all versions of TLS by
RFC 7465
040[n 10] Insecure Insecure Insecure
None Null[n 12] Insecure Insecure Insecure Insecure Insecure Defined for TLS 1.2 in RFCs
Notes
  1. ^
    RFC 5746
    must be implemented to fix a renegotiation flaw that would otherwise break this protocol.
  2. , this violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Most current libraries implement the fix and disregard the violation that this causes.
  3. ^ a b The BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client and/or the server. See § Web browsers.
  4. ^ The POODLE attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client and/or the server. See § Web browsers.
  5. ^
    AEAD ciphers (such as GCM and CCM
    ) can only be used in TLS 1.2 or later.
  6. ^ a b c d e f g h CBC ciphers can be attacked with the Lucky Thirteen attack if the library is not written carefully to eliminate timing side channels.
  7. ^
    Sweet32 attack breaks block ciphers with a block size of 64 bits.[88]
  8. ^ Although the key length of 3DES is 168 bits, effective security strength of 3DES is only 112 bits,[89] which is below the recommended minimum of 128 bits.[90]
  9. ^ a b IDEA and DES have been removed from TLS 1.2.[91]
  10. ^ a b c 40-bit strength cipher suites were intentionally designed with reduced key lengths to comply with since-rescinded US regulations forbidding the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  11. RFC 7465 (because RC4 attacks
    weaken or break RC4 used in SSL/TLS).
  12. ^ Authentication only, no encryption.

Data integrity

A

CBC mode of block ciphers. Authenticated encryption (AEAD) such as GCM and CCM mode uses AEAD-integrated MAC and doesn't use HMAC.[6]: §8.4  HMAC-based PRF, or HKDF
is used for TLS handshake.

Data integrity
Algorithm SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 Status
HMAC-MD5 Yes Yes Yes Yes Yes No Defined for TLS 1.2 in RFCs
HMAC-SHA1 No Yes Yes Yes Yes No
HMAC-SHA256/384 No No No No Yes No
AEAD
No No No No Yes Yes
GOST 28147-89 IMIT[81]
No No No No Yes No Defined for TLS 1.2 in
RFC 9189
.
AEAD[81]
No No No No No Yes Defined for TLS 1.3 in
RFC 9367
.

Applications and adoption

In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as

.

Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

Websites

A primary use of TLS is to secure World Wide Web traffic between a website and a web browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the HTTPS protocol.[93]

Website protocol support (Sept 2023)
Protocol
version
Website
support[94]
Security[94][95]
Old version, no longer maintained: SSL 2.0 0.2% Insecure
Old version, no longer maintained: SSL 3.0 1.7% Insecure[96]
Old version, no longer maintained: TLS 1.0 30.1% Deprecated[20][21][22]
Old version, no longer maintained: TLS 1.1 32.5% Deprecated[20][21][22]
Older version, yet still maintained: TLS 1.2 99.9% Depends on cipher[n 1] and client mitigations[n 2]
Current stable version: TLS 1.3 64.8% Secure
Notes
  1. ^ see § Cipher table above
  2. ^ see § Web browsers and § Attacks against TLS/SSL sections

Web browsers

As of April 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the latest version of IE. Additionally, many Microsoft operating systems currently support multiple versions of IE, but this has changed according to Microsoft's Internet Explorer Support Lifecycle Policy FAQ, "beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates." The page then goes on to list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end of life stage. Since June 15, 2022, Internet Explorer 11 dropped support for Windows 10 editions which follow Microsoft's Modern Lifecycle Policy.[97][98]

Mitigations against known attacks are not enough yet:

  • Mitigations against POODLE attack: some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients but also servers. Disabling SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC ciphers in SSL 3.0 is required.
    • Google Chrome: complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default since version 40. Support of SSL 3.0 itself was dropped since version 44.)
    • Mozilla Firefox: complete (support of SSL 3.0 itself is dropped since
      version 34
      , TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3.0.)
    • Internet Explorer: partial (only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable against POODLE.)
    • Opera: complete (TLS_FALLBACK_SCSV is implemented since version 20, "anti-POODLE record splitting", which is effective only with client-side implementation, is implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
    • Safari: complete (only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 is denied, but this means it will use RC4, which is not recommended as well. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
  • Mitigation against RC4 attacks:
    • Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
    • Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
    • Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
    • Internet Explorer for Windows 7/Server 2008 R2 and for Windows 8/Server 2012 have set the priority of RC4 to lowest and can also disable RC4 except as a fallback through registry settings. Internet Explorer 11 Mobile 11 for Windows Phone 8.1 disable RC4 except as a fallback if no other enabled algorithm works. Edge and IE 11 disable RC4 completely in August 2016.
  • Mitigation against FREAK attack:
    • The Android Browser included with Android 4.0 and older is still vulnerable to the FREAK attack.
    • Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
    • Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
    • Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.

Libraries

Most SSL and TLS programming libraries are free and open-source software.

  • BoringSSL
    , a fork of OpenSSL for Chrome/Chromium and Android as well as other Google applications.
  • Botan, a BSD-licensed cryptographic library written in C++.
  • BSAFE Micro Edition Suite: a multi-platform implementation of TLS written in C using a FIPS-validated cryptographic module
  • BSAFE SSL-J: a TLS library providing both a proprietary API and JSSE API, using FIPS-validated cryptographic module
  • cryptlib: a portable open source cryptography library (includes TLS/SSL implementation)
  • Delphi programmers may use a library called Indy which utilizes OpenSSL
    or alternatively ICS which supports TLS 1.3 now.
  • GnuTLS: a free implementation (LGPL licensed)
  • Java Secure Socket Extension (JSSE): the Java API and provider implementation (named SunJSSE)[99]
  • LibreSSL: a fork of OpenSSL by OpenBSD project.
  • MatrixSSL: a dual licensed implementation
  • Mbed TLS (previously PolarSSL): A tiny SSL library implementation for embedded devices that is designed for ease of use
  • Network Security Services: FIPS 140 validated open source library
  • OpenSSL: a free implementation (BSD license with some extensions)
  • Schannel: an implementation of SSL and TLS Microsoft Windows as part of its package.
  • OS X and iOS
    as part of their packages.
  • wolfSSL (previously CyaSSL): Embedded SSL/TLS Library with a strong focus on speed and size.

A paper presented at the 2012 ACM conference on computer and communications security[100] showed that many applications used some of these SSL libraries incorrectly, leading to vulnerabilities. According to the authors:

"The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."

Other uses

The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications use public key certificates to verify the identity of endpoints.

TLS can also be used for tunnelling an entire network stack to create a VPN, which is the case with OpenVPN and OpenConnect. Many vendors have by now married TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of Web-browsers, in order to enable support for client/server applications. Compared to traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method for protecting Session Initiation Protocol (SIP) application signaling. TLS can be used for providing authentication and encryption of the SIP signalling associated with VoIP and other SIP-based applications.[101]

Security

Attacks against TLS/SSL

Significant attacks against TLS/SSL are listed below.

In February 2015, IETF issued an informational RFC[102] summarizing the various known attacks against TLS/SSL.

Renegotiation attack

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS.

RFC 5746. The RFC has been implemented by several libraries.[105][106][107]

Downgrade attacks: FREAK attack and Logjam attack

A protocol downgrade attack (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure.

Previous modifications to the original protocols, like False Start[108] (adopted and enabled by Google Chrome[109]) or Snap Start, reportedly introduced limited TLS protocol downgrade attacks[110] or allowed modifications to the cipher suite list sent by the client to the server. In doing so, an attacker might succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite negotiated to use either a weaker symmetric encryption algorithm or a weaker key exchange.[111] A paper presented at an ACM conference on computer and communications security in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.[112]

Encryption downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, a

man-in-the-middle attack called FREAK was discovered affecting the OpenSSL stack, the default Android web browser, and some Safari browsers.[113]
The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512 bit encryption keys.

Logjam is a

security exploit discovered in May 2015 that exploits the option of using legacy "export-grade" 512-bit Diffie–Hellman groups dating back to the 1990s.[114] It forces susceptible servers to downgrade to cryptographically weak 512-bit Diffie–Hellman groups. An attacker can then deduce the keys the client and server determine using the Diffie–Hellman key exchange
.

Cross-protocol attacks: DROWN

The DROWN attack is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.[115][116] DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. At that time, more than 81,000 of the top 1 million most popular websites were among the TLS protected websites that were vulnerable to the DROWN attack.[116]

BEAST attack

On September 23, 2011, researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS)

cipher block chaining (CBC) vulnerability in TLS 1.0:[118][119] an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext block P2 = x ⊕ C0 ⊕ C1; as per CBC operation, C2 = E(C1 ⊕ P2) = E(C1 ⊕ x ⊕ C0 ⊕ C1) = E(C0 ⊕ x), which will be equal to C1 if x = P1. Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway[120]
in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.

RC4 as a stream cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigate BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter enabling RC4 on server side was no longer recommended.[121]

Chrome and Firefox themselves are not vulnerable to BEAST attack,

Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.[124]

Schannel) component transmits encrypted network packets from the server end.[125] Users of Internet Explorer (prior to version 11) that run on older versions of Windows (Windows 7, Windows 8 and Windows Server 2008 R2
) can restrict use of TLS to 1.1 or higher.

Apple fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by default in OS X Mavericks, released on October 22, 2013.[126]

CRIME and BREACH attacks

The authors of the BEAST attack are also the creators of the later

authentication cookies, it allows an attacker to perform session hijacking
on an authenticated web session.

While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was announced. Based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).[129] All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.[130] Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.[129] This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data it was meant to protect.

Timing attacks on padding

Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013.

Some experts[90] also recommended avoiding triple DES CBC. Since the last supported ciphers developed to support any program using Windows XP's SSL/TLS library like Internet Explorer on Windows XP are RC4 and Triple-DES, and since RC4 is now deprecated (see discussion of RC4 attacks), this makes it difficult to support any version of SSL for any program using this library on XP.

A fix was released as the Encrypt-then-MAC extension to the TLS specification, released as

RFC 7366.[131] The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable. SSL may safeguard email, VoIP, and other types of communications over insecure networks in addition to its primary use case of secure data transmission between a client and the server [2]

POODLE attack

On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes

CVE-2014-3566). They named this attack POODLE (Padding Oracle On Downgraded Legacy Encryption). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.[96]

Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail unless they provide the option for a user or administrator to disable SSL 3.0 and the user or administrator does so[

version rollback attack and then exploit this vulnerability.[96]

On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.[132]

RC4 attacks

Despite the existence of attacks on

BEAST attack.[133] New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST.[95] An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table[134] to recover parts of the plaintext with a large number of TLS encryptions.[135][136] An attack on RC4 in TLS and SSL that requires 13 × 220 encryptions to break RC4 was unveiled on 8 July 2013 and later described as "feasible" in the accompanying presentation at a USENIX Security Symposium in August 2013.[137][138] In July 2015, subsequent improvements in the attack make it increasingly practical to defeat the security of RC4-encrypted TLS.[139]

As many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.7 or earlier, for iOS 6 or earlier, and for Windows; see

prohibits the use of RC4 cipher suites in all versions of TLS.

On September 1, 2015, Microsoft, Google and Mozilla announced that RC4 cipher suites would be disabled by default in their browsers (Microsoft Edge, Internet Explorer 11 on Windows 7/8.1/10, Firefox, and Chrome) in early 2016.[142][143][144]

Truncation attack

A TLS (logout) truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination.[145]

Published in July 2013,[146][147] the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).[145] This vulnerability also requires access to the victim's computer. Another possibility is when using FTP the data connection can have a false FIN in the data stream, and if the protocol rules for exchanging close_notify alerts is not adhered to a file can be truncated.

Plaintext attack against DTLS

In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack

Cipher Block Chaining
mode encryption was used.

Unholy PAC attack

This attack, discovered in mid-2016, exploits weaknesses in the

Web Proxy Autodiscovery Protocol (WPAD) to expose the URL that a web user is attempting to reach via a TLS-enabled web link.[149]
Disclosure of a URL can violate a user's privacy, not only because of the website accessed, but also because URLs are sometimes used to authenticate users. Document sharing services, such as those offered by Google and Dropbox, also work by sending a user a security token that's included in the URL. An attacker who obtains such URLs may be able to gain full access to a victim's account or data.

The exploit works against almost all browsers and operating systems.

Sweet32 attack

The Sweet32 attack breaks all 64-bit block ciphers used in CBC mode as used in TLS by exploiting a birthday attack and either a man-in-the-middle attack or injection of a malicious JavaScript into a web page. The purpose of the man-in-the-middle attack or the JavaScript injection is to allow the attacker to capture enough traffic to mount a birthday attack.[150]

Implementation errors: Heartbleed bug, BERserk attack, Cloudflare bug

The Heartbleed bug is a serious vulnerability specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected.[151] The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.[152] The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.

In September 2014, a variant of Daniel Bleichenbacher's PKCS#1 v1.5 RSA Signature Forgery vulnerability[153] was announced by Intel Security Advanced Threat Research. This attack, dubbed BERserk, is a result of incomplete ASN.1 length decoding of public key signatures in some SSL implementations, and allows a man-in-the-middle attack by forging a public key signature.[154]

In February 2015, after media reported the hidden pre-installation of superfish adware on some Lenovo notebooks,[155] a researcher found a trusted root certificate on affected Lenovo machines to be insecure, as the keys could easily be accessed using the company name, Komodia, as a passphrase.[156] The Komodia library was designed to intercept client-side TLS/SSL traffic for parental control and surveillance, but it was also used in numerous adware programs, including Superfish, that were often surreptitiously installed unbeknownst to the computer user. In turn, these potentially unwanted programs installed the corrupt root certificate, allowing attackers to completely control web traffic and confirm false websites as authentic.

In May 2016, it was reported that dozens of Danish HTTPS-protected websites belonging to Visa Inc. were vulnerable to attacks allowing hackers to inject malicious code and forged content into the browsers of visitors.[157] The attacks worked because the TLS implementation used on the affected servers incorrectly reused random numbers (nonces) that are intended to be used only once, ensuring that each TLS handshake is unique.[157]

In February 2017, an implementation error caused by a single mistyped character in code used to parse HTML created a buffer overflow error on Cloudflare servers. Similar in its effects to the Heartbleed bug discovered in 2014, this overflow error, widely known as Cloudbleed, allowed unauthorized third parties to read data in the memory of programs running on the servers—data that should otherwise have been protected by TLS.[158]

Survey of websites vulnerable to attacks

As of July 2021, the Trustworthy Internet Movement estimated the ratio of websites that are vulnerable to TLS attacks.[94]

Survey of the TLS vulnerabilities of the most popular websites
Attacks Security
Insecure Depends Secure Other
Renegotiation attack < 0.1%
support insecure renegotiation
< 0.1%
support both
99.4%
support secure renegotiation
0.6%
no support
RC4 attacks 0.2%
support RC4 suites used with modern browsers
3.6%
support some RC4 suites
96.2%
no support
TLS Compression (CRIME attack) 0%
vulnerable
Heartbleed 0%
vulnerable
ChangeCipherSpec injection attack
< 0.1%
vulnerable and exploitable
< 0.1%
vulnerable, not exploitable
99.3%
not vulnerable
0.7%
unknown
POODLE attack against TLS
(Original POODLE against SSL 3.0 is not included)
< 0.1%
vulnerable and exploitable
99.8%
not vulnerable
0.1%
unknown
Protocol downgrade 4.1%
Downgrade defence not supported
77.8%
Downgrade defence supported
18.1%
unknown

Forward secrecy

Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.[159] Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided that these past sessions were intercepted and stored at the time of transmission).[160] An implementation of TLS can provide forward secrecy by requiring the use of ephemeral Diffie–Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g., Gmail and other Google HTTPS services that use OpenSSL.[161] However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.[162][163] In practice, unless a web service uses Diffie–Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.[164]

Even where Diffie–Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use of TLS session tickets (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.[165][166][167] Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie–Hellman (DHE) key exchange to support forward secrecy were using weak Diffie–Hellman parameters. These weak parameter choices could potentially compromise the effectiveness of the forward secrecy that the servers sought to provide.[168]

Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search, among other services.[169] Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.[170] As of August 2019, about 80% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to most web browsers.[94]

TLS interception

TLS interception (or

transparent proxy": the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.[171]

TLS/HTTPS interception is used as an information security measure by network operators in order to be able to scan for and protect against the intrusion of malicious content into the network, such as computer viruses and other malware.[171] Such content could otherwise not be detected as long as it is protected by encryption, which is increasingly the case as a result of the routine use of HTTPS and other secure protocols.

A significant drawback of TLS/HTTPS interception is that it introduces new security risks of its own. One notable limitation is that it provides a point where network traffic is available unencrypted thus giving attackers an incentive to attack this point in particular in order to gain access to otherwise secure content. The interception also allows the network operator, or persons who gain access to its interception system, to perform man-in-the-middle attacks against network users. A 2017 study found that "HTTPS interception has become startlingly widespread, and that interception products as a class have a dramatically negative impact on connection security".[171]

Protocol details

The TLS protocol exchanges records, which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.

TLS handshake

Simplified illustration of the full TLS 1.2 handshake with timing information

When the connection starts, the record encapsulates a "control" protocol – the handshake messaging protocol (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the format of messages and the order of their exchange. These may vary according to the demands of the client and server – i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).

Basic TLS handshake

A typical connection example follows, illustrating a handshake where the server (but not the client) is authenticated by its certificate:

  1. Negotiation phase:
  2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.
    • The client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be terminated.
  3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated)."
    • The server sends its authenticated and encrypted Finished message.
    • The client performs the same decryption and verification procedure as the server did in the previous step.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not authenticate.

Client-authenticated TLS handshake

The following full example shows a client being authenticated (in addition to the server as in the example above; see mutual authentication) via TLS using certificates exchanged between both peers.

  1. Negotiation Phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[172]
    • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE, ECDHE and DH_anon ciphersuites.[1]
    • The server sends a CertificateRequest message, to request a certificate from the client.
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a Certificate message, which contains the client's certificate, but not its private key.
    • The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
    • The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data ("session keys") for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). "The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated)."
    • The server sends its own encrypted Finished message.
    • The client performs the same decryption and verification procedure as the server did in the previous step.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.

Apart from the performance benefit, resumed sessions can also be used for single sign-on, as it guarantees that both the original session and any resumed session originate from the same client. This is of particular importance for the FTP over TLS/SSL protocol, which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.[174]

TLS 1.3 handshake

The TLS 1.3 handshake was condensed to only one round trip compared to the two round trips required in previous versions of TLS/SSL.

To start the handshake, the client guesses which key exchange algorithm will be selected by the server and sends a ClientHello message to the server containing a list of supported ciphers (in order of the client's preference) and public keys for some or all of its key exchange guesses. If the client successfully guesses the key exchange algorithm, 1 round trip is eliminated from the handshake. After receiving the ClientHello, the server selects a cipher and sends back a ServerHello with its own public key, followed by server Certificate and Finished messages.[175]

After the client receives the server's finished message, it now is coordinated with the server on which cipher suite to use.[176]

Session IDs

In an ordinary full handshake, the server sends a session id as part of the ServerHello message. The client associates this session id with the server's IP address and TCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

  1. Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the session id from the previous TLS connection.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the session id sent by the client, it responds with the same session id. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the session id sent by the client, it sends a different value for its session id. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the "master secret" and random data to generate the key data to be used for this connection.
  2. The server now sends a ChangeCipherSpec record, essentially telling the client, "Everything I tell you from now on will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the server sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The client will attempt to decrypt the server's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the client sends a ChangeCipherSpec, telling the server, "Everything I tell you from now on will be encrypted."
    • The client sends its own encrypted Finished message.
    • The server performs the same decryption and verification procedure as the client did in the previous step.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.
Session tickets

RFC 5077
extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.

When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.

One particular weakness of this method with OpenSSL is that it always limits encryption and authentication security of the transmitted TLS session ticket to AES128-CBC-SHA256, no matter what other TLS parameters were negotiated for the actual TLS session.[166] This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (SSL_CTX), i.e. for the life of the application, and not allowing for re-keying of the AES128-CBC-SHA256 TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).[167][165]

TLS record

This is the general format of all TLS records.

TLS record format, general
Offset Byte+0 Byte+1 Byte+2 Byte+3
Byte
0
Content type
Bytes
1–4
Legacy version Length
(Major) (Minor) (bits 15–8) (bits 7–0)
Bytes
5–(m−1)
Protocol message(s)
Bytes
m–(p−1)
MAC (optional)
Bytes
p–(q−1)
Padding (block ciphers only)
Content type
This field identifies the Record Layer Protocol Type contained in this record.
Content types
Hex Dec Type
0×14 20 ChangeCipherSpec
0×15 21 Alert
0×16 22 Handshake
0×17 23 Application
0×18 24 Heartbeat
Legacy version
This field identifies the major and minor version of TLS prior to TLS 1.3 for the contained message. For a ClientHello message, this need not be the highest version supported by the client. For TLS 1.3 and later, this must to be set 0x0303 and application must send supported versions in an extra message extension block.
Versions
Major
version
Minor
version
Version type
3 0 SSL 3.0
3 1 TLS 1.0
3 2 TLS 1.1
3 3 TLS 1.2
3 4 TLS 1.3
Length
The length of "protocol message(s)", "MAC" and "padding" fields combined (i.e. q−5), not to exceed 214 bytes (16 KiB).
Protocol message(s)
One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
MAC and padding
A message authentication code computed over the "protocol message(s)" field, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
No "MAC" or "padding" fields can be present at end of TLS records before all cipher algorithms and parameters have been negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) for signalling that these parameters will take effect in all further records sent by the same peer.

Handshake protocol

Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).

TLS record format for handshake protocol
Offset Byte+0 Byte+1 Byte+2 Byte+3
Byte
0
22
Bytes
1–4
Legacy version Length
(Major) (Minor) (bits 15–8) (bits 7–0)
Bytes
5–8
Message type Handshake message data length
(bits 23–16) (bits 15–8) (bits 7–0)
Bytes
9–(n−1)
Handshake message data
Bytes
n–(n+3)
Message type Handshake message data length
(bits 23–16) (bits 15–8) (bits 7–0)
Bytes
(n+4)–
Handshake message data
Message type
This field identifies the handshake message type.
Message types
Code Description
0 HelloRequest
1 ClientHello
2 ServerHello
4 NewSessionTicket
8 EncryptedExtensions (TLS 1.3 only)
11 Certificate
12 ServerKeyExchange
13 CertificateRequest
14 ServerHelloDone
15 CertificateVerify
16 ClientKeyExchange
20 Finished
Handshake message data length
This is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple handshake messages may be combined within one record.

Alert protocol

This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

TLS record format for alert protocol
Offset Byte+0 Byte+1 Byte+2 Byte+3
Byte
0
21
Bytes
1–4
Legacy version Length
(Major) (Minor) 0 2
Bytes
5–6
Level Description
Bytes
7–(p−1)
MAC (optional)
Bytes
p–(q−1)
Padding (block ciphers only)
Level
This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).
Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).
Alert level types
Code Level type Connection state
1 warning connection or security may be unstable.
2 fatal connection or security may be compromised, or an unrecoverable error has occurred.
Description
This field identifies which type of alert is being sent.
Alert description types
Code Description Level types Note
0 Close notify warning/fatal
10 Unexpected message fatal
20 Bad record MAC fatal Possibly a bad SSL implementation, or payload has been tampered with e.g. FTP firewall rule on FTPS server.
21 Decryption failed fatal TLS only, reserved
22 Record overflow fatal TLS only
30 Decompression failure fatal
40 Handshake failure fatal
41 No certificate warning/fatal SSL 3.0 only, reserved
42 Bad certificate warning/fatal
43 Unsupported certificate warning/fatal e.g. certificate has only server authentication usage enabled and is presented as a client certificate
44 Certificate revoked warning/fatal
45 Certificate expired warning/fatal Check server certificate expire also check no certificate in the chain presented has expired
46 Certificate unknown warning/fatal
47 Illegal parameter fatal
48 Unknown CA (Certificate authority) fatal TLS only
49 Access denied fatal TLS only – e.g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one.
50 Decode error fatal TLS only
51 Decrypt error warning/fatal TLS only
60 Export restriction fatal TLS only, reserved
70 Protocol version fatal TLS only
71 Insufficient security fatal TLS only
80 Internal error fatal TLS only
86 Inappropriate fallback fatal TLS only
90 User canceled fatal TLS only
100 No renegotiation warning TLS only
110 Unsupported extension warning TLS only
111 Certificate unobtainable warning TLS only
112 Unrecognized name warning/fatal TLS only; client's Server Name Indicator specified a hostname not supported by the server
113 Bad certificate status response fatal TLS only
114 Bad certificate hash value fatal TLS only
115 Unknown PSK identity (used in TLS-PSK and TLS-SRP) fatal TLS only
116 Certificate required fatal TLS version 1.3 only
120 or 255 No application protocol fatal TLS version 1.3 only

ChangeCipherSpec protocol

TLS record format for ChangeCipherSpec protocol
Offset Byte+0 Byte+1 Byte+2 Byte+3
Byte
0
20
Bytes
1–4
Legacy version Length
(Major) (Minor) 0 1
Byte
5
CCS protocol type
CCS protocol type
Currently only 1.

Application protocol

TLS record format for application protocol
Offset Byte+0 Byte+1 Byte+2 Byte+3
Byte
0
23
Bytes
1–4
Legacy version Length
(Major) (Minor) (bits 15–8) (bits 7–0)
Bytes
5–(m−1)
Application data
Bytes
m–(p−1)
MAC (optional)
Bytes
p–(q−1)
Padding (block ciphers only)
Length
Length of application data (excluding the protocol header and including the MAC and padding trailers)
MAC
32 bytes for the
SHA-256-based HMAC, 20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5
-based HMAC.
Padding
Variable length; last byte contains the padding length.

Support for name-based virtual servers

From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the

name-based virtual server
feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

There are two known workarounds provided by X.509:

  • If all virtual servers belong to the same domain, a wildcard certificate can be used.[177] Besides the loose host name selection that might be a problem or not, there is no common agreement about how to match wildcard certificates. Different rules are applied depending on the application protocol or software used.[178]
  • Add every virtual host name in the subjectAltName extension. The major problem being that the certificate needs to be reissued whenever a new virtual server is added.

To provide the server name,

RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a Server Name Indication
extension (SNI) in the extended ClientHello message. This extension hints to the server immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to the clients.

URI scheme (which avoids forking the URI space and reduces the number of used ports), however, few implementations currently support this.[citation needed
]

Standards

Primary standards

The current approved version of (D)TLS is version 1.3, which are specified in:

The current standards replaces these former versions, which are now considered obsolete:

Extensions

Other RFCs subsequently extended (D)TLS.

Extensions to (D)TLS 1.3 include:

Extensions to (D)TLS 1.2 include:

Extensions to (D)TLS 1.1 include:

Extensions to TLS 1.0 include:

Informational RFCs

See also

References

  1. ^ i.e. "Delegated Credentials for (D)TLS". Ietf Datatracker. Retrieved 2022-11-29.
  2. ^ . Retrieved 15 December 2018.
  3. ^ "SSL/TLS in Detail". TechNet. Microsoft Docs. October 8, 2009. Retrieved 2021-10-24.
  4. ^ .
  5. ^ a b Spott, Andrew; Leek, Tom; et al. "What layer is TLS?". Information Security Stack Exchange.
  6. ^
    doi:10.17487/RFC8446. RFC 8446. Proposed Standard. Obsoletes RFC 5077, 5246 and 6961; updates RFC 5705 and 6066
    .
  7. .
  8. .
  9. ^ Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Retrieved 2015-10-17.
  10. S2CID 8945952
    .
  11. ^ RFC 4347 § 4
  12. ^ Rescorla, Eric; Tschofenig, Hannes; Modadugu, Nagena (April 21, 2022). "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".
  13. ^ "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco. Retrieved 26 February 2017.
  14. Cisco Systems
    .
  15. ^ "OpenConnect". OpenConnect. Retrieved 26 February 2017.
  16. ZScaler
    .
  17. f5 Networks
    .
  18. ^ "Configuring a DTLS Virtual Server". Citrix Systems.
  19. ^ "WebRTC Interop Notes". Archived from the original on 2013-05-11.
  20. ^ a b c d e Bright, Peter (17 October 2018). "Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0". Retrieved 17 October 2018.
  21. ^ a b c d "Here is what is new and changed in Firefox 74.0 Stable - gHacks Tech News". www.ghacks.net. 10 March 2020. Retrieved 2020-03-10.
  22. ^ a b c d "TLS 1.0 and TLS 1.1 - Chrome Platform Status". chromestatus.com. Retrieved 2020-03-10.
  23. ^
    doi:10.17487/RFC5246. RFC 5246. Obsolete. Obsoleted by RFC 8446; obsoletes RFC 3268, 4346 and 4366; updates RFC 4492
    .
  24. ^ a b "Using TLS to protect data". www.ncsc.gov.uk. Archived from the original on July 21, 2021. Retrieved August 24, 2022.
  25. ^ "TLS 1.3: One Year Later". IETF. Archived from the original on July 8, 2020. Retrieved August 24, 2022.
  26. ^ "Creating TLS: The Pioneering Role of Ruth Nelson".
  27. ^ Woo, Thomas Y. C.; Bindignavle, Raghuram; Su, Shaowen; Lam, Simon S. (June 1994). SNP: An interface for secure network programming (PDF). Proceedings USENIX Summer Technical Conference.
  28. ^ "1994 USENIX Summer Technical Conference Program, Boston, 6-10 June 1994".
  29. ^ Simon S. Lam (PI/PD), "Applying a Theory of Modules and Interfaces to Security Verification," NSA INFOSEC University Research Program grant no. MDA 904-91-C-7046, 6/28/91 to 6/27/93.
  30. ^ "2004 ACM Software System Award citation". ACM. Retrieved 25 July 2012.
  31. ^ "ACM Press Release, March 15, 2005". ACM. Retrieved 25 July 2012.
  32. ^ "Internet Hall of Fame inductee Simon S. Lam". Retrieved 3 Mar 2024.
  33. ^ "Computer Scientist Inducted into Internet Hall of Fame". Retrieved 3 Mar 2024.
  34. ^ Messmer, Ellen. "Father of SSL, Dr. Taher Elgamal, Finds Fast-Moving IT Projects in the Middle East". Network World. Archived from the original on 31 May 2014. Retrieved 30 May 2014.
  35. ^ Greene, Tim. "Father of SSL says despite attacks, the security linchpin has lots of life left". Network World. Archived from the original on 31 May 2014. Retrieved 30 May 2014.
  36. ^ . Retrieved 2018-03-01 – via Google Books.
  37. ^ "THE SSL PROTOCOL". Netscape Corporation. 2007. Archived from the original on 14 June 1997.
  38. ^ Rescorla 2001
  39. ^ "POODLE: SSLv3 vulnerability (CVE-2014-3566)". Archived from the original on 5 December 2014. Retrieved 21 October 2014.
  40. ^ "Security Standards and Name Changes in the Browser Wars". Retrieved 2020-02-29.
  41. ^ Laura K. Gray (2015-12-18). "Date Change for Migrating from SSL and Early TLS". Payment Card Industry Security Standards Council blog. Retrieved 2018-04-05.
  42. ^ "Changes to PCI Compliance are Coming June 30. Is Your Ecommerce Business Ready?". Forbes. Retrieved 2018-06-20.
  43. doi:10.17487/RFC4346. RFC 4346. Historic. Obsoleted by RFC 5246. Obsoletes RFC 2246
    .
  44. ^ a b c "Transport Layer Security Parameters - Cipher Suites". Internet Assigned Numbers Authority (IANA). Retrieved 2022-12-16.
  45. ^ "Twitter will deprecate support for TLS 1.0, TLS 1.1 on July 15". Hashed Out by The SSL Store. 2019-07-12. Retrieved 14 June 2021.
  46. ^ Mackie, Kurt. "Microsoft Delays End of Support for TLS 1.0 and 1.1 -". Microsoft Certified Professional Magazine Online.
  47. ^ "TLS 1.2 FAQ – Knowledge Base". Answers.psionline.com. Retrieved 20 February 2022.
  48. ^ "Differences between TLS 1.2 and TLS 1.3 (#TLS13)". WolfSSL. 2019-09-18. Archived from the original on 2019-09-19. Retrieved 2019-09-18.
  49. ^ https://datatracker.ietf.org/meeting/116/materials/slides-116-tls-null-encryption-and-key-exchange-without-forward-secrecy-are-discouraged-00
  50. ^ "NSS 3.29 release notes". Mozilla Developer Network. February 2017. Archived from the original on 2017-02-22.
  51. ^ "Enable TLS 1.3 by default". Bugzilla@Mozilla. 16 October 2016. Retrieved 10 October 2017.
  52. ^ "Firefox — Notes (60.0)". Mozilla. Retrieved 2018-05-10.
  53. ^ "ProxySG, ASG and WSS will interrupt SSL connections when clients using TLS 1.3 access sites also using TLS 1.3". BlueTouch Online. 16 May 2017. Archived from the original on 12 September 2017. Retrieved 11 September 2017.
  54. ^ Sullivan 2017.
  55. ^ Thomson & Pauly 2021, A.6. TLS.
  56. ^ Thomson & Pauly 2021, 3.3. Falsifying Active Use.
  57. ^ "TLS 1.3 IETF 100 Hackathon". Archived from the original on 2018-01-15.
  58. ^ a b IETF – Internet Engineering Task Force (2017-11-12), IETF Hackathon Presentations and Awards, archived from the original on 2021-10-28, retrieved 2017-11-14
  59. ^ "Hurrah! TLS 1.3 is here. Now to implement it and put it into software". Retrieved 2018-03-28.
  60. ^ IETF - Internet Engineering Task Force (2018-07-15), IETF102-HACKATHON-20180715-1400, archived from the original on 2021-10-28, retrieved 2018-07-18
  61. ^ "wolfSSL TLS 1.3 BETA Release Now Available". [email protected]. 11 May 2017. Retrieved 11 May 2017.
  62. ^ "TLS 1.3 PROTOCOL SUPPORT". [email protected].
  63. ^ "TLS 1.3 Draft 28 Support in wolfSSL". [email protected]. 14 June 2018. Retrieved 14 June 2018.
  64. ^ "OpenSSL 1.1.1 Is Released". Matt Caswell. 11 Sep 2018. Retrieved 19 Dec 2018.
  65. ^ "Protocols in TLS/SSL (Schannel SSP)". Microsoft Docs. May 25, 2022. Retrieved 21 February 2023.
  66. ^ Hoffman-Andrews, Jacob (2019-02-26). "ETS Isn't TLS and You Shouldn't Use It". Electronic Frontier Foundation. Retrieved 2019-02-27.
  67. ^ TS 103 523-3 - V1.1.1 - CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control (PDF). ETSI.org. Archived (PDF) from the original on November 14, 2018.
  68. ^ Cory Doctorow (February 26, 2019). "Monumental Recklessness". Boing Boing. Archived from the original on February 27, 2019.
  69. ^ Rea, Scott (2013). "Alternatives to Certification Authorities for a Secure Web" (PDF). RSA Conference Asia Pacific. Archived (PDF) from the original on 7 October 2016. Retrieved 7 September 2016.
  70. ^ "Counting SSL certificates". Archived from the original on 16 May 2015. Retrieved 20 February 2022.
  71. ^ Raymond, Art (3 August 2017). "Lehi's DigiCert swallows web security competitor in $1 billion deal". Deseret News. Retrieved 21 May 2020.
  72. ^ "Market share trends for SSL certificate authorities". W3Techs. Retrieved 21 May 2020.
  73. ^ Ryan Singel (March 24, 2010). "Law Enforcement Appliance Subverts SSL". wired.com. Archived from the original on April 12, 2014.
  74. from the original on March 25, 2010.
  75. from the original on 5 September 2013. Retrieved 9 September 2013.
  76. from the original on December 7, 2014. Retrieved December 21, 2014.
  77. ^ Gothard, Peter (31 July 2013). "Google updates SSL certificates to 2048-bit encryption". Computing. Incisive Media. Archived from the original on 22 September 2013. Retrieved 9 September 2013.
  78. ^ "The value of 2,048-bit encryption: Why encryption key length matters". SearchSecurity. Archived from the original on 2018-01-16. Retrieved 2017-12-18.
  79. ^ Sean Turner (September 17, 2015). "Consensus: remove DSA from TLS 1.3". Archived from the original on October 3, 2015.
  80. RFC 8422
  81. ^
  82. ^ "On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN" (PDF). 2016-10-28. Archived (PDF) from the original on 2017-04-24. Retrieved 2017-06-08.
  83. ^ "NIST Special Publication 800-57 Recommendation for Key Management — Part 1: General (Revised)" (PDF). 2007-03-08. Archived from the original (PDF) on June 6, 2014. Retrieved 2014-07-03.
  84. ^ a b c Qualys SSL Labs. "SSL/TLS Deployment Best Practices". Archived from the original on 4 July 2015. Retrieved 2 June 2015.
  85. RFC 5469
  86. ^ "Http vs https". Archived from the original on 2015-02-12. Retrieved 2015-02-12.
  87. ^ a b c d As of Sept 03, 2023. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Websites". Qualys. Retrieved 2023-10-05.
  88. ^ a b ivanr (19 March 2013). "RC4 in TLS is Broken: Now What?". Qualsys Security Labs. Archived from the original on 2013-08-27. Retrieved 2013-07-30.
  89. ^ a b c Bodo Möller, Thai Duong & Krzysztof Kotowicz. "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Archived (PDF) from the original on 2014-10-14. Retrieved 2014-10-15.
  90. ^ "Internet Explorer 11 has retired and is officially out of support—what you need to know". June 15, 2022. Retrieved 2022-06-15.
  91. ^ "Internet Explorer 11 desktop app support ended for certain versions of Windows 10". Retrieved 2022-06-17.
  92. ^ "Java Secure Socket Extension (JSSE) Reference Guide". Oracle Help Center. Retrieved 2021-12-24.
  93. (PDF) from the original on 2017-10-22.
  94. .
  95. .
  96. ^ "CVE – CVE-2009-3555". Archived from the original on 2016-01-04.
  97. ^ Rescorla, Eric (2009-11-05). "Understanding the TLS Renegotiation Attack". Educated Guesswork. Archived from the original on 2012-02-11. Retrieved 2009-11-27.
  98. ^ "SSL_CTX_set_options SECURE_RENEGOTIATION". OpenSSL Docs. 2010-02-25. Archived from the original on 2010-11-26. Retrieved 2010-11-18.
  99. ^ "GnuTLS 2.10.0 released". GnuTLS release notes. 2010-06-25. Archived from the original on 2015-10-17. Retrieved 2011-07-24.
  100. ^ "NSS 3.12.6 release notes". NSS release notes. 2010-03-03. Archived from the original on March 6, 2012. Retrieved 2011-07-24.
  101. ^ A. Langley; N. Modadugu; B. Moeller (2010-06-02). "Transport Layer Security (TLS) False Start". Internet Engineering Task Force. IETF. Archived from the original on 2013-09-05. Retrieved 2013-07-31.
  102. ^ Gruener, Wolfgang. "False Start: Google Proposes Faster Web, Chrome Supports It Already". Archived from the original on 2010-10-07. Retrieved 2011-03-09.
  103. ^ Smith, Brian. "Limited rollback attacks in False Start and Snap Start". Archived from the original on 2011-05-04. Retrieved 2011-03-09.
  104. ^ Dimcev, Adrian. "False Start". Random SSL/TLS 101. Archived from the original on 2011-05-04. Retrieved 2011-03-09.
  105. (PDF) from the original on 2015-07-06.
  106. ^ "SMACK: State Machine AttaCKs". Archived from the original on 2015-03-12.
  107. ^ Goodin, Dan (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica. Archived from the original on 2017-05-19.
  108. ^ Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Archived from the original on 1 March 2016. Retrieved 2016-03-02.
  109. ^ a b "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. March 2016. Archived from the original on 2016-03-01. Retrieved 2016-03-02.
  110. ^ Thai Duong & Juliano Rizzo (2011-05-13). "Here Come The ⊕ Ninjas". Archived from the original on 2014-06-03.
  111. ^ Goodin, Dan (2011-09-19). "Hackers break SSL encryption used by millions of sites". The Register. Archived from the original on 2012-02-10.
  112. ^ "Y Combinator comments on the issue". 2011-09-20. Archived from the original on 2012-03-31.
  113. ^ "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures". 2004-05-20. Archived from the original on 2012-06-30.
  114. ^ Ristic, Ivan (Sep 10, 2013). "Is BEAST Still a Threat?". Archived from the original on 12 October 2014. Retrieved 8 October 2014.
  115. ^ "Chrome Stable Release". Chrome Releases. 2011-10-25. Archived from the original on 2015-02-20. Retrieved 2015-02-01.
  116. ^ "Attack against TLS-protected communications". Mozilla Security Blog. Mozilla. 2011-09-27. Archived from the original on 2015-03-04. Retrieved 2015-02-01.
  117. ^ Smith, Brian (2011-09-30). "(CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets-76)".
  118. MSRC (2012-01-10). Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584). Security Bulletins (Technical report). MS12-006. Retrieved 2021-10-24 – via Microsoft Docs
    .
  119. ^ Ristic, Ivan (Oct 31, 2013). "Apple Enabled BEAST Mitigations in OS X 10.9 Mavericks". Archived from the original on 12 October 2014. Retrieved 8 October 2014.
  120. ^ Goodin, Dan (2012-09-13). "Crack in Internet's foundation of trust allows HTTPS session hijacking". Ars Technica. Archived from the original on 2013-08-01. Retrieved 2013-07-31.
  121. ^ Fisher, Dennis (September 13, 2012). "CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions". ThreatPost. Archived from the original on September 15, 2012. Retrieved 2012-09-13.
  122. ^ a b Goodin, Dan (1 August 2013). "Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages". Ars Technica. Condé Nast. Archived from the original on 3 August 2013. Retrieved 2 August 2013.
  123. ^ Leyden, John (2 August 2013). "Step into the BREACH: New attack developed to read encrypted web data". The Register. Archived from the original on 5 August 2013. Retrieved 2 August 2013.
  124. from the original on 2015-05-12.
  125. ^ Langley, Adam (December 8, 2014). "The POODLE bites again". Archived from the original on December 8, 2014. Retrieved 2014-12-08.
  126. ^ "ssl - Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune". Serverfault.com. Retrieved 20 February 2022.
  127. .
  128. ^ Green, Matthew (12 March 2013). "Attack of the week: RC4 is kind of broken in TLS". Cryptography Engineering. Archived from the original on March 14, 2013. Retrieved March 12, 2013.
  129. ^ AlFardan, Nadhem; Bernstein, Dan; Paterson, Kenny; Poettering, Bertram; Schuldt, Jacob. "On the Security of RC4 in TLS". Royal Holloway University of London. Archived from the original on March 15, 2013. Retrieved March 13, 2013.
  130. ^ AlFardan, Nadhem J.; Bernstein, Daniel J.; Paterson, Kenneth G.; Poettering, Bertram; Schuldt, Jacob C. N. (8 July 2013). "On the Security of RC4 in TLS and WPA" (PDF). Information Security Group. Archived (PDF) from the original on 22 September 2013. Retrieved 2 September 2013.
  131. ^ AlFardan, Nadhem J.; Bernstein, Daniel J.; Paterson, Kenneth G.; Poettering, Bertram; Schuldt, Jacob C. N. (15 August 2013). On the Security of RC4 in TLS (PDF). 22nd USENIX Security Symposium. p. 51. Archived (PDF) from the original on 22 September 2013. Retrieved 2 September 2013. Plaintext recovery attacks against RC4 in TLS are feasible although not truly practical
  132. ^ Goodin, Dan (15 July 2015). "Once-theoretical crypto attack against HTTPS now verges on practicality". Ars Technical. Conde Nast. Archived from the original on 16 July 2015. Retrieved 16 July 2015.
  133. ^ "Mozilla Security Server Side TLS Recommended Configurations". Mozilla. Archived from the original on 2015-01-03. Retrieved 2015-01-03.
  134. ^ "Security Advisory 2868725: Recommendation to disable RC4". Microsoft. 2013-11-12. Archived from the original on 2013-11-18. Retrieved 2013-12-04.
  135. ^ "Ending support for the RC4 cipher in Microsoft Edge and Internet Explorer 11". Microsoft Edge Team. September 1, 2015. Archived from the original on September 2, 2015.
  136. ^ Langley, Adam (Sep 1, 2015). "Intent to deprecate: RC4".
  137. ^ Barnes, Richard (Sep 1, 2015). "Intent to ship: RC4 disabled by default in Firefox 44". Archived from the original on 2011-01-22.
  138. ^ a b John Leyden (1 August 2013). "Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack". The Register. Archived from the original on 1 August 2013. Retrieved 1 August 2013.
  139. ^ "BlackHat USA Briefings". Black Hat 2013. Archived from the original on 30 July 2013. Retrieved 1 August 2013.
  140. ^ Smyth, Ben; Pironti, Alfredo (2013). Truncating TLS Connections to Violate Beliefs in Web Applications. 7th USENIX Workshop on Offensive Technologies (report). Archived from the original on 6 November 2015. Retrieved 15 February 2016.
  141. ^ AlFardan, Nadhem; Paterson, Kenneth G (2012). Plaintext-recovery attacks against datagram TLS (PDF). Network and distributed system security symposium (NDSS 2012). Archived from the original on 2012-01-18.{{cite conference}}: CS1 maint: unfit URL (link)
  142. ^ Goodin, Dan (26 July 2016). "New attack bypasses HTTPS protection on Macs, Windows, and Linux". Ars Technica. Condé Nast. Archived from the original on 27 July 2016. Retrieved 28 July 2016.
  143. ^ Goodin, Dan (August 24, 2016). "HTTPS and OpenVPN face new attack that can decrypt secret cookies". Ars Technica. Archived from the original on August 24, 2016. Retrieved August 24, 2016.
  144. ^ "Why is it called the 'Heartbleed Bug'?". The Washington Post. 2014-04-09. Archived from the original on 2014-10-09.
  145. Comodo Group. Archived
    from the original on 5 July 2014.
  146. ^ Bleichenbacher, Daniel (August 2006). "Bleichenbacher's RSA signature forgery based on implementation error". Archived from the original on 2014-12-16.
  147. ^ "BERserk". Intel Security: Advanced Threat Research. September 2014. Archived from the original on 2015-01-12.
  148. ^ Goodin, Dan (February 19, 2015). "Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections". Ars Technica. Archived from the original on September 12, 2017. Retrieved December 10, 2017.
  149. ^ Valsorda, Filippo (2015-02-20). "Komodia/Superfish SSL validation is broken". Filippo.io. Archived from the original on 2015-02-24.
  150. ^ a b Goodin, Dan (26 May 2016). ""Forbidden attack" makes dozens of HTTPS Visa sites vulnerable to tampering". Ars Technica. Archived from the original on 26 May 2016. Retrieved 26 May 2016.
  151. ^ Clark Estes, Adam (February 24, 2017). "Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster". Gizmodo. Archived from the original on 2017-02-25. Retrieved 2017-02-24.
  152. from the original on 2008-03-13. Retrieved 2008-02-11.
  153. ^ "Discussion on the TLS mailing list in October 2007". Archived from the original on 22 September 2013. Retrieved 20 February 2022.
  154. ^ "Protecting data for the long term with forward secrecy". Archived from the original on 2013-05-06. Retrieved 2012-11-05.
  155. ^ Bernat, Vincent (28 November 2011). "SSL/TLS & Perfect Forward Secrecy". Archived from the original on 2012-08-27. Retrieved 2012-11-05.
  156. ^ "SSL Labs: Deploying Forward Secrecy". Qualys.com. 2013-06-25. Archived from the original on 2013-06-26. Retrieved 2013-07-10.
  157. ^ Ristic, Ivan (2013-08-05). "SSL Labs: Deploying Forward Secrecy". Qualsys. Archived from the original on 2013-09-20. Retrieved 2013-08-31.
  158. ^ a b Langley, Adam (27 June 2013). "How to botch TLS forward secrecy". imperialviolet.org. Archived from the original on 8 August 2013.
  159. ^ a b Daignière, Florent. "TLS "Secrets": Whitepaper presenting the security implications of the deployment of session tickets (RFC 5077) as implemented in OpenSSL" (PDF). Matta Consulting Limited. Archived (PDF) from the original on 6 August 2013. Retrieved 7 August 2013.
  160. ^ a b Daignière, Florent. "TLS "Secrets": What everyone forgot to tell you…" (PDF). Matta Consulting Limited. Archived (PDF) from the original on 5 August 2013. Retrieved 7 August 2013.
  161. from the original on 20 September 2015. Retrieved 16 October 2015.
  162. ^ "Protecting data for the long term with forward secrecy". Archived from the original on 2014-02-12. Retrieved 2014-03-07.
  163. ^ Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Archived from the original on 2014-02-16. Retrieved 2014-03-07.
  164. ^ .
  165. ^
    OpenPGP
    -based certificates.
  166. ^ "tls - Differences between the terms "pre-master secret", "master secret", "private key", and "shared secret"?". Cryptography Stack Exchange. Retrieved 2020-10-01.
  167. ^ Chris (2009-02-18). "vsftpd-2.1.0 released – Using TLS session resume for FTPS data connection authentication". Scarybeastsecurity. blogspot.com. Archived from the original on 2012-07-07. Retrieved 2012-05-17.
  168. ^ Rescorla, Eric (August 2018). "The Transport Layer Security (TLS) Protocol Version 1.3". IETF RFC Editor.
  169. ^ Valsorda, Filippo (23 September 2016). "An overview of TLS 1.3 and Q&A". The Cloudflare Blog.
  170. ^ Wildcard SSL Certificate overview, archived from the original on 2015-06-23, retrieved 2015-07-02
  171. ^ Named-based SSL virtual hosts: how to tackle the problem (PDF), archived (PDF) from the original on 2012-08-03, retrieved 2012-05-17

Works cited

Further reading

External links