02
How does SSL/TLS work?
The respective certificate determines how SSL and TLS work. It is essentially a handshake between the client accessing a server and the server. The server uses a certificate to authenticate itself to the client. It then sends to the server a random number encrypted using the server’s certificate. Alternatively, client and server use the Diffie-Hellman key exchange method. The client and server then calculate a key used to encode further communication.
SSL certificates are issued by official certificate authorities. There are three types of certificates, which meet different requirements:
Domain-validated Certificate (DV-SSL):
With this certificate, the certificate authority checks the applicant’s right to use a specific domain name. DV-SSL certificates can be issued very quickly because the certificate authority does not require any additional company documents.
Organization Validation Certificate (OV-SSL):
In addition to the applicant’s right to use a specific domain, the certificate authority also checks some additional company information. A website with an OV SSL certificate shows the user more information about the operator of the website, imparting a greater level of trust.
Extended Validation Certificate (EV-SSL)
In this case, the organization submitting the application is thoroughly vetted. The Guidelines for Extended Validation, promulgated by the CA/Browser Forum in 2007, set out how the issuance process works. Among other things, companies seeking this certification must verify that the entity legally, materially, and operationally exists and has control over the domain.
How has SSL/TLS evolved?
SSL 1.0
SSL 1.0
1994
With the advent of SSL, Netscape Communications responded to the need for secure data transmission between the Netscape web browser and the server it connects to.
SSL 2.0
SSL 2.0
1994
In November of the same year, Netscape released SSL 2.0 which provided better security.
PCT
PCT
1995
Microsoft responded to criticism of SSL with its own encryption protocol called Private Communication Technology (PCT).
SSL 3.0
SSL 3.0
1998
SSL 3.0 was much more stable than its predecessors and no longer compatible with SSL 2.0.
TLS
1999
TLS is an upgrade of SSL and has now become the encryption standard.
TLS 1.1
TLS 1.1
2005
The first big update of TLS took place six years later.
TLS 1.2
TLS 1.2
2008
TLS 1.2 met increased expectations in terms of security standards and modern browsers.
TLS 1.3
2018
TLS 1.3 is more secure and better performing than its predecessors and represents the current official standard for transport encryption.
05
How secure is SSL/TLS?
SSL/TLS has some vulnerabilities that can be exploited by attackers to prevent effective authentication and encryption. The places vulnerable to attacks include the following:
Certificate authority
There are currently over 700 certificate authorities around the world authorized to issue SSL certificates. In addition, a large number of resellers and hosting providers offer related services, where companies have no influence on the choice of certificate authority. Although software makers carry out appropriate audits before accepting a certificate authority, there is still a risk that hackers will attack such an authority and create arbitrary certificates themselves.
Man-in-the-middle activities using arbitrary certificates
Intelligence agencies and investigating authorities can exploit vulnerabilities with certificate authorities by using a valid certificate from another host to impersonate someone else.
Fake certificate chains
By using special intermediate CA certificates, attackers have the ability to hack into encrypted connections and analyze their content.
Key generation
Some certificate authorities also handle the generation of keys. This poses a security risk, because the private key must be generated on the user’s own computer.
Compromised certificates
If the private key is stolen without the owner of the certificate being aware of it, attackers can use it to decrypt encrypted data.
The POODLE attack is one of the known attacks on SSL. It is a type of man-in-the-middle attack in which attackers exploit the vulnerability of SSLv3. The hack causes script code to be executed on the victim’s computer. Hackers are then able to access sensitive information such as online banking login data.
Another known attack is the Heartbleed exploit. It uses a known security bug in the TLS heartbeat, where client and server send a payload packet back and forth to ensure that the connection is still ok. By tampering with the length field specified in the payload packet on the sender side, attackers are able to read remote data.
