What is SSL/TLS?
SSL is short for Secure Sockets Layer and describes a protocol that authenticates and encrypts internet connections. SSL has now been replaced by Transport Layer Security (TLS), but SSL is still frequently used as a synonym for encrypted internet connections.
Definition of what SSL/TLS is
In the 1990s, Netscape developed Secure Sockets Layer for their Netscape Navigator web browser. Until the late 1990s, SSL encryption was the standard for secure internet connections. SSL 3 was the last version bearing this name and was incorporated into TLS. The VPN protocol Transport Layer Security replaced SSL as the standard in 1999.
The classic use case of SSL or TLS is encrypted data transmission over HTTP. Although HTTPS certification may be optional for websites, there are hardly any companies and organizations that do not secure their sensitive data. In addition, HTTPS is now one of Google’s ranking criteria and thus an important aspect of search engine optimization. Furthermore, the encrypted transmission of emails via SSL is also possible. Other methods such as EAP-TLS, EAP-TTL, PEAP, and the LDAP protocol also rely on SSL.
How does SSL/TLS work?
The respective certificate determines how SSL and TLS work. It is essentially a handshake between the client accessing a server and the server. The server uses a certificate to authenticate itself to the client. It then sends to the server a random number encrypted using the server’s certificate. Alternatively, client and server use the Diffie-Hellman key exchange method. The client and server then calculate a key used to encode further communication.
SSL certificates are issued by official certificate authorities. There are three types of certificates, which meet different requirements:
With this certificate, the certificate authority checks the applicant’s right to use a specific domain name. DV-SSL certificates can be issued very quickly because the certificate authority does not require any additional company documents.
Organization Validation Certificate
In addition to the applicant’s right to use a specific domain, the certificate authority also checks some additional company information. A website with an OV SSL certificate shows the user more information about the operator of the website, imparting a greater level of trust.
Extended Validation Certificate
In this case, the organization submitting the application is thoroughly vetted. The Guidelines for Extended Validation, promulgated by the CA/Browser Forum in 2007, set out how the issuance process works. Among other things, companies seeking this certification must verify that the entity legally, materially, and operationally exists and has control over the domain.
Why should companies use SSL/TLS?
SSL/TLS is an important component for ensuring that online processes comply with the principles of information security:
- Encrypted data transmission: Whether between two servers, from browser to server, or even from application to server, SSL protects data during transmission.
- Server authentication: The contacted server uses SSL to authenticate itself.
- Data integrity: When data transmission is protected by SSL/TLS, webmasters and users can be sure that no tampering has taken place.
Due to its many advantages, SSL encryption is used in many areas, including securing online credit card transactions, secure data transmission in online banking and online shops, webmail and forms on websites.
How has SSL/TLS evolved?
Since the introduction of SSL 1.0 in 1994, the security protocol has evolved considerably:
With the advent of SSL, Netscape Communications responded to the need for secure data transmission between the Netscape web browser and the server it connects to.
In November of the same year, Netscape released SSL 2.0 which provided better security.
Microsoft responded to criticism of SSL with its own encryption protocol called Private Communication Technology (PCT).
SSL 3.0 was much more stable than its predecessors and no longer compatible with SSL 2.0.
TLS is an upgrade of SSL and has now become the encryption standard.
The first big update of TLS took place six years later.
TLS 1.2 met increased expectations in terms of security standards and modern browsers.
TLS 1.3 is more secure and better performing than its predecessors and represents the current official standard for transport encryption.
How secure is SSL/TLS?
SSL/TLS has some vulnerabilities that can be exploited by attackers to prevent effective authentication and encryption. The places vulnerable to attacks include the following:
There are currently over 700 certificate authorities around the world authorized to issue SSL certificates. In addition, a large number of resellers and hosting providers offer related services, where companies have no influence on the choice of certificate authority. Although software makers carry out appropriate audits before accepting a certificate authority, there is still a risk that hackers will attack such an authority and create arbitrary certificates themselves.
Man-in-the-middle activities using arbitrary certificates
Intelligence agencies and investigating authorities can exploit vulnerabilities with certificate authorities by using a valid certificate from another host to impersonate someone else.
Fake certificate chains
By using special intermediate CA certificates, attackers have the ability to hack into encrypted connections and analyze their content.
Some certificate authorities also handle the generation of keys. This poses a security risk, because the private key must be generated on the user’s own computer.
If the private key is stolen without the owner of the certificate being aware of it, attackers can use it to decrypt encrypted data.
The POODLE attack is one of the known attacks on SSL. It is a type of man-in-the-middle attack in which attackers exploit the vulnerability of SSLv3. The hack causes script code to be executed on the victim’s computer. Hackers are then able to access sensitive information such as online banking login data.
Another known attack is the Heartbleed exploit. It uses a known security bug in the TLS heartbeat, where client and server send a payload packet back and forth to ensure that the connection is still ok. By tampering with the length field specified in the payload packet on the sender side, attackers are able to read remote data.
What are the drawbacks of SSL/TLS?
Although SSL/TLS has many benefits and is the standard for encryption, the secure protocol also has a few drawbacks. Establishing the connection on the server side is CPU-intensive and thus slower with TLS encryption.
At lower layers, such as on the PPTP level, encrypted data can barely be compressed.
Another limitation of TLS is that the protocol is only suitable for encrypting communication between two stations. Therefore, TLS is not the appropriate method for encrypting messages sent over multiple stations, each of which may only read part of the information.
SSL/TLS: What you need to know
TLS is currently the standard for encrypted data transmission on the internet. For companies, TLS encryption is an important component for information security. However, the protocol also poses some security risks, which companies can avoid by relying on an excellent IT security concept.
Myra DDoS Protection, for instance, also supports encrypted HTTPS traffic.
If you are interested in futher informations, we are willing to send you our product sheet for free
How Myra DDoS Protection can reliably secure your website or web application against all DDoS attack vectors:
- How is the protection activated in case of attack?
- What are the advantages of Myra protection solution?
- What are the features of Myra DDoS Protection for web applications?