Transport Layer Security

From Wikipedia, the free encyclopedia - View original article

 
Jump to: navigation, search

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.[1] They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). An important property in this context is forward secrecy, so the short-term session key cannot be derived from the long-term asymmetric secret key.[2]

As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM).[3][4]

In the Internet Protocol Suite, TLS and SSL encrypt the data of network connections in the application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (session layer) and works at layer 6 (the presentation layer).[citation needed] The session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

TLS is an Internet Engineering Task Force (IETF) standards track protocol, first defined in 1999 and last updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It is based on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications[5] for adding the HTTPS protocol to their Navigator web browser.

Description[edit]

The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

Since protocols can operate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. There are two main ways of achieving this. One option is to use a different port number for TLS connections (for example port 443 for HTTPS). The other is for the client to request that the server switch the connection to TLS using a protocol-specific mechanism (for example STARTTLS for mail and news protocols).

Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure.[6] During this handshake, the client and server agree on various parameters used to establish the connection's security:

  1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.
  2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.
  3. The client uses the information sent by the server to authenticate the server—e.g., in the case of a web browser connecting to a web server, the browser checks whether the received certificate's subject name actually matches the name of the server being contacted, whether the issuer of the certificate is a trusted certificate authority, whether the certificate has expired, and, ideally, whether the certificate has been revoked.[7] If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to the next step.
  4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher in use) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.
  5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.
  6. If the server has requested client authentication, the server attempts to authenticate the client. If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.
  7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).
  8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
  9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.

The SSL handshake is now complete and the session begins. The client and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its integrity.

This is the normal operation condition of the secure channel. At any time, due to internal or external stimulus (either automation or user intervention), either side may renegotiate the connection, in which case, the process repeats itself.[8]

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails and the connection is not created.

In step 3, the client must check a chain of "signatures" from a "root of trust" built into, or added to, the client. The client must also check that none of these have been revoked; this is not often implemented correctly,[citation needed] but is a requirement of any public-key authentication system. If the particular signer beginning this server's chain is trusted, and all signatures in the chain remain trusted, then the Certificate (thus the server) is trusted.

History and development[edit]

Secure Network Programming API[edit]

Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting preexisting network applications with security measures.[9]

SSL 1.0, 2.0 and 3.0[edit]

The SSL protocol was originally developed by Netscape.[10] Version 1.0 was never publicly released; version 2.0 was released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0."[11] SSL version 3.0, released in 1996, was a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.

The basic algorithm was written by Dr. Taher Elgamal. As the Chief Scientist of Netscape, Taher was recognized as the "father of SSL".[12][13]

TLS 1.0[edit]

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0." TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.[14]:1–2

TLS 1.1[edit]

TLS 1.1 was defined in RFC 4346 in April 2006.[15] It is an update from TLS version 1.0. Significant differences in this version include:

TLS 1.2[edit]

TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences include:

All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions will never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

TLS 1.3 (draft)[edit]

As of July 2014, TLS 1.3 is a draft and details have not fixed yet.[16][17] It is based on the earlier TLS 1.1 and 1.2 specification. Major differences from TLS 1.2 include:

Algorithm[edit]

Key exchange or key agreement[edit]

See also: Cipher suite

Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see Cipher). Among the methods used for key exchange/agreement are: public and private keys generated with RSA (denoted TLS_RSA in the TLS handshake protocol), Diffie-Hellman (denoted TLS_DH in the TLS handshake protocol), ephemeral Diffie-Hellman (denoted TLS_DHE in the handshake protocol), Elliptic Curve Diffie-Hellman (denoted TLS_ECDH), ephemeral Elliptic Curve Diffie-Hellman (TLS_ECDHE), anonymous Diffie-Hellman (TLS_DH_anon),[18] and PSK (TLS_PSK).[19]

The TLS_DH_anon and TLS_ECDH_anon key agreement method does not authenticate the server or the user and hence is rarely used because those are vulnerable to Man-in-the-middle attack. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, Google announced that it would no longer use 1024 bit public keys and would switch instead to 2048 bit keys to increase the security of the TLS encryption it provides to its users.[20]

Authentication and key exchange/agreement
AlgorithmSSL 2.0SSL 3.0TLS 1.0TLS 1.1TLS 1.2
RSAYesYesYesYesYes
DH-RSANoYesYesYesYes
DHE-RSA (forward secrecy)
ECDH-RSANoNoYesYesYes
ECDHE-RSA (forward secrecy)
DH-DSSNoYesYesYesYes
DHE-DSS (forward secrecy)
ECDH-ECDSANoNoYesYesYes
ECDHE-ECDSA (forward secrecy)
DH-ANON (insecure)NoYesYesYesYes
ECDH-ANON (insecure)NoNoYesYesYes

Cipher[edit]

Cipher security against publicly known feasible attacks
CipherProtocol version
TypeAlgorithmStrength (bits)SSL 2.0SSL 3.0
[note 1][note 2][note 3]
TLS 1.0
[note 1][note 3]
TLS 1.1
[note 1]
TLS 1.2
[note 1]
Block cipher
with
mode of operation
AES CBC[note 4]128, 256N/AN/ADepends on mitigationsSecureSecure
AES GCM[21][note 5]N/AN/AN/AN/ASecure
AES CCM[22][note 5]N/AN/AN/AN/ASecure
CAMELLIA CBC[23][note 4]128, 256N/AN/ADepends on mitigationsSecureSecure
CAMELLIA GCM[24][note 5]N/AN/AN/AN/ASecure
SEED CBC[25][note 4]128N/AN/ADepends on mitigationsSecureSecure
ARIA CBC[26][note 4]128, 256N/AN/ADepends on mitigationsSecureSecure
ARIA GCM[26][note 5]N/AN/AN/AN/ASecure
IDEA CBC[note 4][note 6]128InsecureDepends on mitigationsDepends on mitigationsSecureN/A
3DES EDE CBC[note 4]112[note 7]InsecureLow strength, Depends on mitigationsLow strength, Depends on mitigationsLow strengthLow strength
DES CBC[note 4][note 6]56InsecureInsecureInsecureInsecureN/A
40[note 8]InsecureInsecureInsecureN/AN/A
RC2 CBC[note 4]40[note 8]InsecureInsecureInsecureN/AN/A
Stream cipherCHACHA20+POLY1305[30][note 5]256N/AN/AN/AN/ASecure
RC4[note 9]128InsecureInsecureInsecureInsecureInsecure
40[note 8]InsecureInsecureInsecureN/AN/A
no encryptionNULL-N/AInsecureInsecureInsecureInsecure
Notes
  1. ^ a b c d RFC 5746 must be implemented in order to fix a renegotiation flaw that would otherwise break this protocol.
  2. ^ If libraries implement fixes listed in RFC 5746, this will violate the SSL 3.0 specification, which the IETF cannot change unlike TLS. Fortunately, most current libraries implement the fix and disregard the violation that this causes.
  3. ^ a b the BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client. See #Web browsers.
  4. ^ a b c d e f g h CBC ciphers can be attacked with the Lucky 13 attack if the library is not written carefully to eliminate timing side channels.
  5. ^ a b c d e AEAD ciphers (such as GCM and CCM) can be used in only TLS 1.2.
  6. ^ a b IDEA and DES have been removed from TLS 1.2.[27]
  7. ^ Although the key length of 3DES is 168 bits, effective security strength of 3DES is only 112 bits,[28] which is below the recommended minimum of 128 bits.[29]
  8. ^ a b c 40 bits strength of cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  9. ^ the RC4 attacks weaken or break RC4 used in SSL/TLS

Data integrity[edit]

Message authentication code (MAC) is used for data integrity. HMAC is used for CBC mode of block ciphers and stream ciphers. AEAD is used for Authenticated encryption such GCM mode and CCM mode.

Data integrity
AlgorithmSSL 2.0SSL 3.0TLS 1.0TLS 1.1TLS 1.2
HMAC-MD5YesYesYesYesYes
HMAC-SHA1NoYesYesYesYes
HMAC-SHA256/384NoNoNoNoYes
AEADNoNoNoNoYes

Applications and adoption[edit]

In applications design, TLS is usually implemented on top of any of the Transport Layer protocols, encapsulating the application-specific protocols such as HTTP, FTP, SMTP, NNTP and XMPP. Historically it has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

Websites[edit]

A prominent use of TLS is for securing World Wide Web traffic between the website and the browser carried by HTTP to form HTTPS. Notable applications are electronic commerce and asset management.

Website protocol support
Protocol
version
Website
support[31]
Security[31][32]
SSL 2.021.1% (−0.3%)Insecure
SSL 3.098.7% (−0.2%)Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.099.3% (+0.1%)Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.136.0% (+2.0%)Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.238.5% (+1.5%)Depends on cipher[n 1] and client mitigations[n 2]
Notes
  1. ^ a b c d see #Cipher table below
  2. ^ a b c d see #Web browsers and #Attacks against TLS/SSL sections

Web browsers[edit]

Further information: Comparison of web browsers

As of July 2014, the latest version of all major web browsers support SSL 3.0, TLS 1.0, 1.1, and 1.2 enabled by default and mitigations against known attacks have been implemented. However, there are still problems on several version of browsers which are not the latest but still supported.

Browser support for TLS/SSL
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0TLS 1.0TLS 1.1TLS 1.2EV certificate[33]SHA-2 certificate[34]Vulnerabilities Fixed[notes 1]
Google Chrome
[notes 2]
[notes 3]
0–9Android,
iOS,
Linux,
Mac OS X,
Windows
Disabled by defaultYesYesNoNosince v1NoNo, discontinued
10–21No[38]YesYesNoNoYesNounknown, assume No, discontinued
22–29NoYesYesYes[39]No[39][40][41][42]Yessince v26unknown, assume No, discontinued
30–[notes 4]NoYesYesYesYes[40][41][42]YesYesYes
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0TLS 1.0TLS 1.1TLS 1.2EV certificateSHA-2 certificateVulnerabilities Fixed
Mozilla Firefox
[notes 5]
1, 1.5Android,
Firefox OS,
Linux,
Mac OS X,
Windows
Yes[43]Yes[43]Yes[43]NoNoNosince 1.5No, discontinued
2–7Disabled by default[43][44]YesYesNoNosince v3YesNo, discontinued
8–22
ESR 10, 17
No[44]YesYesNoNoYesYesunknown, assume No, discontinued
23NoYesYesDisabled by default[45]NoYesYesunknown, assume No, discontinued
24–26NoYesYesDisabled by defaultDisabled by default[46]YesYesunknown, discontinued
ESR 24Yes
27–[notes 4]
ESR 31–
NoYesYesYes[47][48]Yes[49][48]YesYesYes
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0TLS 1.0TLS 1.1TLS 1.2EV certificateSHA-2 certificateVulnerabilities Fixed
Internet Explorer
[notes 6]
2Windows 3.1, 95, NT 3.1[notes 7]YesNoNoNoNoNoNoNo, discontinued
3YesYes[54]NoNoNoNoNoNo, discontinued
4-6Windows 3.1, 95, 98, ME
Windows NT 3.x, 4
Windows 2000[notes 7]
YesYesDisabled by default[54]NoNoNoNoNo, discontinued
(latest for Win 3.1, 95, 98, ME
Windows NT 3.x, 4, Windows 2000)
6Windows XP[notes 7]YesYesDisabled by defaultNoNoNowith SP3[55]Yes, discontinued
7, 8Disabled by default[56]YesYes[56]NoNoYeswith SP3[55]Yes, discontinued (latest for Win XP)
6Windows Server 2003[notes 7]YesYesDisabled by defaultNoNoNowith KB 938397, 968730[55]Yes
7, 8Disabled by default[56]YesYes[56]NoNoYeswith KB 938397, 968730[55]Yes (latest for Server 2003)
7–9Windows Vista / 2008Disabled by defaultYesYesNoNoYesYesYes (latest for Win Vista / 2008)
8–10Windows 7 / 2008R2Disabled by defaultYesYesDisabled by default[57]Disabled by default[57]YesYesYes
10Windows 8 / 2012Disabled by defaultYesYesDisabled by defaultDisabled by defaultYesYesYes (latest for Win 8 / 2012)
11Windows 7 / 2008R2Disabled by defaultYesYesYes[58]Yes[58]YesYesYes[59] (latest for Win 7 / 2008R2, 8.1 / 2012R2)
Windows 8.1 / 2012R2
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0TLS 1.0TLS 1.1TLS 1.2EV certificateSHA-2 certificateVulnerabilities Fixed
Opera
[notes 8]
[notes 9]
5–7Android,
iOS,[citation needed]
Linux,
Mac OS X,
Windows
Yes[61]Yes[61]Yes[61]NoNoNoNoNo, discontinued
8YesYesYesDisabled by default[62]NoNoNoNo, discontinued
9Disabled by default[63]YesYesYesNosince v9.5YesNo, discontinued
10–12No[64]YesYesDisabled by defaultDisabled by default[64]YesYessince version 11.60+(latest for Linux, with Presto)
14–16NoYesYesYes[65]No[65]YesYesunknown, discontinued
17–[notes 4]NoYesYesYes[66]Yes[66]YesYesYes (latest for Windows, OS X, Android)
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0TLS 1.0TLS 1.1TLS 1.2EV certificateSHA-2 certificateVulnerabilities Fixed
Safari
[notes 10]
1–5Mac OS X 10.0–10.6No[71]YesYesNoNosince v3.2since OS X 10.5No, discontinued (latest for OS X 10.0–10.6)
Mac OS X 10.7
6Mac OS X 10.7NoYesYesNoNoYesYesNo (latest for OS X 10.7)
Mac OS X 10.8Yes[notes 11] (latest for OS X 10.8)
7Mac OS X 10.9NoYesYesYes[75]Yes[75]YesYesYes[73] (latest for OS X 10.9)
3–5iPhone (i)OS 1–4[notes 12]No[76]YesYesNoNosince v3.2since OS 3No, discontinued (latest for iPhone (i)OS 1–4)
5, 6iOS 5, 6[notes 12]NoYesYesYes[77]Yes[77]YesYesNo, discontinued (latest for iOS 5, 6)
7iOS 7[notes 12]NoYesYesYesYesYesYesYes[80] (Latest for iOS 7)
3–5WindowsNoYesYesNoNosince v3.2NoNo, discontinued (Latest for Windows)
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0TLS 1.0TLS 1.1TLS 1.2EV certificate[33]SHA-2 certificate[34]Vulnerabilities Fixed[notes 1]
Version and Platform colorSignificance
GreyMixed / Unspecified
RedFormer release; no longer supported
YellowFormer release; still supported
GreenCurrent supported release[notes 4]
Notes
  1. ^ a b Does the current browser have mitigations or is not vulnerable for all the known protocol and cipher attacks listed in this page (BEAST, CRIME, BREACH, Lucky Thirteen, see ##Attacks against TLS/SSL). Note actual security depends on other factors such as negotiated cipher, encryption strength etc (see #Cipher table). Non-current browsers will have unfixed security issues so are not considered.
  2. ^ Google Chrome (and Chromium) supports TLS 1.0, and TLS 1.1 from version 22 (it was added, then dropped from version 21). TLS 1.2 support has been added, then dropped from Chrome 29.[35][36][37]
  3. ^ Uses the TLS implementation provided by OpenSSL for Android, or by NSS for other platforms.
  4. ^ a b c d Shown Number e.g "27-" only reflect last version at the time TLS Support changed. It does not reflect the really latest current version and does not reflect that the shown version is really still suppored and have latest security patches included.
  5. ^ Uses the TLS implementation provided by NSS. As of Firefox 22, Firefox supports only TLS 1.0 despite the bundled NSS supporting TLS 1.1. Since Firefox 23, TLS 1.1 can be enabled, but was not enabled by default due to issues. Firefox 24 has TLS 1.2 support disabled by default. TLS 1.1 and TLS 1.2 have been enabled by default in Firefox 27 release.
  6. ^ IE uses the TLS implementation of the Microsoft Windows operating system provided by the SChannel security support provider. TLS 1.1 and 1.2 are disabled by default until IE11.[50][51]
  7. ^ a b c d Windows XP as well as Server 2003 and older only support weak ciphers like 3DES and RC4.[52] The weak ciphers of these SChannel version are not only used for IE. They are also used for other Microsoft products running on this OS, e.g like Office. Only Windows Server 2003 can get a manually update to support AES ciphers by KB948963[53]
  8. ^ Opera 10 added support for TLS 1.2 as of Presto 2.2. Previous support was for TLS 1.0 and 1.1. TLS 1.1 and 1.2 are disabled by default (except for version 9[60] that enabled TLS 1.1 by default).
  9. ^ TLS support of Opera 14 and above is same as that of Chrome, because Opera has migrated to Chromium backend.
  10. ^ Safari uses the operating system implementation on Mac OS X, Windows (XP, Vista, 7)[67] with unknown version,[68] Safari 5 is the last version available for Windows. OS X 10.8 on have SecureTransport support for TLS 1.1 and 1.2[69] Qualys SSL report simulates Safari 5.1.9 connecting with TLS 1.0 not 1.1 or 1.2[70]
  11. ^ In September 2013, Apple implemented BEAST mitigation in OS X 10.8 (Mountain Lion), but it was not turned on by default resulting in Safari still being theoretically vulnerable to the BEAST attack on that platform.[72][73] BEAST mitigation has been enabled by default from OS X 10.8.5 updated in February 2014.[74]
  12. ^ a b c Mobile Safari and third-party software utilizing the system UIWebView library use the iOS operating system implementation, which supports TLS 1.2 as of iOS 5.0.[77][78][79]

Libraries[edit]

Most SSL and TLS programming libraries are free and open source software.

Library support for TLS/SSL
ImplementationSSL 2.0
(insecure)
SSL 3.0TLS 1.0TLS 1.1TLS 1.2
BotanNo[a]YesYesYesYes
cryptlibNoYesYesYesYes
CyaSSLNoYesYesYesYes
GnuTLSNo[a]YesYesYesYes
MatrixSSLNo[a]YesYesYesYes
NSSDisabled by default[a]YesYesYes[83]Yes[84]
OpenSSLYesYesYesYes[85]Yes[85]
LibreSSLNoYesYesYes[85]Yes[85]
PolarSSLNoYesYesYesYes
SChannel XP/2003[86]Disabled by MSIE 7YesEnabled by MSIE 7NoNo
SChannel Vista/2008[87]Disabled by defaultYesYesNoNo
SChannel 7/2008R2, 8/1012, 8.1/2012R2[88]Disabled by defaultYesYesYesYes
Secure TransportNot anymore[b]YesYesYes[b]Yes[b]
SharkSSLNoYesYesYesYes
JSSENo[a]YesYesYesYes
ImplementationSSL 2.0
(insecure)
SSL 3.0TLS 1.0TLS 1.1TLS 1.2
  1. ^ SSL 2.0 client hello is supported even though SSL 2.0 is not supported or is disabled because of the backward compatibilities.
  2. ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. TLS 1.1 and 1.2 are available on iOS 5.0 and later, and OS X 10.8 and later.[89]

A paper presented at the 2012 ACM conference on computer and communications security[90] showed that few applications used some of these SSL libraries incorrectly, leading to vulnerabilities. According to the authors

"the root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."

Other uses[edit]

The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications use public key certificates to verify the identity of endpoints.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.[citation needed]

Security[edit]

SSL 2.0[edit]

SSL 2.0 is flawed in a variety of ways:[91]

SSL 2.0 is disabled by default, beginning with Internet Explorer 7,[92] Mozilla Firefox 2,[93] Opera 9.5,[94] and Safari. After it sends a TLS "ClientHello", if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 "ClientHello" in SSL 2.0 format to maximize the likelihood of successfully handshaking with older servers.[95] Support for SSL 2.0 (and weak 40-bit and 56-bit ciphers) has been removed completely from Opera as of version 10.[96][97]

SSL 3.0[edit]

SSL 3.0 improved upon SSL 2.0 by adding SHA-1–based ciphers and support for certificate authentication.

From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 so its derivation process is not currently considered weak. It is for this reason that SSL 3.0 implementations cannot be validated under FIPS 140-2.[98]

TLS[edit]

TLS has a variety of security measures:

Attacks against TLS/SSL[edit]

Significant attacks against TLS/SSL are listed below:

Renegotiation attack[edit]

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS. For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.[99] This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries.[100][101][102]

Version rollback attacks[edit]

Modifications to the original protocols, like False Start[103] (adopted and enabled by Google Chrome[104]) or Snap Start, have reportedly introduced limited TLS protocol version rollback attacks[105] or allowed modifications to the cipher suite list sent by the client to the server (an attacker may be able to influence the cipher suite selection in an attempt to downgrade the cipher suite strength, to use either a weaker symmetric encryption algorithm or a weaker key exchange[106]). A paper presented at an Association for Computing Machinery (ACM) conference on computer and communications security demonstrates that the False Start extension is at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.[107]

BEAST attack[edit]

On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS)[108] using a Java applet to violate same origin policy constraints, for a long-known cipher block chaining (CBC) vulnerability in TLS 1.0.[109][110] Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway[111] in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.

Mozilla updated the development versions of their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.[112]

Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets.[113]

Users of Windows 7, Windows 8 and Windows Server 2008 R2 can enable use of TLS 1.1 and 1.2, but this workaround will fail if it is not supported by the other end of the connection and will result in a fall-back to TLS 1.0.

CRIME and BREACH attacks[edit]

The authors of the BEAST attack are also the creators of the later CRIME attack, which can allow an attacker to recover the content of web cookies when data compression is used along with TLS.[114][115] When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session.

While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was announced. Built based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).[116] All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.[117] Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.[116] This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data it was meant to protect.

Padding attacks[edit]

Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013. As of February 2013, TLS implementors were still working on developing fixes to protect against this form of attack.

RC4 attacks[edit]

In spite of existing attacks on RC4 that break it, the cipher suites based on RC4 in SSL and TLS were at one time considered secure because of the way the cipher was used in these protocols defeated the attacks that broke RC4 until new attacks disclosed in March 2013 allowed RC4 in TLS to be feasibly completely broken. In 2011 the RC4 suite was actually recommended as a work around for the BEAST attack.[118] In 2013 a vulnerability was discovered in RC4 suggesting it was not a good workaround for BEAST.[32] An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table[119] to recover parts of the plaintext with a large number of TLS encryptions.[120][121] A double-byte bias attack on RC4 in TLS and SSL that requires 13 × 220 encryptions to break RC4 was unveiled on 8 July 2013, and it was described as "feasible" in the accompanying presentation at the 22nd USENIX Security Symposium on August 15, 2013.[122][123]

However, many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.8 or earlier, for iOS 6 or earlier, and for Windows; see #Web browsers). As a result, RC4 is not the best choice for TLS 1.0 anymore. The CBC ciphers which were affected by the BEAST attack in the past are becoming a more popular choice for protection.[29]

Microsoft recommends disabling RC4 where possible.[124][125]

Truncation attack[edit]

A TLS truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination.[126]

Published in July 2013,[127] the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).[126] This vulnerability also requires access to the victim's computer.

Heartbleed Bug[edit]

The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the data payloads. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Survey of websites[edit]

As of July 2014, Trustworthy Internet Movement estimate the ratio of websites that are vulnerable to TLS attacks.[31]

Survey of the TLS vulnerabilities of the most popular websites
AttacksSecurity
InsecureDependsSecureOther
Renegotiation attackN/A4.8% (−0.2%)
support insecure renegotiation
1.3% (−0.1%)
support both
87.1% (+0.5%)
support secure renegotiation
6.8% (−0.2%)
not support
RC4 attacks1.8% (±0.0%)
support only RC4 suites
30.6% (−1.0%)
support RC4 suites used with modern browsers
58.7% (+0.7%)
support some RC4 suites
10.7% (+0.3%)
not support
N/A
BEAST attackN/A74.1% (+0.6%)
vulnerable
N/AN/AN/A
CRIME attackN/A10.0% (−1.0%)
vulnerable
N/AN/AN/A
HeartbleedN/A0.5% (−0.2%)
vulnerable
N/AN/AN/A
CVE-2014-0224N/A8.9% (−)
vulnerable
N/AN/AN/A

Forward secrecy[edit]

Main article: Forward secrecy

Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.[128] An implementation of TLS can provide forward secrecy by requiring the use of ephemeral Diffie-Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g., Gmail and other Google HTTPS services that use OpenSSL.[129] However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.[130][131] Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided of course that these past sessions were intercepted and stored at the time of transmission).[132] In practice, unless a web service uses Diffie-Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.[133]

Even where Diffie-Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use of TLS session tickets (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.[134][135][136]

Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search among other services.[137] Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.[138] As of July 2014, 10.1% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers.[31]

Avoiding Triple-DES CBC[edit]

Some experts recommend avoiding Triple-DES CBC. Since the last supported ciphers developed to support any program using Windows XP's SSL/TLS library like Internet Explorer on Windows XP are RC4 and Triple-DES, this makes it difficult to support SSL for any program using this library on XP.[29]

Dealing with MITM attacks[edit]

Certificate pinning[edit]

One way to detect and block many kinds of MITM attacks is "certificate pinning", sometimes called "SSL pinning".[139] A client that does certificate pinning adds an extra step to the normal TLS protocol or SSL protocol: After obtaining the server's certificate in the standard way, the client checks the server's certificate against trusted validation data. Typically the trusted validation data is bundled with the application, in the form of a trusted copy of that certificate, or a trusted hash or fingerprint of that certificate or the certificate's public key. For example, Chromium and Google Chrome include validation data for the *.google.com certificate that detected fraudulent certificates in 2011.

In other systems the client hopes that the first time it obtains a server's certificate it is trustworthy and stores it; during later sessions with that server, the client checks the server's certificate against the stored certificate to guard against later MITM attacks.

Perspectives Project[edit]

The Perspectives Project[140] operates network notaries that clients can use to detect if a site's certificate has changed. By their nature, man-in-the-middle attacks place the attacker between the destination and a single specific target. As such, Perspectives would warn the target that the certificate delivered to the web browser does not match the certificate seen from other perspectives - the perspectives of other users in different times and places. Use of network notaries from a multitude of perspectives makes it possible for a target to detect an attack even if a certificate appears to be completely valid.

Protocol details[edit]

The TLS protocol exchanges records—which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.

TLS handshake[edit]

When the connection starts, the record encapsulates a "control" protocol—the handshake messaging protocol  (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the messages formatting or containing this information and the order of their exchange. These may vary according to the demands of the client and server—i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).

Basic TLS handshake[edit]

A simple connection example follows, illustrating a handshake where the server (but not the client) is authenticated by its certificate:

  1. Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested CipherSuites and suggested compression methods. If the client is attempting to perform a resumed handshake, it may send a session ID.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, CipherSuite and compression method from the choices offered by the client. To confirm or allow resumed handshakes the server may send a session ID. The chosen protocol version should be the highest that both the client and server support. For example, if the client supports TLS1.1 and the server supports TLS1.2, TLS1.1 should be selected; SSL 3.0 should not be selected.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[141]
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.
    • Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated)."
    • The server sends its authenticated and encrypted Finished message.
    • The client performs the same decryption and verification.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not authenticate.

Client-authenticated TLS handshake[edit]

The following full example shows a client being authenticated (in addition to the server like above) via TLS using certificates exchanged between both peers.

  1. Negotiation Phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[141]
    • The server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message.
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a Certificate message, which contains the client's certificate.
    • The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
    • The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). " The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). "
    • The server sends its own encrypted Finished message.
    • The client performs the same decryption and verification.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Resumed TLS handshake[edit]

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.

Apart from the performance benefit, resumed sessions can also be used for single sign-on as it is guaranteed that both the original session as well as any resumed session originate from the same client. This is of particular importance for the FTP over TLS/SSL protocol which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.[142]

Session IDs[edit]

In an ordinary full handshake, the server sends a session id as part of the ServerHello message. The client associates this session id with the server's IP address and TCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

  1. Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the session id from the previous TLS connection.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the session id sent by the client, it responds with the same session id. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the session id sent by the client, it sends a different value for its session id. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the "master secret" and random data to generate the key data to be used for this connection.
  2. The server now sends a ChangeCipherSpec record, essentially telling the client, "Everything I tell you from now on will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the server sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The client will attempt to decrypt the server's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the client sends a ChangeCipherSpec, telling the server, "Everything I tell you from now on will be encrypted. "
    • The client sends its own encrypted Finished message.
    • The server performs the same decryption and verification.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.
Session tickets[edit]

RFC 5077 extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.

When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.

One particular weakness of this method is that it always limits encryption and authentication security of the transmitted TLS session ticket to AES128-CBC-SHA256, no matter what other TLS parameters were negotiated for the actual TLS session.[135] This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (SSL_CTX), i.e. for the life of the application, and not allowing for re-keying of the AES128-CBC-SHA256 TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).[136][134]

TLS record[edit]

This is the general format of all TLS records.

+Byte +0Byte +1Byte +2Byte +3
Byte
0
Content type 
Bytes
1..4
VersionLength
(Major)(Minor)(bits 15..8)(bits 7..0)
Bytes
5..(m-1)
Protocol message(s)
Bytes
m..(p-1)
MAC (optional)
Bytes
p..(q-1)
Padding (block ciphers only)
Content type
This field identifies the Record Layer Protocol Type contained in this Record.
Content types
HexDecType
0x1420ChangeCipherSpec
0x1521Alert
0x1622Handshake
0x1723Application
0x1824Heartbeat
Version
This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.
Versions
Major
Version
Minor
Version
Version Type
30SSL 3.0
31TLS 1.0
32TLS 1.1
33TLS 1.2
Length
The length of Protocol message(s), MAC and Padding, not to exceed 214 bytes (16 KiB).
Protocol message(s)
One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
MAC and Padding
A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
No MAC or Padding can be present at end of TLS records before all cipher algorithms and parameters have been negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) for signalling that these parameters will take effect in all further records sent by the same peer.

Handshake protocol[edit]

Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).

+Byte +0Byte +1Byte +2Byte +3
Byte
0
22 
Bytes
1..4
VersionLength
(Major)(Minor)(bits 15..8)(bits 7..0)
Bytes
5..8
Message typeHandshake message data length
(bits 23..16)(bits 15..8)(bits 7..0)
Bytes
9..(n-1)
Handshake message data
Bytes
n..(n+3)
Message typeHandshake message data length
(bits 23..16)(bits 15..8)(bits 7..0)
Bytes
(n+4)..
Handshake message data
Message type
This field identifies the Handshake message type.
Message Types
CodeDescription
0HelloRequest
1ClientHello
2ServerHello
4NewSessionTicket
11Certificate
12ServerKeyExchange
13CertificateRequest
14ServerHelloDone
15CertificateVerify
16ClientKeyExchange
20Finished
Handshake message data length
This is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple Handshake messages may be combined within one record.

Alert protocol[edit]

This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

+Byte +0Byte +1Byte +2Byte +3
Byte
0
21 
Bytes
1..4
VersionLength
(Major)(Minor)02
Bytes
5..6
LevelDescription 
Bytes
7..(p-1)
MAC (optional)
Bytes
p..(q-1)
Padding (block ciphers only)
Level
This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).
Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).
Alert level types
CodeLevel typeConnection state
1warningconnection or security may be unstable.
2fatalconnection or security may be compromised, or an unrecoverable error has occurred.
Description
This field identifies which type of alert is being sent.
Alert description types
CodeDescriptionLevel typesNote
0Close notifywarning/fatal
10Unexpected messagefatal
20Bad record MACfatalPossibly a bad SSL implementation, or payload has been tampered with e.g. FTP firewall rule on FTPS server.
21Decryption failedfatalTLS only, reserved
22Record overflowfatalTLS only
30Decompression failurefatal
40Handshake failurefatal
41No certificatewarning/fatalSSL 3.0 only, reserved
42Bad certificatewarning/fatal
43Unsupported certificatewarning/fatale.g. certificate has only Server authentication usage enabled and is presented as a client certificate
44Certificate revokedwarning/fatal
45Certificate expiredwarning/fatalCheck server certificate expire also check no certificate in the chain presented has expired
46Certificate unknownwarning/fatal
47Illegal parameterfatal
48Unknown CA (Certificate authority)fatalTLS only
49Access deniedfatalTLS only – e.g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one.
50Decode errorfatalTLS only
51Decrypt errorwarning/fatalTLS only
60Export restrictionfatalTLS only, reserved
70Protocol versionfatalTLS only
71Insufficient securityfatalTLS only
80Internal errorfatalTLS only
90User canceledfatalTLS only
100No renegotiationwarningTLS only
110Unsupported extensionwarningTLS only
111Certificate unobtainablewarningTLS only
112Unrecognized namewarningTLS only; client's Server Name Indicator specified a hostname not supported by the server
113Bad certificate status responsefatalTLS only
114Bad certificate hash valuefatalTLS only
115Unknown PSK identity (used in TLS-PSK and TLS-SRP)fatalTLS only
120No Application ProtocolfatalTLS only, client's ALPN did not contain any server-supported protocols

ChangeCipherSpec protocol[edit]

+Byte +0Byte +1Byte +2Byte +3
Byte
0
20 
Bytes
1..4
VersionLength
(Major)(Minor)01
Byte
5
CCS protocol type 
CCS protocol type
Currently only 1.

Application protocol[edit]

+Byte +0Byte +1Byte +2Byte +3
Byte
0
23 
Bytes
1..4
VersionLength
(Major)(Minor)(bits 15..8)(bits 7..0)
Bytes
5..(m-1)
Application data
Bytes
m..(p-1)
MAC (optional)
Bytes
p..(q-1)
Padding (block ciphers only)
Length
Length of Application data (excluding the protocol header and including the MAC and padding trailers)
MAC
20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.
Padding
Variable length; last byte contains the padding length.

Support for name-based virtual servers[edit]

From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the application protocol can start. In the name-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

There are two known workarounds provided by X.509:

In order to provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a Server Name Indication extension (SNI) in the extended ClientHello message. This extension hints the server immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to the client.

Standards[edit]

The current approved version of TLS is version 1.2, which is specified in:

The current standard replaces these former versions, which are now considered obsolete:

as well as the never standardized SSL 2.0 and 3.0:

Other RFCs subsequently extended TLS.

Extensions to TLS 1.0 include:

Extensions to TLS 1.1 include:

Extensions to TLS 1.2 include:

Encapsulations of TLS include:

See also[edit]

References[edit]

  1. ^ T. Dierks, E. Rescorla (August 2008). "The Transport Layer Security (TLS) Protocol, Version 1.2". 
  2. ^ SSL: Intercepted today, decrypted tomorrow, Netcraft, 2013-06-25.
  3. ^ Law Enforcement Appliance Subverts SSL, Wired, 2010-04-03.
  4. ^ New Research Suggests That Governments May Fake SSL Certificates, EFF, 2010-03-24.
  5. ^ A. Freier, P. Karlton, P. Kocher (August 2011). "The Secure Sockets Layer (SSL) Protocol Version 3.0". 
  6. ^ "SSL/TLS in Detail". Microsoft TechNet. Updated July 31, 2003.
  7. ^ Checking for certificate revocation can slow down browsing, so browsers generally don't perform this check unless so configured.
  8. ^ "Description of the Secure Sockets Layer (SSL) Handshake". Support. microsoft.com. 2008-07-07. Retrieved 2012-05-17. 
  9. ^ Thomas Y. C. Woo, Raghuram Bindignavle, Shaowen Su and Simon S. Lam, SNP: An interface for secure network programming Proceedings USENIX Summer Technical Conference, June 1994
  10. ^ "THE SSL PROTOCOL". Netscape Corporation. 2007. Archived from the original on 14 June 1997. 
  11. ^ Rescorla 2001
  12. ^ Messmer, Ellen. "Father of SSL, Dr. Taher Elgamal, Finds Fast-Moving IT Projects in the Middle East". Network World. Retrieved 30 May 2014. 
  13. ^ Greene, Tim. "Father of SSL says despite attacks, the security linchpin has lots of life left". Network World. Retrieved 30 May 2014. 
  14. ^ a b c Polk, Tim; McKay, Terry; Chokhani, Santosh (April 2014). "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations". National Institute of Standards and Technology. p. 67. Retrieved 2014-05-07. 
  15. ^ Dierks, T. and E. Rescorla (April 2006). "The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346". 
  16. ^ draft-ietf-tls-tls13-02
  17. ^ draft-ietf-tls-tls13-latest
  18. ^ "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2". Internet Engineering Task Force. Retrieved 9 September 2013. 
  19. ^ P. Eronen, Ed. "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)". Internet Engineering Task Force. Retrieved 9 September 2013. 
  20. ^ Gothard, Peter. "Google updates SSL certificates to 2048-bit encryption". Computing. Incisive Media. Retrieved 9 September 2013. 
  21. ^ RFC 5288
  22. ^ RFC 6655
  23. ^ RFC 5932, RFC 6367
  24. ^ RFC 6367
  25. ^ RFC 4162
  26. ^ a b RFC 6209
  27. ^ RFC 5469
  28. ^ "NIST Special Publication 800-57 Recommendation for Key Management — Part 1: General (Revised)". 2007-03-08. Retrieved 2014-07-03. 
  29. ^ a b c Qualys SSL Labs. "SSL/TLS Deployment Best Practices". Retrieved 19 November 2013. 
  30. ^ draft-agl-tls-chacha20poly1305-04, draft-mavrogiannopoulos-chacha-tls-02
  31. ^ a b c d As of July 3, 2014. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2014-07-08. 
  32. ^ a b ivanr. "RC4 in TLS is Broken: Now What?". Qualsys Security Labs. Retrieved 2013-07-30. 
  33. ^ a b "What browsers support Extended Validation (EV) and display an EV indicator?". Symantec. Retrieved 2014-07-28. 
  34. ^ a b "SHA-256 Compatibility". Retrieved 2014-07-02. 
  35. ^ Google (2012-05-29). "Dev Channel Update". Retrieved 2011-06-01. 
  36. ^ Google (2012-08-21). "Stable Channel Update". Retrieved 2012-08-22. 
  37. ^ Chromium Project (2013-05-30). "Chromium TLS 1.2 Implementation". 
  38. ^ "SVN revision log on Chrome 10.0.648.127 release". Retrieved 2014-06-19. 
  39. ^ a b "SSL/TLS Overview". 2008-08-06. Retrieved 2013-03-29. 
  40. ^ a b "Chromium Issue 90392". 2008-08-06. Retrieved 2013-06-28. 
  41. ^ a b "Issue 23503030 Merge 219882". 2013-09-03. Retrieved 2013-09-19. 
  42. ^ a b "Issue 278370: Unable to submit client certificates over TLS 1.2 from Windows". 2013-08-23. Retrieved 2013-10-03. 
  43. ^ a b c d "Security in Firefox 2". 2008-08-06. Retrieved 2009-03-31. 
  44. ^ a b "Introduction to SSL". MDN. Retrieved 2014-06-19. 
  45. ^ "Bug 565047 – (RFC4346) Implement TLS 1.1 (RFC 4346)". Retrieved 2013-10-29. 
  46. ^ "Bug 480514 – Implement support for TLS 1.2 (RFC 5246)". Retrieved 2013-10-29. 
  47. ^ "Bug 733647 – Implement TLS 1.1 (RFC 4346) in Gecko (Firefox, Thunderbird), on by default". Retrieved 2013-12-04. 
  48. ^ a b "Firefox Notes – Desktop". 2014-02-04. Retrieved 2014-02-04. 
  49. ^ "Bug 861266 – Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default". Retrieved 2013-11-18. 
  50. ^ Microsoft (2012-09-05). "Secure Channel". Retrieved 2012-10-18. 
  51. ^ Microsoft (2009-02-27). "MS-TLSP Appendix A". Retrieved 2009-03-19. 
  52. ^ http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512(v=vs.85).aspx
  53. ^ http://support.microsoft.com/kb/948963
  54. ^ a b "What browsers only support SSLv2?". Retrieved 2014-06-19. 
  55. ^ a b c d "SHA2 and Windows - Windows PKI blog - Site Home - TechNet Blogs". 2010-09-30. Retrieved 2014-07-29. 
  56. ^ a b c d "HTTPS Security Improvements in Internet Explorer 7". Retrieved 2013-10-29. 
  57. ^ a b "Windows 7 adds support for TLSv1.1 and TLSv1.2 - IEInternals - Site Home - MSDN Blogs". Retrieved 2013-10-29. 
  58. ^ a b Microsoft (2013-09-24). "IE11 Changes". Retrieved 2013-11-01. 
  59. ^ Microsoft (2013-06-24). "Release Notes: Important Issues in Windows 8.1 Preview". Retrieved 2013-10-29. 
  60. ^ "Changelog for Opera 9.0 for Windows" at Opera.com
  61. ^ a b c "Changelog for Opera 5.x for Windows". Retrieved 2014-06-19. 
  62. ^ "Changelog for Opera [8] Beta 2 for Windows". Retrieved 2014-06-19. 
  63. ^ "Web Specifications Supported in Opera 9". Retrieved 2014-06-19. 
  64. ^ a b "Opera: Opera 10 beta for Windows changelog". Retrieved 2014-06-19. 
  65. ^ a b same as Chrome 27–29
  66. ^ a b same as Chrome 30-
  67. ^ Adrian, Dimcev. "Common browsers/libraries/servers and the associated cipher suites implemented". TLS Cipher Suites Project. 
  68. ^ Apple (2009-06-10). "Features". Retrieved 2009-06-10. 
  69. ^ Curl: Patch to add TLS 1.1 and 1.2 support & replace deprecated functions in SecureTransport
  70. ^ Qualys SSL Report: google.co.uk (simulation Safari 5.1.9 TLS 1.0)
  71. ^ "Apple Secures Mac OS X with Mavericks Release - eSecurity Planet". 2013-10-25. Retrieved 2014-06-23. 
  72. ^ Ristic, Ivan. "Is BEAST Still a Threat?". qualys.com. 
  73. ^ a b Ivan Ristić (2013-10-31). "Apple enabled BEAST mitigations in OS X 10.9 Mavericks". Retrieved 2013-11-07. 
  74. ^ Ivan Ristić (2014-02-26). "Apple finally releases patch for BEAST". Retrieved 2014-07-01. 
  75. ^ a b "About the security content of OS X Mavericks v10.9". Retrieved 2014-06-20. 
  76. ^ "Secure Transport Reference". Retrieved 2014-06-23.  kSSLProtocol2 is deprecated in iOS
  77. ^ a b c Apple (2011-10-14). "Technical Note TN2287 – iOS 5 and TLS 1.2 Interoperability Issues". Retrieved 2012-12-10. 
  78. ^ Liebowitz, Matt (2011-10-13). "Apple issues huge software security patches". NBCNews.com. Retrieved 2012-12-10. 
  79. ^ MWR Info Security (2012-04-16). "Adventures with iOS UIWebviews". Retrieved 2012-12-10. , section "HTTPS (SSL/TLS)"
  80. ^ schurtertom (October 11, 2013). "SOAP Request fails randomly on one Server but works on an other on iOS7". Retrieved January 5, 2014. 
  81. ^ Oracle. "Java Cryptography Architecture Oracle Providers Documentation". Retrieved 2012-08-16. 
  82. ^ Oracle. "JDK 8 Security Enhancements". Retrieved 2014-03-25. [dead link]
  83. ^ "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27. 
  84. ^ "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10. 
  85. ^ a b c d www.openssl.org/news/changelog.html
  86. ^ TLS cipher suites in Microsoft Windows XP and 2003
  87. ^ SChannel Cipher Suites in Microsoft Windows Vista
  88. ^ TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
  89. ^ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03. 
  90. ^ Georgiev, Martin and Iyengar, Subodh and Jana, Suman and Anubhai, Rishita and Boneh, Dan and Shmatikov, Vitaly (2012). The most dangerous code in the world: validating SSL certificates in non-browser software. Proceedings of the 2012 ACM conference on Computer and communications security. pp. 38–49. ISBN 978-1-4503-1651-4. 
  91. ^ Joris Claessens, Valentin Dem, Danny De Cock, Bart Preneel, Joos Vandewalle (2002). "On the Security of Today's Online Electronic Banking Systems". Computers & Security 21 (3): 253–265. doi:10.1016/S0167-4048(02)00312-7. 
  92. ^ Lawrence, Eric (2005-10-22). "IEBlog: Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2". MSDN Blogs. Retrieved 2007-11-25. 
  93. ^ "Bugzilla@Mozilla — Bug 236933 – Disable SSL2 and other weak ciphers". Mozilla Corporation. Retrieved 2007-11-25. 
  94. ^ "Opera 9.5 for Windows Changelog" at Opera.com: "Disabled SSL v2 and weak ciphers."
  95. ^ "Firefox still sends SSLv2 handshake even though the protocol is disabled". 2008-09-11. 
  96. ^ "Opera 10 for Windows changelog" at Opera.com: "Removed support for SSL v2 and weak ciphers"
  97. ^ Pettersen, Yngve (2007-04-30). "10 years of SSL in Opera — Implementer's notes". Opera Software. Retrieved 2007-11-25. [dead link]
  98. ^ National Institute of Standards and Technology (December 2010). "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program". 
  99. ^ Eric Rescorla (2009-11-05). "Understanding the TLS Renegotiation Attack". Educated Guesswork. Retrieved 2009-11-27. 
  100. ^ "SSL_CTX_set_options SECURE_RENEGOTIATION". OpenSSL Docs. 2010-02-25. Retrieved 2010-11-18. 
  101. ^ "GnuTLS 2.10.0 released". GnuTLS release notes. 2010-06-25. Retrieved 2011-07-24. 
  102. ^ "NSS 3.12.6 release notes". NSS release notes. 2010-03-03. Retrieved 2011-07-24. 
  103. ^ A. Langley; N. Modadugu; B. Moeller (June 20120). "Transport Layer Security (TLS) False Start". Internet Engineering Task Force. IETF. Retrieved 31 July 2013. 
  104. ^ Wolfgang, Gruener. "False Start: Google Proposes Faster Web, Chrome Supports It Already". Archived from the original on October 7, 2010. Retrieved 9 March 2011. 
  105. ^ Brian, Smith. "Limited rollback attacks in False Start and Snap Start". Retrieved 9 March 2011. 
  106. ^ Adrian, Dimcev. "False Start". Random SSL/TLS 101. Retrieved 9 March 2011. 
  107. ^ Mavrogiannopoulos, Nikos and Vercautern, Frederik and Velichkov, Vesselin and Preneel, Bart (2012). A cross-protocol attack on the TLS protocol. Proceedings of the 2012 ACM conference on Computer and communications security. pp. 62–72. ISBN 978-1-4503-1651-4. 
  108. ^ Thai Duong and Juliano Rizzo (2011-05-13). "Here Come The ⊕ Ninjas". 
  109. ^ Dan Goodin (2011-09-19). "Hackers break SSL encryption used by millions of sites". 
  110. ^ "Y Combinator comments on the issue". 2011-09-20. 
  111. ^ "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures". 2004-05-20. Archived from the original on 2012-06-30. 
  112. ^ Brian Smith (2011-09-30). "(CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets −76)". 
  113. ^ "Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)". 2012-01-10. 
  114. ^ Dan Goodin (2012-09-13). "Crack in Internet's foundation of trust allows HTTPS session hijacking". Ars Technica. Retrieved 2013-07-31. 
  115. ^ Dennis Fisher (September 13, 2012). "CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions". ThreatPost. Retrieved 2012-09-13. [dead link]
  116. ^ a b Goodin, Dan (1 August 2013). "Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages". Ars Technica. Condé Nast. Retrieved 2 August 2013. 
  117. ^ Leyden, John (2 August 2013). "Step into the BREACH: New attack developed to read encrypted web data". The Register. Retrieved 2 August 2013. 
  118. ^ security – Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune – Server Fault
  119. ^ Pouyan Sepehrdad, Serge Vaudenay, Martin Vuagnoux (2011). "Discovery and Exploitation of New Biases in RC4". Lecture Notes in Computer Science 6544: 74–91. doi:10.1007/978-3-642-19574-7_5. 
  120. ^ Green, Matthew. "Attack of the week: RC4 is kind of broken in TLS". Cryptography Engineering. Retrieved March 12, 2013. 
  121. ^ Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt. "On the Security of RC4 in TLS". Royal Holloway University of London. Retrieved March 13, 2013. 
  122. ^ AlFardan, Nadhem J.; Bernstein, Daniel J.; Paterson, Kenneth G.; Poettering, Bertram; Schuldt, Jacob C. N. (8 July 2013). On the Security of RC4 in TLS and WPA (PDF). Retrieved 2 September 2013. 
  123. ^ AlFardan, Nadhem J.; Bernstein, Daniel J.; Paterson, Kenneth G.; Poettering, Bertram; Schuldt, Jacob C. N. (15 August 2013). "On the Security of RC4 in TLS" (PDF). 22nd USENIX Security Symposium. p. 51. Retrieved 2 September 2013. "Plaintext recovery attacks against RC4 in TLS are feasible although not truly practical" 
  124. ^ "Security Advisory 2868725: Recommendation to disable RC4". Microsoft. 2013-11-12. Retrieved 2013-12-04. 
  125. ^ "draft-popov-tls-prohibiting-rc4-02". 
  126. ^ a b John Leyden (1 August 2013). "Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack". The Register. Retrieved 1 August 2013. 
  127. ^ "BlackHat USA Briefings". Black Hat 2013. Retrieved 1 August 2013. 
  128. ^ Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges". Designs, Codes and Cryptography 2 (2): 107–125. doi:10.1007/BF00124891. Retrieved 2008-02-11. 
  129. ^ "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05. 
  130. ^ Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05. 
  131. ^ "SSL Labs: Deploying Forward Secrecy". Qualys.com. 25 June 2013. Retrieved 10 July 2013. 
  132. ^ Discussion on the TLS mailing list in October 2007
  133. ^ Ristic, Ivan (5 August 2013). "SSL Labs: Deploying Forward Secrecy". Qualsys. Retrieved 31 August 2013. 
  134. ^ a b Langley, Adam (27 June 2013). "How to botch TLS forward secrecy". imperialviolet.org. 
  135. ^ a b Daignière, Florent. "TLS "Secrets": Whitepaper presenting the security implications of the deployment of session tickets (RFC 5077) as implemented in OpenSSL". Matta Consulting Limited. Retrieved 7 August 2013. 
  136. ^ a b Daignière, Florent. "TLS "Secrets": What everyone forgot to tell you...". Matta Consulting Limited. Retrieved 7 August 2013. 
  137. ^ "Protecting data for the long term with forward secrecy". Retrieved 2014-03-07. 
  138. ^ Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Twitter. Retrieved 2014-03-07. 
  139. ^ "Certificate Pinning".
  140. ^ Perspectives Project
  141. ^ a b These certificates are currently X.509, but RFC 6091 also specifies the use of OpenPGP-based certificates.
  142. ^ Chris (2009-02-18). "vsftpd-2.1.0 released – Using TLS session resume for FTPS data connection authentication". Scarybeastsecurity. blogspot.com. Retrieved 2012-05-17. 
  143. ^ "Named-based SSL virtual hosts: how to tackle the problem" (PDF). Retrieved 2012-05-17. 

Further reading[edit]

External links[edit]

This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.