Just another TLA! Those three-letter acronyms are everywhere. It is an acronym that we often throw around within the tech industry which you have likely heard of and it’s short for Secure Socket Layer. Although SSL was replaced by a closely related and more up to date protocol named Transport Layer Security (TLS) in 2006, SSL is commonly found when conducting web application penetration tests.
Secure Sockets Layer and Transport Layer Security are one of the most widely known and commonly used cryptographic security protocols, owed for the most part, to the implementation between a web browser and a web server. These are the protocols responsible for, amongst various other applications, displaying the padlock sign next to the website address that you are browsing to within a web browser and confirm that network communication is encrypted.
The presence of a padlock does not mean that the recipient of your communication is genuine, however, it does mean that the information which you will send is encrypted to a mutually agreeable standard. Had you unwittingly clicked on a malicious link, you could very well be sending your information to a criminal, granted you would be doing so securely. Still, you would be sending your information to a criminal non the less.Here we can see an example of where a valid certificate is not present.
Similar to the notion that just because a website has a valid TLS certificate does not make it a genuine site with no negative intentions; a website that does not have a TLS certificate does not mean the site is malicious. As a rule, a user should never enter their personal information into a website which does not have a TLS certificate.
Web connections are entirely possible without TLS to secure them. However, without a security protocol in situ, the communication would be rendered hospitable for external access. The purpose of any cryptography is to ensure data confidentiality, integrity and authenticity. If a user had to enter their credentials to log in without SSL/TLS, those credentials and all information after that including payment details could be intercepted by a third party.
The SSL protocol was the primary protocol designed for this purpose and TLS as is its successor, provides exactly that with its latest versions of 1.2 and 1.3, although just as with SSL, TLS also has weak versions. The Payment Card Industry Council stated that versions of SSL and TLS 1.0 is to be considered obsolete and insecure as of 30 June 2016. Google Chrome state that after a depreciation period in early 2020, TLS 1.0. and TLS 1.1 will not be supported within their browsers and it will not be possible to connect to a server if the server does not support TLS 1.2 as a minimum.
SSL and TLS are commonly employed by web browsers to guard connections between web applications and web servers. Many other TCP-based protocols use TLS/SSL also, including instant messaging (XMPP), FTP, VoIP, VPN and email (SMTP/POP3). Typically, when a service uses a secure connection, the letter S is appended to the protocol name, for instance, HTTPS, SMTPS, FTPS, SIPS. In most cases, SSL/TLS implementations are supported by the OpenSSL library. A network assessment would clarify what services an organisation is using, FTP, HTTP and Telnet, all of which transmit information in clear text, are commonly found during infrastructure penetration tests.
When two systems (web browser and web server) that leverage TLS plan to connect, each system will make an attempt to verify that the opposite supports TLS . This process is termed as the TLS handshake where both parties decide upon the TLS version, encryption algorithm, cipher suite and confirm the authenticity of the certificate which will be utilised in the procedure. Once a TLS handshake has been successfully executed, both systems start exchanging encrypted data.
Digital certificates are important pieces within the public key cryptography domain. They’re attached to public keys and are proof that the holder of the general public key is actually the legitimate owner. Digital certificates are signed, sold, and issued by bodies called ‘Certificate Authorities’ (or CAs, for short), which are trusted bodies liable for verifying the authenticity of anyone who requests a certificate. Since major operating systems and browsers have ‘trust stores’ consisting of those CAs built into them, browsers will automatically trust certificates issued by major CAs.
Certificates are crucial to making websites easily recognisable to users as a trusted, secure page. Webpages with valid SSL/TLS certificates installed on them will have ‘https’ preceding the name of the web site within the search bar, as long as the certificate has been installed correctly. In some browsers, the utilisation of legitimate Extended Validation certificates (a TLS certificate with a few extra security features), will cause the HTTPS padlock to show green, providing visitors with additional assurance that they are on a legitimate website.
A simple, although not infallible action that we can carry out as an everyday web user is to ensure that the website’s we visit do have a valid certificate and the details are genuine. By clicking on the padlock to the left of the website address and then the word ‘Certificate’, we can see the certificate information.
Here we see that the certificate was issued to www.amazon.co.uk and it was issued by DigiCert Global CA G2. Furthermore, we can see when it was issued and when it expires. For further investigation, we could check the tabs labelled ‘Details’ and ‘Certification Path’ as well as to conduct a web search for DigiCert Global CA G2 to ensure they are a genuine certificate authority.
As mentioned above, Google Chrome won’t allow connections to a server which does not support TLS 1.2 or 1.3. Should any other browser be used then it will have to be configured manually until the provider applies the same configurations. Here are the settings for a few of the common browsers:
Open Internet Explorer, click the cog in the top right, then select Internet Options
Select the Advanced Tab then Security section
In the Security section, locate the Use SSL and Use TLS options, uncheck SSL 2.0, 3.0 and TLS 1.1
Click apply, then OK
Open Firefox and search “about:config”
Click through the warning
In the search field, type “TLS”
Double-click on security.tls.version.min
Type 1.1 in the Enter Integer Value window
Click OK
Google disabled support for weak protocols, providing you update your browser on the same schedule as all other apps then all is taken care of.
TLS is widely used throughout the tech industry, but it is within web browsers where the vast majority of us encounter its use. Unfortunately, staying secure online is not as simple as looking for a padlock next website address within our browser. There isn’t a one-stop rule which will keep you safe online as security is a holistic approach. Clicking on a link within an email may well lead to a TLS secure website, however, entering the user’s credentials into what appears to be a genuine portal will likely lead to undesired consequences. Relying on the sole presence of a padlock is not advised at the expense of forgetting all other security precautions.
Aside from HTTP, other unencrypted protocols are commonly used which should also be replaced with more secure options. HTTP, Telnet and FTP on an internal network still leak information to anyone on that network and let’s ask a serious question, do you know who is on your network? For further advice on how you can secure your systems please get in touch and speak with one of the team.