How much SSL layers important for website security?

Hosting, Webmaster, Marketing and SEO Forums Forums SSL and Security How much SSL layers important for website security?

This topic contains 2 replies, has 2 voices, and was last updated by steve Steele steveSteele 3 weeks ago.

  • Author
    Posts
  • #563 Reply
    santhoshsocial
    santhoshsocial
    Participant

    How much SSL layers important for website security?

  • #569 Reply
    steve Steele
    steveSteele
    Participant

    Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the internet. Due to numerous protocol and implementation flaws and vulnerabilities, SSL was deprecated for use on the internet by the Internet Engineering Task Force (IETF) in 2015 and has been replaced by the Transport Layer Security (TLS) protocol. While TLS and SSL are not interoperable, TLS is backwards-compatible with SSL 3.0.

    SSL uses a combination of public key and symmetric key encryption to secure a connection between two machines, typically a web or mail server and a client system, communicating over the internet or another TCP/IP network. SSL provides a mechanism for encrypting and authenticating data sent between processes running on a client and server.

    The TLS protocol evolved from SSL and has officially superseded it, although the terms SSL or SSL/TLS are still commonly used to refer to the protocol used to secure web/internet traffic. SSL/TLS is the most widely deployed security protocol used today and, according to Google, it is being used to secure more than 50% of the pages loaded by the Chrome browser. In addition to supporting the transmission of web pages, SSL has been implemented for applications including email, file transfer, instant messagingand voice over IP.

    • #570 Reply
      steve Steele
      steveSteele
      Participant

      How it works
      The SSL protocol includes two subprotocols: the record protocol and the “handshake” protocol.

      The handshake protocol defines how a client and server establish an SSL connection, including the negotiation of which cryptographic systems each host is willing (or unwilling) to use for communication, as well as the exchange of cryptographic material, such as public keys and session keys for encryption or authentication of transmitted data.

      The record protocol defines how communicating hosts exchange data using SSL, including specifications for how data is to be prepared for transmission and how it is to be verified or decrypted on receipt.

      As part of the initial handshake process, a server presents its digital certificate to authenticate itself to the client. Server certificates follow the X.509 certificate format defined by the Public Key Cryptography Standards. The authentication process uses public key encryption to validate the digital certificate and to confirm that a server is, in fact, the server it claims to be.

      Once the server has been authenticated, the client and server establish cipher settings and a shared key to encrypt the information they exchange during the remainder of the session. This provides data confidentiality and integrity. This whole process is invisible to the user. For example, if a webpage requires an SSL connection, the URL will change from HTTP to HTTPS, and a padlock icon will appear in the browser once the server has been authenticated.

      The handshake also allows the client to authenticate itself to the server. In this case, after server authentication is complete, the client must present its certificate to the server to authenticate the client’s identity before the encrypted SSL session can be established.

      After the IETF officially took over the SSL protocol to standardize it through an open process, version 3.1 of SSL was released as TLS 1.0 (The name was changed to avoid any legal issues with Netscape). Many attacks against SSL have focused on SSL implementation issues, but the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability is a known flaw in the SSL 3.0 protocol itself, exploiting the way in which it ignores padding bytes when running in cipher block chaining mode. This flaw allows an attacker to decrypt sensitive information, such as authentication cookies. TLS 1.0 is not vulnerable to this attack because it specifies that all padding bytes must have the same value and must be verified.

      Other key differences between SSL and TLS that make TLS a more secure and efficient protocol are message authentication, key material generation and the supported cipher suites with TLS supporting newer and more secure algorithms. TLS 1.2 is the most recent version, but publication of the next version is expected to be approved in 2017; that update is likely to be called either TLS 1.3 or TLS 2.0.

Reply To: How much SSL layers important for website security?
Your information: