ssl sign in



ssl

ssl

This article or section does not cite its references or sources.
Please help improve this article by introducing appropriate citations. (help, get involved!)
This article has been tagged since January 2007.
"SSL" redirects here. For other uses, see SSL (disambiguation).
The five layer TCP/IP model
5. Application layer

DHCP • DNS • FTP • HTTP • IMAP4 • IRC • MIME • POP3 • SIP • SMTP • SNMP • SSH • TELNET • BGP • RPC • RTP • RTCP • TLS/SSL • SDP • SOAP • L2TP • PPTP • …
4. Transport layer

TCP • UDP • DCCP • SCTP • GTP • …
3. Network layer

IP (IPv4 • IPv6) • ARP • RARP • ICMP • IGMP • RSVP • IPSec • …
2. Data link layer

ATM • DTM • Ethernet • FDDI • Frame Relay • GPRS • PPP • …
1. Physical layer

Ethernet physical layer • ISDN • Modems • PLC • RS232 • SONET/SDH • G.709 • Wi-Fi • …
This box: view  talk  edit

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term "TLS" as used here applies to both protocols unless clarified by context.

Contents

  • 1 Description
  • 2 How it works
  • 3 Applications
  • 4 History and development
    • 4.1 Early short keys
    • 4.2 Incorrect uses
  • 5 Standards
  • 6 Implementation
  • 7 TLS 1.1
  • 8 Certificate providers
  • 9 See also
    • 9.1 Software
  • 10 References
  • 11 External links

Description

The TLS protocol(s) allow applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (be that a person, or an application such as a web browser), can be sure of whom they are "talking" to. The next level of security - both ends of the "conversation" being sure of who they are "talking" to - is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients.

TLS involves three basic phases:

  1. Peer negotiation for algorithm support
  2. Public key encryption -based key exchange and certificate-based authentication
  3. Symmetric cipher -based traffic encryption

During the first phase, the client and server negotiation uses cryptographic algorithms. Current implementations support the following choices:

  • for public-key cryptography: RSA, Diffie-Hellman, DSA or Fortezza;
  • for symmetric ciphers: RC2, RC4, IDEA, DES, Triple DES, AES or Camellia;
  • for one-way hash functions: MD2, MD4, MD5 or SHA.

How it works

The TLS protocol exchanges records; each record can be optionally compressed, encrypted and packed with a message authentication code (MAC). Each record has a content_type field that specifies which upper level protocol is being used.

When the connection starts, the record level encapsulates another protocol, the handshake protocol, which has content_type 22.

The client sends and receives several handshake structures:

  • It sends a ClientHello message specifying the list of cipher suites, compression methods and the highest protocol version it supports. It also sends random bytes which will be used later.
  • Then it receives a ServerHello, in which the server chooses the connection parameters from the choices offered by the client earlier.
  • When the connection parameters are known, the client and server exchange certificates (depending on the selected public key cipher). These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP based certificates.
  • The server can request a certificate from the client, so that the connection can be mutually authenticated.
  • The client and server negotiate a common secret called the "master secret", possibly using the result of a Diffie-Hellman exchange, or simply encrypting a secret with a public key that is decrypted with the peer's private key. All other key data is derived from this "master secret" (and the client- and server-generated random values), which is passed through a carefully designed "pseudorandom function".

TLS/SSL have a variety of security measures:

  • Numbering all the records and using the sequence number in the MACs.
  • Using a message digest enhanced with a key (so only a key-holder can check the MAC). This is specified in RFC 2104.
  • Protection against several known attacks (including man in the middle attacks), like those involving a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
  • The message that ends the handshake ("Finished") sends a hash of all the exchanged data seen by both parties.
  • The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA), then XORs them together. This provides protection if one of these algorithms is found to be vulnerable.

Applications

TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP and NNTP, and above the TCP or UDP transport protocol, which form part of the TCP/IP protocol suite. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce. SMTP is also an area in which TLS has been growing and is specified in RFC 3207. These applications use public key certificates to verify the identity of endpoints.

An increasing number of client and server products support TLS natively, but many still lack support. As an alternative, users may wish to use standalone TLS products like Stunnel. Wrappers such as Stunnel rely on being able to obtain a TLS connection immediately, by simply connecting to a separate port reserved for the purpose. For example, by default the TCP port for HTTPS is 443, to distinguish it from HTTP on port 80. However, in 1997 the Internet Engineering Task Force recommended that application protocols always start unsecured and instead offer a way to upgrade to TLS - which a pure wrapper like Stunnel cannot cope with.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPSec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote access populations. Vendors like Arkoon, Aventail, F5 Networks, Juniper, and others have been developing in this space for some time.

History and development

Developed by Netscape, SSL version 3.0 was released in 1996, which later served as the basis for TLS version 1.0, an IETF standard protocol first defined in RFC 2246 in January 1999. Visa, MasterCard, American Express and many leading financial institutions have endorsed SSL for commerce over the Internet.

SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between peers.

Early short keys

Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the export of cryptographic technology. The US government explicitly imposed a 40-bit keyspace small enough to be broken by brute-force search by law enforcement agencies wishing to read the encrypted traffic, while still presenting obstacles to less-well-funded attackers. A similar limitation applied to Lotus Notes in export versions. After several years of public controversy, a series of lawsuits, and eventual US government recognition of changes in the market availability of 'better' cryptographic products produced outside the US, the authorities relaxed some aspects of the export restrictions. The 40-bit key size limitation has mostly gone away. Modern implementations use 128-bit (or longer) keys for symmetric key ciphers.

Incorrect uses

Some websites have been criticized for incorrectly using TLS and therefore negating its security benefits [1]. Such incorrect uses include:

  • Only securing the form submission page, while failing to secure the login page [2]
  • Displaying a secure page mixed with non-secure media [3]

Both practices have been found present in many commercial websites such as those of Bank of America, Washington Mutual, JPMorgan Chase & Co. [4], and PayPal®.

Standards

The first definition of TLS appeared in RFC 2246: "The TLS Protocol Version 1.0". The current approved version is 1.1, which is specified in RFC 4346: "The Transport Layer Security (TLS) Protocol Version 1.1".

Other RFCs subsequently extended TLS, including:

  • RFC 2712: "Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)". The 40-bit ciphersuites defined in this memo appear only for the purpose of documenting the fact that those ciphersuite codes have already been assigned.
  • RFC 2817: "Upgrading to TLS Within HTTP/1.1", explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
  • RFC 2818: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
  • RFC 3207: "SMTP Service Extension for Secure SMTP over Transport Layer Security". Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
  • RFC 3268: "AES Ciphersuites for TLS". Adds Advanced Encryption Standard (AES) ciphersuites to the previously existing symmetric ciphers.
  • RFC 3546: "Transport Layer Security (TLS) Extensions", adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions.
  • RFC 4132: "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)".
  • RFC 4162: "Addition of SEED Cipher Suites to Transport Layer Security (TLS)".
  • RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", adds three sets of new ciphersuites for the TLS protocol to support authentication based on pre-shared keys.
  • RFC 4347: "Datagram Transport Layer Security" specifies a TLS variant that works over datagram protocols (such as UDP).
  • RFC 4366: "Transport Layer Security (TLS) Extensions" describes both a set of specific extensions, and a generic extension mechanism.
  • RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".

Implementation

Programmers may use the OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Delphi programmers may use the library called Indy, which has ways of connecting components to a TLS intercept using the OpenSSL libraries. This enables the development of secure Web browsers and Web servers using Delphi/Indy/OpenSSL. The protocols supported are SSLv2, SSLv3, and TLS v1.

TLS 1.1

As noted above, TLS 1.1 is the current approved version of the TLS protocol. TLS 1.1 clarifies some ambiguities and adds a number of recommendations. TLS 1.1 is very similar to TLS 1.0. A full list of differences between TLS 1.0 and TLS 1.1 is provided in RFC 4346 (Section 1.1).

TLS 1.1 is currently supported by Opera and GnuTLS.

Certificate providers

A 2005 Netcraft survey determined that VeriSign and its acquisitions such as Thawte have a 53% share of the certificate authority market, followed by GeoTrust (25%), Comodo (12%), Go Daddy (4%) and Entrust (2%).[1] (GeoTrust has since been acquired by VeriSign.)
ssl news and ssl articles

Here's our top rated ssl links for the day:

Are New SSL Certificates Locking Out Small Businesses? 

PC Magazine via Yahoo! News - Feb 08 4:20 PM
The familiar "padlock" that indicates a secure Web site is being replaced with a green bar. The worry, however, is that the security being used to lock down e-commerce -- new Extended Validation (EV) Secure Socket Layer (SSL) Certificates -- will also bar small businesses from participating.

Security Regulations Prompt Companies To Deploy SSL VPN Devices 
[Press Release] Business Wire via Yahoo! Finance - Feb 09 4:57 AM
DUBLIN, Ireland----Research and Markets has announced the addition of "World SSL VPN Products Markets" to their offering.

Array Networks Releases LAN-to-LAN SSL VPN at RSA 
IT Architect - Feb 08 1:23 PM
Promising finer-grained access control and more flexibility than conventional IPsec VPNs, Array unwraps its Site2Site SSL VPN beta.

Thank you for viewing the ssl page ssl. 

 

 Ever wondered what others are searching for in relation to ssl? Now you can see.  Below is a listing of  what everyone else is searching for in regard to ssl.

1. ssl
2. ssl sign in
3. ssl web hosting
4. ssl certificates
5. ssl certificate
6. ssl domino java
7. ssl vpn
8. ssl proxy
9. what is ssl
10. ssl web proxy
11. ssl encryption
12. ssl c100
13. how does ssl work
14. microsoft certificate authority for ssl certificate issue
15. future of ssl
16. vpn ssl
17. ssl email security
18. ssl verified hyips
19. anonymous surfing ssl
20. ssl port
21. ssl email
22. sock ssl
23. ssl connection
24. rpc over http and without ssl
25. ssl 128 bits windows mobile bank registry
26. ssl server
27. ssl v2
28. ssl j9000
29. richmond ssl certificate
30. cisco webvpn ssl internet explorer 7
31. jboss ssl
32. open ssl
33. richmond ssl
34. why should i use ssl
35. hyips websites with address and ssl
36. how secure is ssl
37. cisco web ssl remote peer
38. ssl error windows xp home edition
39. ssl mixing console
40. ssl implemetation
41. ssl sl615e mic pre
42. ssl voip vpn tunneling
43. what company developed ssl
44. web hosting pop3s imaps ssl
45. waves ssl
46. ssl secure payments
47. how ssl works
48. apache ssl
49. ssl error
50. microsoft 2003 ssl certificate for intranet and internet
51. free ssl
52. sharepoint ssl
53. ssl documents
54. ssl diagram
55. ssl definition
56. ssl ftp storage plans
57. ssl j 9000 power supply
58. ssl email windows 2003 ports certificates how to
59. ssl cert
60. ssl protocol
61. ssl certificate bridging
62. ssl duende review
63. ssl vpn definition
64. unable to establish ssl connection with directory server
65. walton antiques ssl
66. ssl 6048
67. ssl sox compliance
68. ssl root certificate cost comparison
69. ssl sign in + yahoo
70. ssl proxy servers
71. ssl apache
72. firewall-1 ftp ssl
73. free proxy server ssl support
74. install ssl certificate
75. dutchman ssl
76. compare of ssl to remote access
77. apache ssl virtualhosts
78. ssl + http + file upload
79. ipp ssl spooler
80. can we run one ssl connection for two different website
81. small business web hosting frontpage php perl cgi mysql ssl
82. jsp include ssl certificate
83. shared ssl hosting web hosting cheap hosting netho
84. spam monitor ssl
85. mavic ksyrium ssl
86. not able to open ssl pages
87. only use ssl connections with the oracle internet directory
88. exchange activesync ssl proxy
89. free ssl proxy servers
90. free encryption ssl
91. how to install ssl certificates on blackjack
92. display an image only on an ssl page
93. how to setup ssl
94. 13' ssl boston whaler
95. .net switch ssl
96. 'yahoo ssl wap'
97. activex ssl telnet emulation vb
98. certificate for ssl
99. clear ssl state
100. disavantage of ssl