Actions

Transport Layer Security (TLS)

From Whonix



TLS[edit]

Introduction[edit]

Transport Layer Security (TLS) is a cryptographic protocol that is designed to provide secure communications over a computer network. TLS has replaced the deprecated Secure Sockets Layer (SSL) predecessor and is intended to enforce privacy and data integrity between two or more communicating computer applications. [1] TLS is utilized for a host of online activities, such as web browsing, email, instant messaging and VOIP applications. It ensures the client (like a web browser) is securely communicating with a server (such as whonix.org), meaning the connection is private, authenticated and reliable. For a detailed overview of the TLS design, refer to this Wikipedia entry [archive].

TLS Attacks[edit]

A significant number of attacks have been demonstrated against the SSL/TLS protocol in the recent past, including: [2]

  • BEAST attack: violation of same origin policy constraints.
  • ChangeCipherSpec injection attack [archive]: a specially crafted handshake forces the use of weak keyring material, allowing decryption and modification of traffic in transit.
  • Cross protocol attacks: servers are attacked by exploiting their support of obsolete, insecure SSL protocols to leverage attacks on connections using up-to-date protocols.
  • Heartbleed [archive]: private keys are stolen from servers, allowing anyone to read the memory of protected systems.
  • POODLE attack [archive]: padding attacks which reveal the contents of encrypted messages.
  • Protocol downgrade [archive]: web servers are tricked into negotiating connections with earlier versions of TLS that are insecure.
  • RC4 attack [archive]: recovery of plain text relying on the RC4 cipher suite.
  • Renegotiation attack [archive]: plaintext injection attacks via the hijacking of the https connection.
  • TLS Compression (CRIME attack) [archive]: session hijacking of web sessions via recovery of secret authentication cookies.
  • Truncation attack: victim logout requests are blocked so the user remains logged into a web service.
  • Unholy PAC attack: URLs are exposed when a user attempts to reach a TLS-enabled web link.

In addition, little trust should be placed in the public TLS certificate authority (CA) system, since it relies on a third-party correctly establishing the authenticity of certificates. If/once the CA is subverted, then the security of the entire system is lost, and potentially all entities relying on the trust of the compromised CA are affected. [3]

The Snowden leaks confirmed that CAs were a weakpoint targeted by the IC, allowing for Man-in-the-middle attacks if the CAs were either compromised or cooperative. Examples of CA security breaches include DigiNotar [archive], Comodo [archive] and Turktrust [archive].

Whonix ™ Technical Design[edit]

TLS certificates, especially for https://check.torproject.org [archive] (check.tpo) are not yet pinned in Whonix ™; this is a future goal that requires further discussion. How pinning could be technically achieved is documented under Dev/SSL Certificate Pinning. At present this is a low priority for Whonix ™, since not even the Tor Browser Bundle pins the check.tpo TLS certificate (which is a much bigger issue). [4]

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/Transport_Layer_Security [archive]
  2. https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL [archive]
  3. https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise [archive]
  4. Whonix ™ developer Patrick Schleizer does not agree with "low priority" assigned to this issue in TBB. See TBB: hardcode SSL cert check to prevent MITM [archive] for further information.

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!

https [archive] | (forcing) onion [archive]

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.


Retrieved from "https://www.whonix.org/w/index.php?title=SSL&oldid=52093"