Actions

Transport Layer Security (TLS)

From Whonix



TLS1432.jpg

TLS[edit]

Introduction[edit]

Transport Layer Security (TLS) is a cryptographic protocol that is designed to provide secure communications over a computer network. TLS has replaced the deprecated Secure Sockets Layer (SSL) predecessor and is intended to enforce privacy and data integrity between two or more communicating computer applications. [1] TLS is utilized for a host of online activities, such as web browsing, email, instant messaging and VOIP applications. It ensures the client (like a web browser) is securely communicating with a server (such as whonix.org), meaning the connection is private, authenticated and reliable. For a detailed overview of the TLS design, refer to this Wikipedia entry [archive].

TLS Attacks[edit]

A significant number of attacks have been demonstrated against the SSL/TLS protocol in the recent past, including: [2]

  • BEAST attack: violation of same origin policy constraints.
  • ChangeCipherSpec injection attack [archive]: a specially crafted handshake forces the use of weak keyring material, allowing decryption and modification of traffic in transit.
  • Cross protocol attacks: servers are attacked by exploiting their support of obsolete, insecure SSL protocols to leverage attacks on connections using up-to-date protocols.
  • Heartbleed [archive]: private keys are stolen from servers, allowing anyone to read the memory of protected systems.
  • POODLE attack [archive]: padding attacks which reveal the contents of encrypted messages.
  • Protocol downgrade [archive]: web servers are tricked into negotiating connections with earlier versions of TLS that are insecure.
  • RC4 attack [archive]: recovery of plain text relying on the RC4 cipher suite.
  • Renegotiation attack [archive]: plaintext injection attacks via the hijacking of the https connection.
  • TLS Compression (CRIME attack) [archive]: session hijacking of web sessions via recovery of secret authentication cookies.
  • Truncation attack: victim logout requests are blocked so the user remains logged into a web service.
  • Unholy PAC attack: URLs are exposed when a user attempts to reach a TLS-enabled web link.

In addition, little trust should be placed in the public TLS certificate authority (CA) system, since it relies on a third-party correctly establishing the authenticity of certificates. If/once the CA is subverted, then the security of the entire system is lost, and potentially all entities relying on the trust of the compromised CA are affected. [3]

The Snowden leaks confirmed that CAs were a weakpoint targeted by the IC, allowing for Man-in-the-middle attacks if the CAs were either compromised or cooperative. Examples of CA security breaches include DigiNotar [archive], Comodo [archive] and Turktrust [archive].

Whonix ™ Technical Design[edit]

TLS certificates, especially for https://check.torproject.org [archive] (check.tpo) are not yet pinned in Whonix ™; this is a future goal that requires further discussion. How pinning could be technically achieved is documented under Dev/SSL Certificate Pinning. At present this is a low priority for Whonix ™, since

  • not even the Tor Browser Bundle pins the check.tpo TLS certificate (which is a much bigger issue). [4]
  • only used when whonixcheck is used with command line parameter --leak-tests which does not happen by default.

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/Transport_Layer_Security [archive]
  2. https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL [archive]
  3. https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise [archive]
  4. Whonix ™ developer Patrick Schleizer does not agree with "low priority" assigned to this issue in TBB. See TBB: hardcode SSL cert check to prevent MITM [archive] for further information.

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

Retrieved from "https://www.whonix.org/w/index.php?title=SSL&oldid=64103"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information