Actions

Transport Layer Security (TLS)

From Whonix

TLS[edit]

Introduction[edit]

Transport Layer Security (TLS) is a cryptographic protocol that is designed to provide secure communications over a computer network. TLS has replaced the deprecated Secure Sockets Layer (SSL) predecessor and is intended to enforce privacy and data integrity between two or more communicating computer applications. [1] TLS is utilized for a host of online activities, such as web browsing, email, instant messaging and VOIP applications. It ensures the client (like a web browser) is securely communicating with a server (such as whonix.org), meaning the connection is private, authenticated and reliable. For a detailed overview of the TLS design, refer to this Wikipedia entry.

TLS Attacks[edit]

A significant number of attacks have been demonstrated against the SSL/TLS protocol in the recent past, including: [2]

  • BEAST attack: violation of same origin policy constraints.
  • ChangeCipherSpec injection attack: a specially crafted handshake forces the use of weak keyring material, allowing decryption and modification of traffic in transit.
  • Cross protocol attacks: servers are attacked by exploiting their support of obsolete, insecure SSL protocols to leverage attacks on connections using up-to-date protocols.
  • Heartbleed: private keys are stolen from servers, allowing anyone to read the memory of protected systems.
  • POODLE attack: padding attacks which reveal the contents of encrypted messages.
  • Protocol downgrade: web servers are tricked into negotiating connections with earlier versions of TLS that are insecure.
  • RC4 attack: recovery of plain text relying on the RC4 cipher suite.
  • Renegotiation attack: plaintext injection attacks via the hijacking of the https connection.
  • TLS Compression (CRIME attack): session hijacking of web sessions via recovery of secret authentication cookies.
  • Truncation attack: victim logout requests are blocked so the user remains logged into a web service.
  • Unholy PAC attack: URLs are exposed when a user attempts to reach a TLS-enabled web link.

In addition, little trust should be placed in the public TLS certificate authority (CA) system, since it relies on a third-party correctly establishing the authenticity of certificates. If/once the CA is subverted, then the security of the entire system is lost, and potentially all entities relying on the trust of the compromised CA are affected. [3]

The Snowden leaks confirmed that CAs were a weakpoint targeted by the IC, allowing for Man-in-the-middle attacks if the CAs were either compromised or cooperative. Examples of CA security breaches include DigiNotar, Comodo and Turktrust.

Whonix ™ Technical Design[edit]

TLS certificates, especially for https://check.torproject.org (check.tpo) are not yet pinned in Whonix ™; this is a future goal that requires further discussion. How pinning could be technically achieved is documented under Dev/SSL Certificate Pinning. At present this is a low priority for Whonix ™, since not even the Tor Browser Bundle pins the check.tpo TLS certificate (which is a much bigger issue). [4]

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/Transport_Layer_Security
  2. https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL
  3. https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
  4. Whonix ™ developer Patrick Schleizer does not agree with "low priority" assigned to this issue in TBB. See TBB: hardcode SSL cert check to prevent MITM for further information.

[advertisement] Looking to Sell Your Company? Contact me.


Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.

https | (forcing) onion
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Retrieved from "http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=SSL&oldid=51584"