Transport Layer Security (TLS)
From Whonix
TLS
Introduction
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communications over a computer network. TLS has replaced its deprecated predecessor, Secure Sockets Layer (SSL), and is intended to enforce privacy and data integrity between two or more communicating computer applications. [1] TLS is used for a host of online activities, such as web browsing, email, instant messaging and VoIP applications. It ensures the client (like a web browser) is securely communicating with a server (such as whonix.org), meaning the connection is private, authenticated and reliable. For a detailed overview of the TLS design, refer to the Wikipedia entry on Transport Layer Security.
TLS Attacks
A significant number of attacks have been demonstrated against the SSL/TLS protocol in the recent past, including: [2]
- BEAST attack: violation of same origin policy constraints.
- ChangeCipherSpec injection attack: a specially crafted handshake forces the use of weak keying material, allowing decryption and modification of traffic in transit.
- Cross protocol attacks: servers are attacked by exploiting their support of obsolete, insecure SSL protocols to leverage attacks on connections using up-to-date protocols.
- Heartbleed: private keys are stolen from servers, allowing anyone to read the memory of protected systems.
- POODLE attack: padding attacks which reveal the contents of encrypted messages.
- Protocol downgrade: web servers are tricked into negotiating connections with earlier versions of TLS that are insecure.
- RC4 attack: recovery of plaintext relying on the RC4 cipher suite.
- Renegotiation attack: plaintext injection attacks via the hijacking of the HTTPS connection.
- TLS Compression (CRIME attack): hijacking of web sessions via recovery of secret authentication cookies.
- Truncation attack: victim logout requests are blocked so the user remains logged into a web service.
- Unholy PAC attack: URLs are exposed when a user attempts to reach a TLS-enabled web link.
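Several of the attacks listed above (protocol downgrade, POODLE, RC4, CRIME) depend on legacy features that a client can simply refuse. As an added example, not part of the original Whonix page, this Python code puts a weakened client context beside a hardened one and audits both; the function names and the cipher string are choices made for this illustration.

```python
import ssl

WEAK_TOKENS = ("RC4", "DES-CBC3", "NULL", "MD5")  # OpenSSL name fragments of legacy suites

def legacy_style_context() -> ssl.SSLContext:
    """The 'before': a client context with the protections switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE          # accepts any certificate
    ctx.options &= ~ssl.OP_NO_COMPRESSION    # permits TLS-level compression
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """The 'after': refuse the legacy features the attacks above depend on."""
    ctx = ssl.create_default_context()            # CA validation and hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no fallback to SSLv3 / TLS 1.0 / 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS compression (CRIME)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!3DES:!MD5")
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("certificate or hostname verification disabled")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(tok in c["name"] for tok in WEAK_TOKENS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_style_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or "no findings")
```

Whether the legacy context also reports a low protocol floor depends on the Python and OpenSSL defaults of the host, so the audit is worth running on the actual deployment target.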
In addition, little trust should be placed in the public TLS certificate authority (CA) system, since it relies on a third party correctly establishing the authenticity of certificates. If a CA is subverted, then the security of the entire system is lost, and potentially all entities relying on the trust of the compromised CA are affected. [3]
The Snowden leaks confirmed that CAs were a weak point targeted by the intelligence community (IC), allowing for man-in-the-middle attacks if the CAs were either compromised or cooperative. Examples of CA security breaches include DigiNotar, Comodo and Turktrust.
Whonix ™ Technical Design
TLS certificates, especially for https://check.torproject.org (check.tpo), are not yet pinned in Whonix ™; this is a future goal that requires further discussion. How pinning could be technically achieved is documented under Dev/SSL Certificate Pinning. At present this is a low priority for Whonix ™, since not even the Tor Browser Bundle pins the check.tpo TLS certificate (which is a much bigger issue). [4]
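One way a client could enforce a pin on top of normal CA validation, shown as an added example that is not Whonix or Tor Project code and not the method documented under Dev/SSL Certificate Pinning. `PINNED_SHA256` is built from constructed placeholder bytes, and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder, not a real certificate. A deployment would pin the
# SHA-256 digest of the server's actual DER-encoded certificate instead.
EXAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
PINNED_SHA256 = {hashlib.sha256(EXAMPLE_DER).hexdigest()}

class PinMismatch(Exception):
    """Raised when the presented certificate matches none of the pins."""

def normalize_pin(pin: str) -> str:
    # Accept both 'ab12...' and the colon-separated 'AB:12:...' form.
    return pin.replace(":", "").strip().lower()

def pin_matches(der_cert: bytes, pins) -> bool:
    """True only if SHA-256(der_cert) equals a pin; an empty pin set fails closed."""
    fingerprint = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(fingerprint, normalize_pin(p)) for p in pins)

def connect_pinned(host: str, pins, port: int = 443, timeout: float = 10.0):
    """Open a TLS connection that must pass CA validation and the pin check."""
    ctx = ssl.create_default_context()  # the pin is added to CA checks, it does not replace them
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der_cert = tls.getpeercert(binary_form=True)
    if not der_cert or not pin_matches(der_cert, pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} matches no configured pin")
    return tls
```

Because the whole certificate is pinned, the pin set has to be updated whenever the server's certificate is renewed, so it should carry the replacement's digest before the switch.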
Footnotes
- [1] https://en.wikipedia.org/wiki/Transport_Layer_Security
- [2] https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL
- [3] https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
- [4] Whonix ™ developer Patrick Schleizer does not agree with the "low priority" assigned to this issue in TBB. See TBB: hardcode SSL cert check to prevent MITM for further information.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.