Having worked in the Information Security field for close to 20 years now, one of my biggest pet peeves is when Security professionals use technical terms that no longer comport with current realities. So, as a word of warning, this blog post is going to be a rant.
It is first important to understand some basic history around the progression of the protocol from SSL to TLS. As is the case with most security protocols, each new version is created to address security defects in the previous version.
SSL/TLS Implementation Timeline
- SSL first introduced in 1993-1994 by Netscape
- SSL 1.0 was never released due to serious security flaws
- SSL 2.0 released in 1995 to address the security flaws found in SSL 1.0
- SSL 3.0 released in 1996 as essentially a rewrite of the protocol to address defects found in SSL 2.0
- TLS 1.0 released in 1999 to address some "minor" issues identified in SSL 3.0
- TLS 1.1 released in 2006 to provide additional security enhancements
- TLS 1.2 released in 2008 to add SHA-256 support along with support for additional authenticated encryption ciphers
SSL/TLS Vulnerability Timeline
- 2011 - SSL 3.0 and TLS 1.0 found to be vulnerable to the BEAST attack
- 2014 - SSL 3.0 found to be vulnerable to the POODLE attack
As can be deduced from the above timelines, no one should have been using "SSL" as defined in the RFCs since 1999, and absolutely not since 2011 due to BEAST. Information Security professionals certainly should not be referring to TLS as SSL, as I've observed time and time again over the last decade.
What is the big deal, you may ask? Certainly everyone knows what you are talking about when you tell a client or a customer, "Just secure the HR website with SSL and you'll be fine." Your client or customer then does the proverbial Google search and finds that anyone securing their site with SSL is without doubt a psychotic. They then call you and ask why you would configure their highly sensitive HR website with a protocol that has been exploitable for the past 7+ years. To which you respond, "Oh no, we would never configure your site with SSL; the security best practice is to only enable TLS 1.1 or above."
You have now learned why terminology that reflects actual reality matters.
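As an added example (not from the original post), here is a Python audit that runs over constructed nginx-style access-log lines with the negotiated protocol and cipher appended, and flags any connection that still used SSL 3.0 or TLS 1.0, the versions the timelines above rule out; the log format, client addresses and paths are assumptions.

```python
import re
from collections import Counter

# Versions the post's timeline says must not be negotiated any more (the post's
# stated baseline is TLS 1.1 or above): SSL 3.0 (BEAST 2011, POODLE 2014), TLS 1.0 (BEAST 2011).
DEPRECATED = {
    "SSLv3": "SSL 3.0: vulnerable to BEAST (2011) and POODLE (2014)",
    "TLSv1": "TLS 1.0: vulnerable to BEAST (2011)",
}

# Assumed log format (constructed for this example): an nginx-style access log
# whose last two fields are the negotiated protocol and cipher, e.g.
#   ... "GET /hr/payroll HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<proto>\S+) (?P<cipher>\S+)$'
)

def audit_tls_log(lines):
    """Return (protocol counts, findings) for connections negotiated below TLS 1.1."""
    counts = Counter()
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at the protocol
        proto = m.group("proto")
        counts[proto] += 1
        if proto in DEPRECATED:
            findings.append({
                "client": m.group("ip"),
                "request": m.group("req"),
                "protocol": proto,
                "reason": DEPRECATED[proto],
            })
    return counts, findings

# Constructed sample log: one TLS 1.2, one TLS 1.0, one SSL 3.0, one TLS 1.1, one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2019:10:01:02 +0000] "GET /hr/payroll HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [12/Mar/2019:10:01:05 +0000] "GET /hr/login HTTP/1.1" 200 1024 TLSv1 AES128-SHA
198.51.100.7 - - [12/Mar/2019:10:02:17 +0000] "POST /hr/login HTTP/1.1" 302 0 SSLv3 RC4-SHA
203.0.113.12 - - [12/Mar/2019:10:03:44 +0000] "GET /hr/ HTTP/1.1" 200 2048 TLSv1.1 ECDHE-RSA-AES256-SHA
this line is not an access log entry
"""

if __name__ == "__main__":
    counts, findings = audit_tls_log(SAMPLE_LOG.splitlines())
    print(dict(counts), *findings, sep="\n")
```

Any finding means a client (or the server's own configuration) is still allowing a version the post's timeline retired, which is the thing to fix before debating what to call it.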