Transport Layer Security

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.[1] Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers.

The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications.[1]:3 When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:

In addition to the properties above, careful configuration of TLS can provide additional privacy-related properties such as forward secrecy, ensuring that any future disclosure of encryption keys cannot be used to decrypt any TLS communications recorded in the past.[2]

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity (see Algorithm below). As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see authentication and key exchange table, cipher security table, and data integrity table).

Attempts have been made to subvert aspects of the communications security that TLS seeks to provide and the protocol has been revised several times to address these security threats (see Security). Developers of web browsers have also revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers.)

The TLS protocol comprises two layers: the TLS record protocol and the TLS handshake protocol.

TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999 and updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It builds on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications[3] for adding the HTTPS protocol to their Navigator web browser.

Description

Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering.

Since protocols can operate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. There are two main ways of achieving this. One option is to use a different port number for TLS connections (for example, port 443 for HTTPS). The other is for the client to use a protocol-specific mechanism (for example, STARTTLS for mail and news protocols) to request that the server switch the connection to TLS.

Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure.[4] During this handshake, the client and server agree on various parameters used to establish the connection's security:

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fail, the TLS handshake fails, and the connection is not created.

TLS and SSL are defined as 'operating over some reliable transport layer', which places them as application layer protocols in the TCP/IP reference model and as presentation layer protocols in the OSI model. The protocols use a handshake with an asymmetric cipher to establish cipher settings and a shared key for a session; the rest of the communication is encrypted using a symmetric cipher and the session key.

History and development

Defined
Protocol Year
SSL 1.0 n/a
SSL 2.0 1995
SSL 3.0 1996
TLS 1.0 1999
TLS 1.1 2006
TLS 1.2 2008
TLS 1.3 TBD

Secure Network Programming

Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting preexisting network applications with security measures.[5]

SSL 1.0, 2.0 and 3.0

Netscape developed the original SSL protocols.[6] Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0".[7] Released in 1996, SSL version 3.0 represented a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Consensus Development. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.

Dr. Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, is recognized as the "father of SSL".[8][9]

As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[10]

SSL 2.0 was deprecated (prohibited) in 2011 by RFC 6176.

SSL 3.0 was deprecated in June 2015 by RFC 7568.

TLS 1.0

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.[11]:1–2

TLS 1.1

TLS 1.1 was defined in RFC 4346 in April 2006.[12] It is an update from TLS version 1.0. Significant differences in this version include:

TLS 1.2

TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences include:

All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

TLS 1.3 (draft)

As of July 2016, TLS 1.3 is a working draft, and details are provisional and incomplete.[14][15] It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:

Digital certificates

A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key.

Certificate authorities

Main article: Certificate authority

TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,[16] and can be modified by the relying party.

According to Netcraft, who monitors active TLS certificates, the market-leading CA has been Symantec since the beginning of their survey (or VeriSign before the authentication services business unit was purchased by Symantec). Symantec currently accounts for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.[17]

As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM).[18][19]

Algorithm

See also: Cipher suite

Key exchange or key agreement

Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see Cipher). Among the methods used for key exchange/agreement are: public and private keys generated with RSA (denoted TLS_RSA in the TLS handshake protocol), Diffie-Hellman (TLS_DH), ephemeral Diffie-Hellman (TLS_DHE), Elliptic Curve Diffie-Hellman (TLS_ECDH), ephemeral Elliptic Curve Diffie-Hellman (TLS_ECDHE), anonymous Diffie-Hellman (TLS_DH_anon),[1] pre-shared key (TLS_PSK)[20] and Secure Remote Password (TLS_SRP).[21]

The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable to Man-in-the-middle attack. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, Google announced that it would no longer use 1024 bit public keys and would switch instead to 2048 bit keys to increase the security of the TLS encryption it provides to its users.[22]

Key exchange/agreement and authentication
Algorithm SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
(Draft)
Status
RSA Yes Yes Yes Yes Yes No Defined for TLS 1.2 in RFCs
DH-RSA No Yes Yes Yes Yes No
DHE-RSA (forward secrecy) No Yes Yes Yes Yes Yes
ECDH-RSA No No Yes Yes Yes No
ECDHE-RSA (forward secrecy) No No Yes Yes Yes Yes
DH-DSS No Yes Yes Yes Yes No
DHE-DSS (forward secrecy) No Yes Yes Yes Yes No[23]
ECDH-ECDSA No No Yes Yes Yes No
ECDHE-ECDSA (forward secrecy) No No Yes Yes Yes Yes
PSK No No Yes Yes Yes
PSK-RSA No No Yes Yes Yes
DHE-PSK (forward secrecy) No No Yes Yes Yes
ECDHE-PSK (forward secrecy) No No Yes Yes Yes
SRP No No Yes Yes Yes
SRP-DSS No No Yes Yes Yes
SRP-RSA No No Yes Yes Yes
Kerberos No No Yes Yes Yes
DH-ANON (insecure) No Yes Yes Yes Yes
ECDH-ANON (insecure) No No Yes Yes Yes
GOST R 34.10-94 / 34.10-2001[24] No No Yes Yes Yes Proposed in RFC drafts

Cipher

Cipher security against publicly known feasible attacks
Cipher Protocol version Status
Type Algorithm Nominal strength (bits) SSL 2.0 SSL 3.0
[n 1][n 2][n 3][n 4]
TLS 1.0
[n 1][n 3]
TLS 1.1
[n 1]
TLS 1.2
[n 1]
TLS 1.3
(Draft)
Block cipher
with
mode of operation
AES GCM[25][n 5] 256, 128 N/A N/A N/A N/A Secure Secure Defined for TLS 1.2 in RFCs
AES CCM[26][n 5] N/A N/A N/A N/A Secure Secure
AES CBC[n 6] N/A N/A Depends on mitigations Secure Secure N/A
Camellia GCM[27][n 5] 256, 128 N/A N/A N/A N/A Secure Secure
Camellia CBC[28][n 6] N/A N/A Depends on mitigations Secure Secure N/A
ARIA GCM[29][n 5] 256, 128 N/A N/A N/A N/A Secure Secure
ARIA CBC[29][n 6] N/A N/A Depends on mitigations Secure Secure N/A
SEED CBC[30][n 6] 128 N/A N/A Depends on mitigations Secure Secure N/A
3DES EDE CBC[n 6] 112[n 7] Insecure Insecure Insecure Insecure Insecure N/A
GOST 28147-89 CNT[24] 256 N/A N/A Secure Secure Secure Defined in RFC 4357
IDEA CBC[n 6][n 8] 128 Insecure Insecure Insecure Insecure N/A N/A Removed from TLS 1.2
DES CBC[n 6][n 8] 56 Insecure Insecure Insecure Insecure N/A N/A
40[n 9] Insecure Insecure Insecure N/A N/A N/A Forbidden in TLS 1.1 and later
RC2 CBC[n 6] 40[n 9] Insecure Insecure Insecure N/A N/A N/A
Stream cipher ChaCha20-Poly1305[34][n 5] 256 N/A N/A N/A N/A Secure Secure Defined for TLS 1.2 in RFCs
RC4[n 10] 128 Insecure Insecure Insecure Insecure Insecure N/A Prohibited in all versions of TLS by RFC 7465
40[n 9] Insecure Insecure Insecure N/A N/A N/A
None Null[n 11] - N/A Insecure Insecure Insecure Insecure Insecure Defined for TLS 1.2 in RFCs
Notes
  1. 1 2 3 4 RFC 5746 must be implemented to fix a renegotiation flaw that would otherwise break this protocol.
  2. If libraries implement fixes listed in RFC 5746, this violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Fortunately, most current libraries implement the fix and disregard the violation that this causes.
  3. 1 2 the BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client and/or the server. See #Web browsers.
  4. The POODLE attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client and/or the server. See #Web browsers.
  5. 1 2 3 4 5 AEAD ciphers (such as GCM and CCM) can be used in only TLS 1.2.
  6. 1 2 3 4 5 6 7 8 CBC ciphers can be attacked with the Lucky Thirteen attack if the library is not written carefully to eliminate timing side channels.
  7. Although the key length of 3DES is 168 bits, effective security strength of 3DES is only 112 bits,[31] which is below the recommended minimum of 128 bits.[32]
  8. 1 2 IDEA and DES have been removed from TLS 1.2.[33]
  9. 1 2 3 40 bits strength of cipher suites were designed to operate at reduced key lengths to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  10. Use of RC4 in all versions of TLS is prohibited by RFC 7465. (Due RC4 attacks weaken or break RC4 used in SSL/TLS)
  11. authentication only, no encryption

Data integrity

Message authentication code (MAC) is used for data integrity. HMAC is used for CBC mode of block ciphers and stream ciphers. AEAD is used for Authenticated encryption such as GCM mode and CCM mode.

Data integrity
Algorithm SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
(Draft)
Status
HMAC-MD5 Yes Yes Yes Yes Yes Defined for TLS 1.2 in RFCs
HMAC-SHA1 No Yes Yes Yes Yes
HMAC-SHA256/384 No No No No Yes
AEAD No No No No Yes
GOST 28147-89 IMIT[24] No No Yes Yes Yes Proposed in RFC drafts
GOST R 34.11-94[24] No No Yes Yes Yes

Applications and adoption

In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as HTTP, FTP, SMTP, NNTP and XMPP.

Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

Websites

A prominent use of TLS is for securing World Wide Web traffic between a website and a web browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the HTTPS protocol.[35]

Website protocol support
Protocol
version
Website
support[36]
Security[36][37]
SSL 2.0 6.7% (-0.2%) Insecure
SSL 3.0 20.7% (±0.0%) Insecure[38]
TLS 1.0 96.1% (-0.1%) Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.1 78.3% (+0.7%) Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.2 80.7% (+0.7%) Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.3
(Draft)
N/A
Notes

Web browsers

Further information: Comparison of web browsers

As of April 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the latest version of IE. Additionally many operating systems currently support multiple versions of IE, but this will change according to Microsoft's Internet Explorer Support Lifecycle Policy FAQ, "beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates." The page then goes on to list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end of life stage, which is in Microsoft's Windows lifecycle fact sheet.

There are still problems on several browser versions:

Mitigations against known attacks are not enough yet:

TLS/SSL support history of web browsers
Browser Version Platforms SSL protocols TLS protocols Certificate Support Vulnerabilities fixed[n 1] Protocol selection by user
[n 2]
SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 (proposed) EV
[n 3][39]
SHA-2
[40]
ECDSA
[41]
BEAST[n 4] CRIME[n 5] POODLE (SSLv3)[n 6] RC4[n 7] FREAK[42][43] Logjam
Google Chrome
(Chrome for Android)
[n 8]
[n 9]
1–9 Windows (7+)
OS X (10.9+)
Linux
Android (4.1+)
iOS (9.0+)
Chrome OS
Disabled by default Enabled by default Yes No No No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected
[48]
Vulnerable
(HTTPS)
Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Yes[n 10]
10–20 No[49] Enabled by default Yes No No No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Vulnerable
(HTTPS/SPDY)
Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Yes[n 10]
21 No Enabled by default Yes No No No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated
[50]
Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Yes[n 10]
22–25 No Enabled by default Yes Yes[51] No[51][52][53][54] No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
26–29 No Enabled by default Yes Yes No No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
30–32 No Enabled by default Yes Yes Yes[52][53][54] No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
33–37 No Enabled by default Yes Yes Yes No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Partly mitigated
[n 12]
Lowest priority
[57][58][59]
Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
38, 39 No Enabled by default Yes Yes Yes No Yes
(only desktop)
Yes needs ECC compatible OS[41] Not affected Mitigated Partly mitigated Lowest priority Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
40 No Disabled by default
[56][60]
Yes Yes Yes No Yes
(only desktop)
Yes needs ECC compatible OS[41] Not affected Mitigated Mitigated
[n 13]
24, 25.0.0
ESR 24.0–24.1.0
No Enabled by default Yes Disabled by default Disabled by default
[76]
No Yes Yes Yes Not affected Mitigated Vulnerable Vulnerable Not affected Vulnerable Yes[n 18]
25.0.1, 26
ESR 24.1.1
No Enabled by default Yes Disabled by default Disabled by default No Yes Yes Yes Not affected Mitigated Vulnerable Lowest priority
[73][74]
Not affected Vulnerable Yes[n 18]
27–33
ESR 31.0–31.2
No Enabled by default Yes Yes[77][78] Yes[79][78] No Yes Yes Yes Not affected Mitigated Vulnerable Lowest priority Not affected Vulnerable Yes[n 18]
34, 35
ESR 31.3–31.7
No Disabled by default
[80][81]
Yes Yes Yes No Yes Yes Yes Not affected Mitigated Mitigated
[n 19]
Lowest priority Not affected Vulnerable Yes[n 18]
ESR 31.8 No Disabled by default Yes Yes Yes No Yes Yes Yes Not affected Mitigated Mitigated Lowest priority Not affected Mitigated[84] Yes[n 18]
36–38
ESR 38.0
No Disabled by default Yes Yes Yes No Yes Yes Yes Not affected Mitigated Mitigated Only as fallback
[n 15][85]
Not affected Vulnerable Yes[n 18]
ESR 38.1–38.8 No Disabled by default Yes Yes Yes No Yes Yes Yes Not affected Mitigated Mitigated Only as fallback
[n 15]
Not affected Mitigated[84] Yes[n 18]
39–43 No No[86] Yes Yes Yes No Yes Yes Yes Not affected Mitigated Not affected Only as fallback
[n 15]
Not affected Mitigated[84] Yes[n 18]
44–48
ESR 45.0–45.4
ESR 45.5 No No Yes Yes Yes No Yes Yes Yes Not affected Mitigated Not affected Disabled by default[n 16][87][88][89][90] Not affected Mitigated Yes[n 18]
49 50 No No Yes Yes Yes Disabled by default[91] Yes Yes Yes Not affected Mitigated Not affected Disabled by default[n 16] Not affected Mitigated Yes[n 18]
52 No No Yes Yes Yes Yes[92] Yes Yes Yes Not affected Mitigated Not affected Disabled by default[n 16] Not affected Mitigated Yes[n 18]
Browser Version Platforms SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 (proposed) EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam Protocol selection by user
Microsoft Internet Explorer
[n 20]
1.x Windows 3.1, 95, NT[n 21],[n 22]
Mac OS 7, 8
No SSL/TLS support
2 Yes No No No No No No No No No SSL 3.0 or TLS support Vulnerable Vulnerable Vulnerable N/A
3 Yes Yes[95] No No No No No No No Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable Unknown
4, 5 Windows 3.1, 95, 98, NT[n 21],[n 22]
Mac OS 7.1, 8, X,
Solaris,HP-UX
Enabled by default Enabled by default Disabled by default
[95]
No No No No No No Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
6 Windows 98, ME, NT[n 21], 2000[n 22] Enabled by default Enabled by default Disabled by default
[95]
No No No No No No Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
6 Windows XP[n 22] Enabled by default Enabled by default Disabled by default No No No No Yes
[n 23][96]
No Mitigated Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
6 Server 2003[n 22] Enabled by default Enabled by default Disabled by default No No No No Yes
[n 23][96]
No Mitigated Not affected Vulnerable Vulnerable Mitigated
[99]
Mitigated
[100]
Yes[n 10]
7, 8 Windows XP[n 22] Disabled by default
[101]
Enabled by default Yes[101] No No No Yes Yes
[n 23][96]
No Mitigated Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
7, 8 Server 2003[n 22] Disabled by default
[101]
Enabled by default Yes[101] No No No Yes Yes
[n 23][96]
No Mitigated Not affected Vulnerable Vulnerable Mitigated
[99]
Mitigated
[100]
Yes[n 10]
7, 8[n 24] 9 Windows Vista Disabled by default Enabled by default Yes No No No Yes Yes Yes[41] Mitigated Not affected Vulnerable Vulnerable Mitigated
[99]
Mitigated
[100]
Yes[n 10]
7, 8[n 24] 9 Server 2008 Disabled by default Enabled by default Yes No No No Yes Yes Yes[41] Mitigated Not affected Vulnerable Vulnerable Mitigated
[99]
Mitigated
[100]
Yes[n 10]
8, 9, 10[n 24] Windows 7 Disabled by default Enabled by default Yes Disabled by default
[103]
Disabled by default
[103]
No Yes Yes Yes Mitigated Not affected Vulnerable Lowest priority
[104][n 25]
Mitigated
[99]
Mitigated
[100]
Yes[n 10]
Server 2008 R2
10[n 24] Windows 8 Disabled by default Enabled by default Yes Disabled by default
[103]
Disabled by default
[103]
No Yes Yes Yes Mitigated Not affected Vulnerable Lowest priority
[104][n 25]
Mitigated
[99]
Mitigated
[100]
Yes[n 10]
10 Server 2012 Disabled by default Enabled by default Yes Disabled by default
[103]
Disabled by default
[103]
No Yes Yes Yes Mitigated Not affected Vulnerable Lowest priority
[104][n 25]
Mitigated
[99]
Mitigated
[100]
Yes[n 10]
11 Windows 7 Disabled by default Disabled by default
[n 26]
Yes Yes[106] Yes[106] No Yes Yes Yes Mitigated Not affected Mitigated
[n 26]
Disabled by default[110] Mitigated
[99]
Mitigated
[100]
Yes[n 10]
Server 2008 R2
11 Windows 8.1 Disabled by default Disabled by default
[n 26]
Yes Yes[106] Yes[106] No Yes Yes Yes Mitigated Not affected Mitigated
[n 26]
Disabled by default[n 16] Mitigated
[99]
Mitigated
[100]
Yes[n 10]
Server 2012 R2
Microsoft Edge[n 27]
and (as fallback)
Internet Explorer[n 20]
IE 11 Edge 12 Windows 10 v1507 Disabled by default Disabled by default Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
Windows 10 LTSB 2015[n 28]
IE 11 Edge 13 Windows 10 v1511 Disabled by default Disabled by default Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Edge 14 Windows 10 v1607 Disabled by default Disabled by default Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
Windows 10 LSTB 2016
IE 11 Server 2016 Disabled by default Disabled by default Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
Microsoft Internet Explorer Mobile
[n 20]
7, 9 Windows Phone 7, 7.5, 7.8 Disabled by default
[101]
Enabled by default Yes No
No
No No
Yes Yes[67] Unknown Not affected Vulnerable Vulnerable Vulnerable Vulnerable Only with 3rd party tools[n 29]
10 Windows Phone 8 Disabled by default Enabled by default Yes Disabled by default
[113]
Disabled by default
[113]
No No
Yes Yes[114] Mitigated Not affected Vulnerable Vulnerable Vulnerable Vulnerable Only with 3rd party tools[n 29]
11 Windows Phone 8.1 Disabled by default Enabled by default Yes Yes[115] Yes[115] No No
Yes Yes Mitigated Not affected Vulnerable Only as fallback
[n 15][116][117]
Vulnerable Vulnerable Only with 3rd party tools[n 29]
Microsoft Edge
[n 27]
Edge 13 Windows 10 Mobile v1511 Disabled by default Disabled by default Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Unknown
Edge 14 Windows 10 Mobile v1607 Disabled by default Disabled by default Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Unknown
Browser Version Platforms SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 (proposed) EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam Protocol selection by user
Opera Browser
(Opera Mobile)
(Pre-Presto and Presto)
[n 30]
1-2 Windows
OS X
Linux
Android
Symbian S60
Maemo
Windows Mobile
No SSL/TLS support[119]
3 Yes[120] No No No No No No No No No SSL 3.0 or TLS support Vulnerable Unknown Unknown N/A
4 Yes Yes[121] No No No No No No No Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Unknown
5 Enabled by default Enabled by default Yes[122] No No No No No No Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
6-7 Enabled by default Enabled by default Yes[122] No No No No Yes[40] No Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
8 Enabled by default Enabled by default Yes Disabled by default
[123]
No No No Yes No Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
9 Disabled by default
[124]
Enabled by default Yes Yes No No since v9.5
(only desktop)
Yes No Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
10–11.52 No[125] Enabled by default Yes Disabled by default Disabled by default
[125]
No Yes
(only desktop)
Yes No Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
11.60–11.64 No Enabled by default Yes Disabled by default Disabled by default No Yes
(only desktop)
Yes No Mitigated
[126]
Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
12–12.14 No Disabled by default
[n 31]
Yes Disabled by default Disabled by default No Yes
(only desktop)
Yes No Mitigated Not affected Mitigated
[n 31]
Vulnerable Unknown Mitigated[128] Yes[n 10]
12.15–12.17 No Disabled by default Yes Disabled by default Disabled by default No Yes
(only desktop)
Yes No Mitigated Not affected Mitigated Partly mitigated
[129][130]
Unknown Mitigated[128] Yes[n 10]
12.18 No Disabled by default Yes Yes[131] Yes[131] No Yes
(only desktop)
Yes Yes[131] Mitigated Not affected Mitigated Disabled by default[n 16][131] Mitigated[131] Mitigated[128] Yes[n 10]
Opera Browser
(Opera Mobile)
(Webkit and Blink)
[n 32]
14–16 Windows (7+)
OS X (10.9+)
Linux
Android (4.0+)
No Enabled by default Yes Yes[134] No[134] No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
17–19 No Enabled by default Yes Yes[135] Yes[135] No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
20–24 No Enabled by default Yes Yes Yes No Yes
(only desktop)
needs SHA-2 compatible OS[40] needs ECC compatible OS[41] Not affected Mitigated Partly mitigated
[n 33]
Lowest priority
[136]
Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
25, 26 No Enabled by default
[n 34]
1 Mac OS X 10.2, 10.3 No[138] Yes Yes No No No No No No Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
2–5 Mac OS X 10.4, 10.5, Win XP No Yes Yes No No No since v3.2 No No Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
3–5 Vista,Win 7 No Yes Yes No No No since v3.2 No Yes[67] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
4–6 Mac OS X 10.6, 10.7 No Yes Yes No No No Yes Yes[40] Yes[41] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
6 OS X 10.8 No Yes Yes No No No Yes Yes Yes[41] Mitigated
[n 39]
Not affected Mitigated
[n 40]
Vulnerable
[n 40]
Mitigated
[144]
Vulnerable No
7, 9 OS X 10.9 No Yes Yes Yes[145] Yes[145] No Yes Yes Yes Mitigated
[140]
Not affected Mitigated
[n 40]
Vulnerable
[n 40]
Mitigated
[144]
Vulnerable No
8, 9 10 OS X 10.10 No Yes Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated
[n 40]
Lowest priority
[146][n 40]
Mitigated
[144]
Mitigated
[147]
No
9 10 OS X 10.11 No No Yes Yes Yes No Yes Yes Yes Mitigated Not affected Not affected Lowest priority Mitigated Mitigated No
10 macOS 10.12 No No Yes Yes Yes No Yes Yes Yes Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated No
Apple Safari
(mobile)
[n 41]
3 iPhone OS 1, 2 No[151] Yes Yes No No No No No Unknown Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
4, 5 iPhone OS 3, iOS 4 No Yes Yes No No No Yes[152] Yes since iOS 4[67] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
5, 6 iOS 5, 6 No Yes Yes Yes[148] Yes[148] No Yes Yes Yes Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
7 iOS 7 No Yes Yes Yes Yes No Yes Yes Yes[153] Mitigated
[154]
Not affected Vulnerable Vulnerable Vulnerable Vulnerable No
8 iOS 8 No Yes Yes Yes Yes No Yes Yes Yes Mitigated Not affected Mitigated
[n 40]
Lowest priority
[155][n 40]
Mitigated
[156]
Mitigated
[157]
No
9 iOS 9 No No Yes Yes Yes No Yes Yes Yes Mitigated Not affected Not affected Lowest priority Mitigated Mitigated No
10 iOS 10 No No Yes Yes Yes No Yes Yes Yes Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated No
Browser Version Platforms SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 (proposed) EV
[n 3]
SHA-2 ECDSA BEAST[n 4] CRIME[n 5] POODLE (SSLv3)[n 6] RC4[n 7] FREAK[42][43] Logjam Protocol selection by user
SSL protocols TLS protocols Certificate Support Vulnerabilities fixed
Color or Note Significance
Browser version Platform
Browser version Operating system Future release; under development
Browser version Operating system Current latest release
Browser version Operating system Former release; still supported
Browser version Operating system Former release; long-term support still active, but will end in less than 12 months
Browser version Operating system Former release; no longer supported
n/a Operating system Mixed / Unspecified
Operating system (Version+) Minimum required operating system version (for the current latest version of the browser)
Operating system No longer supported for this operating system
Notes
  1. Does the browser have mitigations or is not vulnerable for the known attacks. Note actual security depends on other factors such as negotiated cipher, encryption strength etc (see #Cipher table).
  2. Whether a user or administrator can choose the protocols to be used or not. If yes, several attacks such as BEAST (vulnerable in SSL 3.0 and TLS 1.0) or POODLE (vulnerable in SSL 3.0) can be avoided.
  3. 1 2 Whether EV SSL and DV SSL (normal SSL) can be distinguished by indicators (green lock icon, green address bar, etc.) or not.
  4. 1 2 e.g. 1/n-1 record splitting.
  5. 1 2 e.g. Disabling header compression in HTTPS/SPDY.
  6. 1 2
    • Complete mitigations; disabling SSL 3.0 itself, "anti-POODLE record splitting". "Anti-POODLE record splitting" is effective only with client-side implementation and valid according to the SSL 3.0 specification, however, it may also cause compatibility issues due to problems in server-side implementations.
    • Partial mitigations; disabling fallback to SSL 3.0, TLS_FALLBACK_SCSV, disabling cipher suites with CBC mode of operation. If the server also supports TLS_FALLBACK_SCSV, the POODLE attack will fail against this combination of server and browser, but connections where the server does not support TLS_FALLBACK_SCSV and does support SSL 3.0 will still be vulnerable. If disabling cipher suites with CBC mode of operation in SSL 3.0, only cipher suites with RC4 are available, RC4 attacks become easier.
    • When disabling SSL 3.0 manually, POODLE attack will fail.
  7. 1 2
    • Complete mitigation; disabling cipher suites with RC4.
    • Partial mitigations to keeping compatibility with old systems; setting the priority of RC4 to lower.
  8. Google Chrome (and Chromium) supports TLS 1.0, and TLS 1.1 from version 22 (it was added, then dropped from version 21). TLS 1.2 support has been added, then dropped from Chrome 29.[44][45][46]
  9. Uses the TLS implementation provided by BoringSSL for Android, OS X, and Windows[47] or by NSS for Linux. Google is switching the TLS library used in Chrome to BoringSSL from NSS completely.
  10. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 configure enabling/disabling of each protocols via setting/option (menu name is dependent on browsers)
  11. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 configure the maximum and the minimum version of enabling protocols with command-line option
  12. TLS_FALLBACK_SCSV is implemented.[55] Fallback to SSL 3.0 is disabled since version 39.[56]
  13. In addition to TLS_FALLBACK_SCSV and disabling a fallback to SSL 3.0, SSL 3.0 itself is disabled by default.[56]</ref> p="n" name="rfc5746">RFC 5746 must be implemented to fix a renegotiation flaw that would oLowest priority his protocol.</ref><ref group="n" name="renegotiation">If libraries implement fixes Vulnerable
    (except Windows) pecification, which the IETF cannot change unlike TLS. Fortunately, most current libVulnerable ement the fix and disregard the violation that this causes.</ref><ref group="n" name=Yes[n 14]
  14. 1 2 3 configure the minimum version of enabling protocols via chrome://flags[60] (the maximum version can be configured with command-line option)</ref> "P ODLEciphertable">The [[#POODLE|POODLE]] atta 41, 42 s all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client and/No the server. See [[#Web browsers]].</ref> ! TLS 1.0<br /><ref group="n" name="rfc5746"Disabled by default e="BEAST"/> ! TLS 1.1<br /><ref group="n" name="rfc5746"/> ! TLS 1.2<br /><ref group=Yes name="rfc5746"/> ! TLS 1.3<br /><small>(Draft)</small> |- ! rowspan="14"|[[Block ciphYes <br/>with<br/>[[Block cipher mode of operation|mode of operation]] ![[Advanced EncrypYes Standard|AES]] [[Galois/Counter Mode|GCM]]<ref name=aes-gcm>RFC 5288, RFC 5289</refNo ef group="n" name="aead">[[AEAD block cipher modes of operation|AEAD]] ciphers (such Yes
    (only desktop) CM mode|CCM]]) can be used in only TLS 1.2.</ref> | rowspan="3"| 256, 128 | {{N/a}} |Yes N/a}} || {{N/a}} || {{N/a}} || {{Good|Secure}} || {{Good|Secure}} || rowspan="9"| Defined needs ECC compatible OS[41] ES]] [[CCM mode|CCM]]<ref name=aes-ccm>RFC 6655, RFC 7251</ref><ref group="n" name="aNot affected a}} || {{N/a}} || {{N/a}} || {{N/a}} || {{Good|Secure}} || {{Good|Secure}} |- ![[AdvaMitigated ption Standard|AES]] [[Cipher block chaining|CBC]]<ref group="n" name="Lucky13"/> | {Mitigated {{N/a}} || {{Depends|Depends on mitigations}} || {{Good|Secure}} || {{Good|Secure}} || {{NLowest priority lia (cipher)|Camellia]] [[Galois/Counter Mode|GCM]]<ref name=camellia-gcm>RFC 6367</rMitigated oup="n" name="aead"/> | rowspan="2"| 256, 128 | {{N/a}} || {{N/a}} || {{N/a}} || {{NVulnerable ood|Secure}} || {{Good|Secure}} |- ![[Camellia (cipher)|Camellia]] [[Cipher block chaYes[n 14] 93 , RFC 6367</ref><ref group="n" name="Lucky 43 > | {{N/a}} || {{N/a}} || {{Depends|Depends on mitigations}} || {{Good|Secure}} || {{No d|Secure}} || {{N/a}} |- ![[ARIA (cipher)|ARIA]] [[Galois/Counter Mode|GCM]]<ref nameDisabled by default " name="aead"/> | rowspan="2"| 256, 128 | {{N/a}} || {{N/a}} || {{N/a}} || {{N/a}} ||Yes ood|Secure}} || {{Good|Secure}} |- ![[ARIA (cipher)|ARIA]] [[Cipher block chaining|CBYes ref name=aria>RFC 6209</ref><ref group="n" name="Lucky13"/> | {{N/a}} || {{N/a}} || {Yes ends|Depends on mitigations}} || {{Good|Secure}} || {{Good|Secure}} || {{N/a}} |- ![No ED (cipher)|SEED]] [[Cipher block chaining|CBC]]<ref name="seed-cbc">RFC 4162</ref><rYes
    (only desktop) {{N/a}} || {{N/a}} || {{Depends|Depends on mitigations}} || {{Good|Secure}} || {{GoodYes ure}} || {{N/a}} |- ! [[Triple DES|3DES EDE]] [[Cipher block chaining|CBC]]<ref group="n" needs ECC compatible OS[41] cky Thirteen attack]] if the library is not written carefully to eliminate timing sidNot affected ref> | 112{{refn|group="n"|name="3des"|Although the key length of 3DES is 168 bits, eMitigated ecurity strength of 3DES is only 112 bits,<ref name=NIST_SP_800-57>{{cite web|url=httMitigated ist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf |title=NIST SpOnly as fallback
    [n 15][61] ublications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf |archivedate=June Mitigated </ref> which is below the recommended minimum of 128 bits.<ref name="best-practices"Vulnerable |url=https://www.ssllabs.com/projects/best-practices/index.html|title=SSL/TLS DeploymYes[n 14] bs ccessdate=2 June 2015}}</ref>}} | {{Bad|In 44–47 } || {{Bad|Insecure}} || {{Bad|Insecure}} || {{Bad|Insecure}} || {{Bad|Insecure}} || No N/a}} |- ![[GOST 28147-89]] [[Block cipher mode of operation#Counter (CTR)|CNT]]<ref No[62] oup="n"|name="removal_from_tls1.2"|IDEA and DES have been removed from TLS 1.2.<ref>RYes 469</ref>}} | 128 | {{Bad|Insecure}} || {{Bad|Insecure}} || {{Bad|Insecure}} || {{BadYes ecure}} || {{N/a}} || {{N/a}} || rowspan="2"| Removed from TLS 1.2 |- !rowspan="2"| [Yes a Encryption Standard|DES]] [[Cipher block chaining|CBC]]<ref group="n" name="Lucky1No ><ref group="n" name="removal_from_tls1.2"/> | {{0}}56 | {{Bad|Insecure}} || {{Bad|InYes
    (only desktop) Insecure}} || {{N/a}} || {{N/a}} |- | {{0}}40<ref group="n" name="EXPORT">40 bits strYes h of cipher suites were designed to operate at reduced key lengths to comply with US regulneeds ECC compatible OS[41] ning certain strong encryption algorithms (see [[Export of cryptography from the UnitNot affected These weak suites are forbidden in TLS 1.1 and later.</ref> | {{Bad|Insecure}} || {{Mitigated re}} || {{Bad|Insecure}} || {{N/a}} || {{N/a}} || {{N/a}} || rowspan="2"| Forbidden iNot affected later |- ![[RC2]] [[Cipher block chaining|CBC]]<ref group="n" name="Lucky13"/> | {{0}}40<Only as fallback
    [n 15] |Insecure}} || {{Bad|Insecure}} || {{N/a}} || {{N/a}} || {{N/a}} |- ! rowspan="3"|[[SMitigated er]] ![[ChaCha20]]-[[Poly1305]]<ref name="chacha20poly1305">RFC 7905</ref><ref group=Mitigated[63] is prohibited by RFC 7465. (Due [[#RC4 attacks|RC4 attacks]] weaken or break RC4 used in Temporary
    [n 11] cu e}} || {{Bad|Insecure}} || {{Bad|Insecure} 48, 49 ad|Insecure}} || {{N/a}} || rowspan="2"| Prohibited in all versions of TLS by RFC 746No - | {{0}}40<ref group="n" name="EXPORT"/> | {{Bad|Insecure}} || {{Bad|Insecure}} || {No d|Insecure}} || {{N/a}} || {{N/a}} || {{N/a}} |- ! None ! Null<ref group="n">authentiYes on only, no encryption</ref> | - | {{N/a}} || {{Bad|Insecure}} || {{Bad|Insecure}} ||Yes ad|Insecure}} || {{Bad|Insecure}} || {{Bad|Insecure}} || Defined for TLS 1.2 in RFCs Yes Notes {{reflist|group="n"}} ===Data integrity=== [[Message authentication code]] (MNo is used for data integrity. [[HMAC]] is used for [[Cipher block chaining|CBC]] mode Yes
    (only desktop) [AEAD block cipher modes of operation|AEAD]] is used for [[Authenticated encryption]]Yes h as [[Galois/Counter Mode|GCM mode]] and [[CCM mode]]. {{Anchor|integrity-table}} {| clasneeds ECC compatible OS[41] y ! Algorithm !! SSL 2.0 !! SSL 3.0 !! TLS 1.0 !! TLS 1.1 !! TLS 1.2 !! TLS 1.3<br />Not affected )</small> !! Status |- ! [[HMAC]]-[[MD5]] | {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} Mitigated || || rowspan="4" | Defined for TLS 1.2 in RFCs |- ! [[HMAC]]-[[SHA-1|SHA1]] | {{No}Not affected || {{Yes}} || {{Yes}} || {{Yes}} || |- ! [[HMAC]]-[[SHA-2|SHA256/384]] | {{No}} || {{Disabled by default[n 16][64][65] n, TLS is usually implemented on top of [[Transport Layer]] protocols, encrypting allMitigated otocol-related data of protocols such as [[Hypertext Transfer Protocol|HTTP]], [[FileMitigated Protocol|FTP]], [[Simple Mail Transfer Protocol|SMTP]], [[Network News Transfer Protocol|NTemporary
    [n 11] l| MPP]]. Historically, TLS has 50–54 ed primarily with reliable tran 55 t protocols such as the [[Transmission Control Protocol]] (TCP). However, it has alsoNo en implemented with datagram-oriented transport protocols, such as the [[User DatagraNo rotocol]] (UDP) and the [[Datagram Congestion Control Protocol]] (DCCP), usage of whiYes as been standardized independently using the term [[Datagram Transport Layer SecurityYes DTLS). ===Websites=== A prominent use of TLS is for securing [[World Wide Web]] trafYes between a [[website]] and a [[web browser]] encoded with the HTTP protocol. This usNo f TLS to secure HTTP traffic constitutes the [[https|HTTPS]] protocol.<ref>{{cite webYes
    (only desktop) ertificate-products/https.html |title= Http vs https |accessdate=2015-02-12}}</ref> Yes ass="wikitable" style="text-align: center;" |+Website protocol support |- !Protocol<bYes version !Website<br />support<ref name="trustworthy_ssl_pulse">As of October 3, 2016.Not affected rl=https://www.trustworthyinternet.org/ssl-pulse/|title=SSL Pulse: Survey of the SSL Mitigated tion of the Most Popular Web Sites|accessdate=2016-10-03}}</ref> !Security<ref name="Not affected sl_pulse"/><ref name="community.qualys">{{cite web|url=https://community.qualys.com/bDisabled by default[n 16][64][65] sers]] and [[#Attacks against TLS/SSL]] sections</ref>}} |- !TLS 1.1 |78.3% (+0.7%) |Mitigated Depends on cipher<ref group="n" name="ciphers"/> and client mitigations<ref group="n"Mitigated igations"/>}} |- !TLS 1.2 |80.7% (+0.7%) |{{Depends|Depends on cipher<ref group="n" name="Temporary
    [n 11] "m tigations"/>}} Google Android OS Browser
    [66] rt TLS 1.0, 1.1, and 1.2, and have them en Android 1.0, 1.1, 1.5, 1.6, 2.0–2.1, 2.2–2.2.3 pport multiple versions of IE, but this will change according to Microsoft's [https:/No pport.microsoft.com/en-us/gp/microsoft-internet-explorer Internet Explorer Support LEnabled by default ], "beginning January 12, 2016, only the most current version of Internet Explorer avYes ble for a supported operating system will receive technical support and security updNo s." The page then goes on to list the latest supported version of IE at that date fNo each operating system. The next critical date would be when an operating system reaNo s the end of life stage, which is in Microsoft's [http://windows.microsoft.com/en-us/windows/lifecycle Windows lifecycle fact sheet]. There aUnknown problems on several browser versions: * TLS 1.1 and 1.2 supported, but disabled by No ault: Internet Explorer 10 for Server 2012 * TLS 1.1 and 1.2 not supported: InternetNo plorer 9 for Windows Vista and Server 2008 Mitigations against known attacks are not enough yet: * Mitigations against [[#POODLE attack|POODLUnknown ]]: Some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients, but also servers. Unknown g SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC cVulnerable SL 3.0 is required. ** Google Chrome: Complete (TLS_FALLBACK_SCSV is implemented sinVulnerable 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by Vulnerable ce version 40. Support of SSL 3.0 itself was dropped since version 44.) ** Mozilla FVulnerable plete (SSL 3.0 itself is disabled by default and fallback to SSL 3.0 are disabled siNo v rsion 34, TLS_FALLBACK_SCSV is implemented Android 2.3–2.3.7, 3.0–3.2.6, 4.0–4.0.4 Support of SSL 3.0 itself is dropped since version 39.) ** Internet Explorer: PartialNo nly in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and oEnabled by default erable against POODLE.) ** Opera: Complete (TLS_FALLBACK_SCSV is implemented since veYes n 20, "anti-POODLE record splitting", which is effective only with client-side impleNo tation, is implemented since version 25, SSL 3.0 itself is disabled by default sinceNo rsion 27. Support of SSL 3.0 itself will be dropped since version 31.) ** Safari: CoNo ete (Only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 is denied, but this means it will use RC4, which is not recUnknown as well. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.) * Yes[40] C4 attacks|RC4 attacks]]: ** Google Chrome disabled RC4 except as a fallback since versionsince Android OS 3.0[67] ra 35. ** Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 have set the priority of RC4 to lowest and can alsoUnknown RC4 except as a fallback through registry settings. Internet Explorer 11 Mobile 11 for Windows Phone 8.1 disable RC4 except as a fallback if Unknown enabled algorithm works. Edge and IE 11 disable RC4 completely in August 2016. * MiVulnerable ainst [[#FREAK|FREAK attack]]: ** The Android Browser of Android 4 and older are stiVulnerable le to the FREAK attack. ** Internet Explorer 11 Mobile is still vulnerable to the FRVulnerable ** Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and OperaVulnerable ave FREAK mitigations in place. ** Mozilla Firefox on all platforms and Google ChromNo n indows were not affected by FREAK. {{clea Android 4.1–4.3.1, 4.4–4.4.4 article|Comparison of TLS implementations}} Most SSL and TLS programming libraries arNo [free and open source software]]. * [[OpenSSL#BoringSSL|BoringSSL]], a fork of OpenSEnabled by default ium and Android as well as other Google applications. * [[Botan (programming library)Yes an]], a BSD-licensed cryptographic library written in C++. * [[cryptlib]]: a portable openDisabled by default[68] TLS]]: a free implementation (LGPL licensed) * [[Java Secure Socket Extension]]: a [[Java Disabled by default[68] ed in the [[Java Runtime Environment]] supports TLS 1.1 and 1.2 from Java 7, althougNo s disabled by default for client, and enabled by default for server.<ref>{{cite web |author=Oracle |url=http://docs.oracle.com/javase/7/docs/tUnknown /guides/security/SunProviders.html|title=Java Cryptography Architecture Oracle ProvidYes Documentation |accessdate=2012-08-16}}</ref> Java 8 supports TLS 1.1 and 1.2 enabled Yes[41] d server by default.<ref>{{cite web |author=Oracle |url=//docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html|title=JDUnknown rity Enhancements |accessdate=2015-02-25}}</ref> * [[LibreSSL]]: a fork of OpenSSL by OpenBSD project. * [[MatrixSSL]]: a dual licensed implemUnknown * [[mbed TLS]] (previously PolarSSL): A tiny SSL library implementation for embeddeVulnerable hat is designed for ease of use * [[Network Security Services]]: [[FIPS 140]] validaVulnerable urce library * [[OpenSSL]]: a free implementation (BSD license with some extensions)Vulnerable ty Support Provider Interface|SChannel]]: an implementation of SSL and TLS [[MicrosoVulnerable ] as part of its package. * [[Secure Transport]]: an implementation of SSL and TLS No d n [[OS X]] and [[iOS]] as part of their p Android 5.0-5.0.2 L): Embedded SSL/TLS Library with a strong focus on speed and size. {| class="wikitaNo " |+ Library support for TLS/SSL |- ! Implementation ! SSL 2.0 (insecure) ! SSL 3.0 Enabled by default 0 ! TLS 1.1 ! TLS 1.2 ! TLS 1.3<br /><small>(Draft)</small> |- ! [[Botan (programmingYes rary)|Botan]] | {{Yes|No}} | {{yes|No}}<ref name="Botan 1.11.13">{{cite web|url=http:Yes[68][69] {yes}} | {{yes}} | |- ! [[GnuTLS]] | {{Yes|No}}{{cref2|group=protocollibrary-table|a}Yes[68][69] web|url=http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007535.html|titleNo nutls-devel] GnuTLS 3.4.0 released|date=2015-04-08|accessdate=2015-04-16}}</ref> | {{yes}} | {{yes}} | {{yes}} | |- ! [[Java Secure Socket ExtUnknown | {{Yes|No}}{{cref2|group=protocollibrary-table|a}} | {{Yes|Disabled by default}}<reYes cite web|url=http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.htmlYes le=Java™ SE Development Kit 8, Update 31 Release Notes|accessdate=2015-01-22}}</ref> | {{yes}} | {{yes}} | {{yes}} | |- ! [[LibreSSL]] | {{YesUnknown f name=OpenBSD5.6>{{cite web|url=https://marc.info/?l=openbsd-announce&m=141486254309079&w=2|title=OpenBSD 5.6 Released|date=2014-11-01|accessUnknown 5-01-20}}</ref> | {{yes|No}}<ref name=libressl-2.3>{{cite web| title = LibreSSL 2.3.Vulnerable url = https://marc.info/?l=openbsd-announce&m=144304330731220| date = 2015-09-23| aVulnerable 2015-09-24}}</ref> | {{yes}} | {{yes}} | {{yes}} | |- ! [[MatrixSSL]] | {{Yes|No}} Vulnerable abled by default at compile time}}<ref name=Matrix-POODLE>{{cite web|url=http://www.Vulnerable rg/news.html|title=MatrixSSL - News|accessdate=2014-11-09}}</ref> | {{yes}} | {{yes}No { yes}} | |- ! [[mbed TLS]] (previously Pol Android 5.1-5.1.1 default}}<ref name=mbed-2.0>{{cite web | title = mbed TLS 2.0.0 released | url = httpNo /tls.mbed.org/tech-updates/releases/mbedtls-2.0.0-released | date = 2015-07-10 | acceNo
    015-05-06}}</ref> | {{yes}} | {{yes}}<ref name=NSS-3.14>{{cite web|url=https://develoYes mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes|work=Mozilla Developer Network|titlYes S 3.14 release notes|publisher=Mozilla|accessdate=2012-10-27}}</ref> | {{yes}}<ref naYes SS-3.15.1>{{cite web|url=https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.1_relNo e_notes|work=Mozilla Developer Network|title=NSS 3.15.1 release notes|publisher=Mozilla|accessdate=2013-08-10}}</ref> | |- ! [[OpenSSL]] | {{YUnknown ref>{{cite web|url=https://www.openssl.org/news/openssl-1.1.0-notes.html|title=OpenSSYes 1.0 Series Release Notes |accessdate=2016-10-02}}</ref> | {{No|Enabled by default}} |Yes es}} | {{yes}}<ref name=openssl-1.0.1-note>{{cite web|title=Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012] |url=https://Unknown ssl.org/news/openssl-1.0.1-notes.html |date=2012-03-14 |accessdate=2015-01-20 |deadurl=yes |archiveurl=https://web.archive.org/web/20150120120Unknown s://www.openssl.org/news/openssl-1.0.1-notes.html |archivedate=January 20, 2015 }}</rNot affected <ref name=openssl-1.0.1-note /> | |- ! [[RSA BSAFE]]<ref name=RSABSAFETECH>{{cite web| titOnly as fallback
    [n 15] url = http://www.emc.com/collateral/data-sheet/11433-bsafe-tech-table.pdf}}</ref> | Mitigated | {{No|Yes}} | {{yes}} | {{yes}} | {{yes}} | |- ! [[SChannel|SChannel XP / 2003]]<reMitigated 003schannel>[https://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vNo 5% 9.aspx TLS cipher suites in Microsoft Win Android 6.0-6.0.1, 7.0 | {{No|Enabled by default}} | {{partial|Enabled by default by MSIE 7}} | {{no}} | {{No } | |- ! [[SChannel|SChannel Vista / 2008]]<ref name=Vista2008schannel>[https://msdn.No
    ites in SChannel for Windows 7, 2008R2, 8, 2012]</ref> | {{Yes|Disabled by default}} Yes partial|Disabled by default in MSIE 11}} | {{yes}} | {{partial|Enabled by default by Yes 11}} | {{partial|Enabled by default by MSIE 11}} | |- ! [[SChannel|SChannel 8 / 2012Yes ef name=Windows7schannel/> | {{Yes|Disabled by default}} | {{No|Enabled by default}}No {{yes}} | {{partial|Disabled by default}} | {{partial|Disabled by default}} | |- ! [[SChannel|SChannel 8.1 / 2012 R2, 10]]<ref name=Windows7scUnknown | {{Yes|Disabled by default}} | {{partial|Disabled by default in MSIE 11}} | {{yes}}Yes {yes}} | {{yes}} | |- ! Secure Transport OS X 10.2-10.8 / iOS 1-4 | {{No|Yes}} | {{NoYes }} | {{yes}} | {{no}} | {{no}} | |- ! Secure Transport OS X 10.9-10.10 / iOS 5-8 | {{Yes|No}}{{cref2|group=protocollibrary-table|c}} | {{No|YeUnknown yes}} | {{yes}}{{cref2|group=protocollibrary-table|c}} | {{yes}}{{cref2|group=protocollibrary-table|c}} | |- ! Secure Transport OS X 10.11 / iUnknown {Yes|No}} | {{Yes|No}}{{cref2|group=protocollibrary-table|c}} | {{yes}} | {{yes}} | {Not affected SharkSSL | {{Yes|No}} | {{Yes|Disabled by default}} | {{yes}} | {{yes}} | {{yes}} | Disabled by default eviously CyaSSL) | {{Yes|No}} | {{Yes|Disabled by default}}<ref name=wolfSSL-3.6.6>{{Mitigated rl=http://wolfssl.com/wolfSSL/Blog/Entries/2015/8/24_wolfSSL_3.6.6_is_Now_Available.hMitigated [wolfssl] wolfSSL 3.6.6 Released|date=2015-08-20|accessdate=2015-08-25}}</ref> | {{yNo } {{yes}} | {{yes}} | |- class="sortbottom" Android 7.1 ecure) ! SSL 3.0 (insecure) ! TLS 1.0 ! TLS 1.1 ! TLS 1.2 ! TLS 1.3<br /><small>(DrafNo /small> |} {{cnote2 begin | liststyle=lower-alpha}} {{cnote2 | group=protocollibrary-No
    /Mozilla/Projects/NSS/NSS_3.24_release_notes|work=Mozilla Developer Network|title=NSSYes 4 release notes|publisher=Mozilla|accessdate=2016-06-19}}</ref>}} {{cnote2 | group=prYes ollibrary-table | c | Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.Yes s discontinued in OS X 10.11 and iOS 9. TLS 1.1 and 1.2 are available on iOS 5.0 andNo ter, and OS X 10.9 and later.<ref>{{cite web|url=http://developer.apple.com/library/ios/technotes/tn2287/|work=iOS Developer Library|title=TecUnknown ote TN2287: iOS 5 and TLS 1.2 Interoperability Issues|publisher=Apple Inc.|accessdateYes 2-05-03}}</ref>}}<ref>[https://dev.ssllabs.com/ssltest/clients.html Qualys SSL Labs -Yes jects / User Agent Capabilities<!-- Bot generated title -->]</ref> {{cnote2 end}} A paper presented at the 2012 [[Association for Computing MUnknown |ACM]] [[Computer security conference|conference on computer and communications security]]<ref>{{cite book|author=Georgiev, Martin and IyengarUnknown and Jana, Suman and Anubhai, Rishita and Boneh, Dan and Shmatikov, Vitaly|title=The Not affected s code in the world: validating SSL certificates in non-browser software. ProceedingsDisabled by default ference on Computer and communications security|year=2012|isbn=978-1-4503-1651-4|url=Mitigated texas.edu/~shmat/shmat_ccs12.pdf|pages=38–49}}</ref> showed that few applications useMitigated these SSL libraries correctly, leading to vulnerabilities. According to the authors <blockquote>"the root cause of most of these vulnerabilitiUnknown e e Browser sign of the API Version u Platforms S SSL 2.0 (insecure) SSL 3.0 (insecure) e TLS 1.0 i TLS 1.1 t TLS 1.2 t TLS 1.3 (proposed) EV certificate a SHA-2 certificate t ECDSA certificate w BEAST d CRIME o POODLE (SSLv3) o RC4 a FREAK i Logjam o Protocol selection by user lo ers often use SS Mozilla Firefox
    (Firefox for mobile)
    [n 17] arry TLS's encryption and authentication c 1.0 lities with auth Windows (XP SP2+)
    OS X (10.9+)
    Linux
    Android (4.0.3+)
    iOS (8.2+)
    Firefox OS
    Maemo

    ESR only for:
    Windows (XP SP2+)
    OS X (10.6+)
    Linux o a standard method to protect [[Session Initiation Protocol]] (SIP) application sigEnabled by default
    [70] curity== ===SSL 2.0=== SSL 2.0 is flawed in a variety of ways:<ref>{{cite journal|uEnabled by default
    [70] 67404802003127|title=On the Security of Today's Online Electronic Banking Systems|autYes[70] tin Dem |author3=Danny De Cock |author4=Bart Preneel |author5=Joos Vandewalle |journNo Computers & Security|volume=21|issue=3|year=2002|pages=253–265|doi=10.1016/S0167-404No 2)00312-7}}</ref> * Identical cryptographic keys are used for [[message authenticatiNo ] and encryption. <!-- please explain how this affects security --> (In SSL 3.0, MACNo crets may be larger than encryption keys, so messages can remain tamper resistant eveYes[40] e broken.<ref name=RFC6101 />) * SSL 2.0 has a weak MAC construction that uses the MNo hash function with a secret prefix, making it vulnerable to [[length extension attackNot affected
    [71] , leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixesNot affected by having an explicit closure alert). * SSL 2.0 assumes a single service and a fixeVulnerable rtificate, which clashes with the standard feature of virtual hosting in Web serversVulnerable s that most websites are practically impaired from using SSL. SSL 2.0 is disabled byNot affected inning with [[Internet Explorer 7]],<ref>{{cite web|url=http://blogs.msdn.com/ie/arcVulnerable 0/22/483795.aspx|title=IEBlog: Upcoming HTTPS Improvements in Internet Explorer 7 BetYes[n 10] e| irst=Eric|date=2005-10-22|publisher=[[Micr 1.5 Developer Network|MSDN]] Blogs}}</ref> [[Mozilla Firefox]] 2,<ref>{{cite web|url=htEnabled by default lla.org/show_bug.cgi?id=236933|title=Bugzilla@Mozilla&nbsp;— Bug 236933 – Disable SSEnabled by default iphers|accessdate=2007-11-25|publisher=[[Mozilla Corporation]]}}</ref> [[Opera (web bYes er)|Opera]] 9.5,<ref>[http://www.opera.com/docs/changelogs/windows/950/ "Opera 9.5 fNo Windows Changelog"] at [[Opera.com]]: "Disabled SSL v2 and weak ciphers."</ref> and No afari (web browser)|Safari]]. After it sends a TLS "ClientHello", if Mozilla FirefoxNo nds that the server is unable to complete the handshake, it will attempt to fall bacNo o using SSL 3.0 with an SSL 3.0 "ClientHello" in SSL 2.0 format to maximize the likelYes d of successfully handshaking with older servers.<ref>{{cite web|url=https://bugzillNo ozilla.org/show_bug.cgi?id=454759|title=Firefox still sends SSLv2 handshake even thouNot affected ol is disabled|date=2008-09-11}}</ref> Support for SSL 2.0 (and weak [[40-bit encryptNot affected and 56-bit ciphers) has been removed completely from Opera as of version 10<!--9.5=dVulnerable 0=removed, see changelogs-->.<ref>[http://www.opera.com/docs/changelogs/windows/1000Vulnerable for Windows changelog"] at [[Opera.com]]: "Removed support for SSL v2 and weak cipheNot affected >{{cite web|url=http://my.opera.com/yngve/blog/2007/04/30/10-years-of-ssl-in-opera |Vulnerable ars of SSL in Opera&nbsp;— Implementer's notes |accessdate=2007-11-25 |last=PettersenYes[n 10] he =[[Opera Software]] |deadurl=yes |archiveu 2 https://web.archive.org/web/20071012205124/http://my.opera.com/yngve/blog/2007/04/30/Disabled by default
    [70][72] ould be considered less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaEnabled by default process; half of the master key that is established is fully dependent on the MD5 hasYes nction, which is not resistant to collisions and is, therefore, not considered securNo Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 so iNo derivation process is not currently considered weak. It is for this reason that SSL No implementations cannot be validated under FIPS 140-2.<ref>{{cite web|author=NationaNo nstitute of Standards and Technology |title=Implementation Guidance for FIPS PUB 140-Yes d the Cryptographic Module Validation Program |date=December 2010 |url=http://csrc.niYes[41] p/documents/fips140-2/FIPS1402IG.pdf |deadurl=yes |archiveurl=https://web.archive.orgNot affected 130105/http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf |archiNot affected er 6, 2010 }}</ref> In October 2014, the vulnerability in the design of SSL 3.0 hasVulnerable ted, which makes CBC mode of operation with SSL 3.0 vulnerable to the padding attackVulnerable ODLE attack]]). ===TLS=== TLS has a variety of security measures: * Protection againNot affected e of the protocol to a previous (less secure) version or a weaker cipher suite. * NuVulnerable sequent Application records with a sequence number and using this sequence number in Yes[n 10] MA s). * Using a message digest enhanced with 3–7 y (so only a key-holder can check the MAC). The [[HMAC]] construction used by most TLDisabled by default pecified in RFC 2104 (SSL 3.0 used a different hash-based MAC). * The message that eEnabled by default "Finished") sends a hash of all the exchanged handshake messages seen by both partiesYes The [[pseudorandomness|pseudorandom]] function splits the input data in half and proNo ses each one with a different hashing algorithm ([[MD5]] and [[SHA-1]]), then [[exclNo ve or|XORs]] them together to create the MAC. This provides protection even if one oNo hese algorithms is found to be vulnerable. ===Attacks against TLS/SSL=== SignificantYes acks against TLS/SSL are listed below: Note: In February 2015, IETF issued an informYes nal RFC<ref>{{cite web|title=RFC 7457 : Summarizing Known Attacks on Transport Layer Yes rity (TLS) and Datagram TLS (DTLS)|url=https://tools.ietf.org/html/rfc7457}}</ref> suNot affected various known attacks against TLS/SSL. ====Renegotiation attack==== A vulnerabilityNot affected otiation procedure was discovered in August 2009 that can lead to plaintext injectioVulnerable gainst SSL 3.0 and all current versions of TLS.<ref>{{cite web|url=http://cve.mitre.Vulnerable /cvename.cgi?name=CVE-2009-3555|title=CVE - CVE-2009-3555}}</ref> For example, it allNot affected er who can hijack an https connection to splice their own requests into the beginninVulnerable nversation the client has with the web server. The attacker can't actually decrypt thYes[n 10] s ifferent from a typical man-in-the-middle 8–10
    ESR 10 stop allowing renegotiation, which typically will not require other changes unless [No[72] uthentication is used. To fix the vulnerability, a renegotiation indication extensioEnabled by default TLS. It will require the client and server to include and verify information about prYes us handshakes in any renegotiation handshakes.<ref>{{cite web|author=Eric Rescorla|tNo e=Understanding the TLS Renegotiation Attack|work=Educated Guesswork|accessdate=2009No -27|date=2009-11-05|url=http://www.educatedguesswork.org/2009/11/understanding_the_tNo renegoti.html}}</ref> This extension has become a proposed standard and has been assiYes the number RFC 5746. The RFC has been implemented by several libraries.<ref>{{cite wYes itle=SSL_CTX_set_options SECURE_RENEGOTIATION|work=OpenSSL Docs|accessdate=2010-11-18Yes e=2010-02-25|url=https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENNot affected /ref><ref>{{cite web|title=GnuTLS 2.10.0 released|work=GnuTLS release notes|accessdatNot affected date=2010-06-25|url=http://article.gmane.org/gmane.network.gnutls.general/2046}}</reVulnerable te web|title=NSS 3.12.6 release notes |work=NSS release notes |accessdate=2011-07-24Vulnerable -03-03 |url=https://developer.mozilla.org/NSS_3.12.6_release_notes |deadurl=yes |archNot affected //web.archive.org/web/20120306184633/https://developer.mozilla.org/NSS_3.12.6_releasVulnerable chivedate=March 6, 2012 }}</ref> ====Protocol downgrade attacks==== A protocol downgYes[n 10] ll ack attack) tricks a web server into negot 11–14 connections with previous versions of TLS (such as SSLv2) that have long since been aNo doned as insecure. Previous modifications to the original protocols, like '''False Enabled by default web|title=Transport Layer Security (TLS) False Start|url=//tools.ietf.org/html/draftYes eller-tls-falsestart-00|work=Internet Engineering Task Force|publisher=IETF|accessdaNo 31 July 2013|author=A. Langley|author2=N. Modadugu |author3=B. Moeller |date=2 June No 0}}</ref> (adopted and enabled by Google Chrome<ref>{{cite web | last = Wolfgang | fNo t = Gruener | title = False Start: Google Proposes Faster Web, Chrome Supports It AlrYes | url = http://www.conceivablytech.com/3299/products/false-start-google-proposes-fasYes web-chrome-supports-it-already|accessdate= 9 March 2011 |archiveurl= https://web.archYes org/web/20101007061707/http://www.conceivablytech.com/3299/products/false-start-googlNot affected ster-web-chrome-supports-it-already/ |archivedate= October 7, 2010 }}</ref>) or '''SVulnerable
    (SPDY)[50] cks<ref>{{cite web|last= Brian|first=Smith|title= Limited rollback attacks in False Vulnerable nap Start|url= http://www.ietf.org/mail-archive/web/tls/current/msg06933.html|accessVulnerable ch 2011}}</ref> or allowed modifications to the cipher suite list sent by the client Not affected . In doing so, an attacker might succeed in influencing the cipher suite selection iVulnerable t to downgrade the cipher suite negotiated to use either a weaker symmetric encryptioYes[n 10] ef {{cite web|last=Adrian|first=Dimcev|title= 15–22
    ESR 17.0–17.0.10 m-SSLTLS-101-False-Start.aspx|work=Random SSL/TLS 101|accessdate=9 March 2011}}</ref>No A paper presented at an [[Association for Computing Machinery]] (ACM) [[Computer secEnabled by default nference on computer and communications security]] in 2012 demonstrated that the FalsYes art extension was at risk: in certain circumstances it could allow an attacker to reNo er the encryption keys offline and to access the encrypted data.<ref>{{cite book|autNo =Mavrogiannopoulos, Nikos and Vercautern, Frederik and Velichkov, Vesselin and PreneNo Bart|title=A cross-protocol attack on the TLS protocol. Proceedings of the 2012 ACM Yes erence on Computer and communications security|year=2012|isbn=978-1-4503-1651-4|url=hYes ://www.cosic.esat.kuleuven.be/publications/article-2216.pdf|pages=62–72}}</ref> ====Yes s-protocol attacks: DROWN==== {{Main article|DROWN attack}} The [[DROWN attack]] is aNot affected t attacks servers supporting contemporary SSL/TLS protocol suites by exploiting theirMitigated or the obsolete, insecure, SSLv2 protocol to leverage an attack on connections usingVulnerable protocols that would otherwise be secure.<ref>{{Cite web | url = http://www.theregiVulnerable 2016/03/01/drown_tls_protocol_flaw/ | title = One-third of all HTTPS websites open toNot affected | last = Leyden | first = John | date = 1 March 2016 | website = The Register | accVulnerable 2016-03-02 }}</ref><ref name=ars201603>{{Cite web | url = http://arstechnica.com/secuYes[n 10] s- ebsites-imperiled-by-new-decryption-attack ESR 17.0.11 bsites imperiled by new decryption attack | website = Ars Technica | access-date = 20No 03-02 }}</ref> DROWN exploits a vulnerability in the protocols used and the configurEnabled by default , rather than any specific implementation error. Full details of DROWN were announcedYes March 2016, together with a patch for the exploit. As of March 2016, more than 81,00No f the top 1 million most popular Web sites are among the TLS protected web sites thaNo re vulnerable to the DROWN attack.<ref name=ars201603/> ===={{Anchor|BEAST}}BEAST aNo ck==== On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a Yes f of concept called '''BEAST''' ('''Browser Exploit Against SSL/TLS''')<ref name=DuonYes zo>{{cite web|url=https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=540839|titYes ere Come The ⊕ Ninjas|date=2011-05-13|author1=Thai Duong |author2=Juliano Rizzo |lasNot affected s }}</ref> using a [[Java applet]] to violate [[same origin policy]] constraints, forMitigated own [[cipher block chaining]] (CBC) vulnerability in TLS 1.0:<ref name=DanGoodin>{{cVulnerable =http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/|title=Hackers break SSLowest priority
    [73][74] oodin}}</ref><ref name=combinator>{{cite web|url=http://news.ycombinator.com/item?id=Not affected =Y Combinator comments on the issue|date=2011-09-20}}</ref> an attacker observing 2 Vulnerable ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosinYes[n 10] ^ C1; due to how CBC works C2 will be equal 23 1 if x = P1. Practical [[Exploit (computer security)|exploits]] had not been previousNo demonstrated for this [[Vulnerability (computing)|vulnerability]], which was originaEnabled by default [Phillip Rogaway]]<ref>{{cite web|url=http://www.openssl.org/~bodo/tls-cbc.txt|archivYes =https://web.archive.org/web/20120630143111/http://www.openssl.org/~bodo/tls-cbc.txt|archiDisabled by default
    [75] 1.1 had not seen wide adoption prior to this attack demonstration. [[RC4]] as a strNo cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigaNo BEAST attack on the server side. However, in 2013, researchers found more weaknesses Yes C4. Thereafter enabling RC4 on server side was no longer recommended.<ref>{{cite web Yes l=https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat Yes tle=Is BEAST Still a Threat? | date=Sep 10, 2013 | accessdate=8 October 2014 | authorNot affected }}</ref> Chrome and Firefox themselves are not vulnerable to BEAST attack,<ref name=Mitigated T>{{cite web|url=http://googlechromereleases.blogspot.jp/2011/10/chrome-stable-releaVulnerable le=Chrome Stable Release|work=Chrome Releases|publisher=Google|date=2011-10-25|accesVulnerable 02-01}}</ref><ref>{{cite web|url=https://blog.mozilla.org/security/2011/09/27/attack-Not affected rotected-communications/|title=Attack against TLS-protected communications|work=MoziVulnerable y Blog|publisher=Mozilla|date=2011-09-27|accessdate=2015-02-01}}</ref> however, MozilYes<ref name='aboutconfig' group='n'>configure the maximum and the minimum version of enabling protocols via about:config or add-on<ref name='FxSSLVersionControl'>SSL Version Control :: Add-ons for Firefox
  15. 1 2 3 4 5 6 7 8 9 Only when no cipher suites with other than RC4 is available, cipher suites with RC4 will be used as a fallback.
  16. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 All RC4 cipher-suites is disabled by default.
  17. Uses the TLS implementation provided by NSS. As of Firefox 22, Firefox supports only TLS 1.0 despite the bundled NSS supporting TLS 1.1. Since Firefox 23, TLS 1.1 can be enabled, but was not enabled by default due to issues. Firefox 24 has TLS 1.2 support disabled by default. TLS 1.1 and TLS 1.2 have been enabled by default in Firefox 27 release.
  18. 1 2 3 4 5 6 7 8 9 10 11
  19. SSL 3.0 itself is disabled by default.[80] In addition, fallback to SSL 3.0 is disabled since version 34,[82] and TLS_FALLBACK_SCSV is implemented since 35.0 and ESR 31.3.[80][83]
  20. 1 2 3 IE uses the TLS implementation of the Microsoft Windows operating system provided by the SChannel security support provider. TLS 1.1 and 1.2 are disabled by default until IE11.[93][94]
  21. 1 2 3 Windows NT 3.1 supports IE 1–2, Windows NT 3.5 supports IE 1–3, Windows NT 3.51 and Windows NT 4.0 supports IE 1–6
  22. 1 2 3 4 5 6 7 Windows XP as well as Server 2003 and older support only weak ciphers like 3DES and RC4 out of the box.[97] The weak ciphers of these SChannel version are not only used for IE, but also for other Microsoft products running on this OS, like Office or Windows Update. Only Windows Server 2003 can get a manually update to support AES ciphers by KB948963[98]
  23. 1 2 3 4 MS13-095 or MS14-049 for 2003 and XP-64 or SP3 for XP (32-bit)
  24. 1 2 3 4 Internet Explorer Support Announcement[102]
  25. 1 2 3 RC4 can be disabled except as a fallback (Only when no cipher suites with other than RC4 is available, cipher suites with RC4 will be used as a fallback.)[105]
  26. 1 2 3 4 Fallback to SSL 3.0 is sites blocked by default in Internet Explorer 11 for Protected Mode.[107][108] SSL 3.0 is disabled by default in Internet Explorer 11 since April 2015.[109]
  27. 1 2 Edge (formerly known as Project Spartan) is based on a fork of the Internet Explorer 11 rendering engine.
  28. Except Windows 10 LTSB 2015 (LongTermSupportBranch)[111]
  29. 1 2 3 Could be disabled via registry editing but need 3rd Party tools to do this.[112]
  30. Opera 10 added support for TLS 1.2 as of Presto 2.2. Previous support was for TLS 1.0 and 1.1. TLS 1.1 and 1.2 are disabled by default (except for version 9[118] that enabled TLS 1.1 by default).
  31. 1 2 SSL 3.0 is disabled by default remotely since October 15, 2014[127]
  32. TLS support of Opera 14 and above is same as that of Chrome, because Opera has migrated to Chromium backend (Opera 14 for Android is based on Chromium 26 with WebKit,[132] and Opera 15 and above are based on Chromium 28 and above with Blink[133]).
  33. TLS_FALLBACK_SCSV is implemented.[136]
  34. SSL 3.0 is enabled by default, with some mitigations against known vulnerabilities such as BEAST and POODLE implemented.[127]</ref> Yes Yes Yes No Yes
    (only desktop) Yes needs ECC compatible OS[41] Not affected Mitigated Mitigated
    [n 35]
  35. In addition to TLS_FALLBACK_SCSV, "anti-POODLE record splitting" is implemented.[127]</ref> Lowest priority Vulnerable
    (except Windows) Vulnerable Temporary
    [n 11] 27 No Disabled by default
    [60] Yes Yes Yes No Yes
    (only desktop) Yes needs ECC compatible OS[41] Not affected Mitigated Mitigated
    [n 36] Qualys SSL report simulates Safari 5.1.9 connecting with TLS 1.0 not 1.1 or 1.2<ref>Qualys SSL Report: google.co.uk (simulation Safari 5.1.9 TLS 1.0)
  36. In addition to TLS_FALLBACK_SCSV and "anti-POODLE record splitting", SSL 3.0 itself is disabled by default.[60]</ref> Lowest priority Vulnerable
    (except Windows) Vulnerable Yes[n 37] Safari 5 is the last version available for Windows. OS X 10.8 on have SecureTransport support for TLS 1.1 and 1.2<ref>"Curl: Patch to add TLS 1.1 and 1.2 support & replace deprecated functions in SecureTransport".
  37. 1 2 3 configure the minimum version of enabling protocols via opera://flags[60] (the maximum version can be configured with command-line option)</ref>
    (only desktop) 28, 29 No Disabled by default Yes Yes Yes No Yes
    (only desktop) Yes needs ECC compatible OS[41] Not affected Mitigated Mitigated Lowest priority Mitigated Vulnerable Yes[n 37]
    (only desktop) 30 No Disabled by default Yes Yes Yes No Yes
    (only desktop) Yes needs ECC compatible OS[41] Not affected Mitigated Mitigated Only as fallback
    [n 15][61] Mitigated Mitigated[128] Yes[n 37]
    (only desktop) 31–34 No No[62] Yes Yes Yes No Yes
    (only desktop) Yes needs ECC compatible OS[41] Not affected Mitigated Not affected Only as fallback
    [n 15][61] Mitigated Mitigated Temporary
    [n 11] 35 36
    (XP,Vista)[137] No No Yes Yes Yes No Yes
    (only desktop) Yes needs ECC compatible OS[41] Not affected Mitigated Not affected Disabled by default[n 16][64][65] Mitigated Mitigated Temporary
    [n 11] 37–40 41 No No Yes Yes Yes No Yes
    (only desktop) Yes Yes Not affected Mitigated Not affected Disabled by default[n 16][64][65] Mitigated Mitigated Temporary
    [n 11] Browser Version Platforms SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 (proposed) EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam Protocol selection by user Apple Safari
    [n 38] with unknown version,<ref>Apple (2009-06-10). "Features". Retrieved 2009-06-10.
  38. Safari uses the operating system implementation on Mac OS X, Windows (XP, Vista, 7)<ref>Adrian, Dimcev. "Common browsers/libraries/servers and the associated cipher suites implemented". TLS Cipher Suites Project.
  39. In September 2013, Apple implemented BEAST mitigation in OS X 10.8 (Mountain Lion), but it was not turned on by default resulting in Safari still being theoretically vulnerable to the BEAST attack on that platform.[139][140] BEAST mitigation has been enabled by default from OS X 10.8.5 updated in February 2014.[141]
  40. 1 2 3 4 5 6 7 8 Because Apple removed support for all CBC protocols in SSL 3.0 to mitigate POODLE[142][143], this leaves only RC4 which is also completely broken by the RC4 attacks in SSL 3.0.
  41. Mobile Safari and third-party software utilizing the system UIWebView library use the iOS operating system implementation, which supports TLS 1.2 as of iOS 5.0.[148][149][150]

Libraries

Most SSL and TLS programming libraries are free and open source software.

Library support for TLS/SSL
Implementation SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
(Draft)
Botan No No[160] Yes Yes Yes
cryptlib No Enabled by default Yes Yes Yes
GnuTLS No[a] Disabled by default[161] Yes Yes Yes
Java Secure Socket Extension No[a] Disabled by default[162] Yes Yes Yes
LibreSSL No[163] No[164] Yes Yes Yes
MatrixSSL No Disabled by default at compile time[165] Yes Yes Yes
mbed TLS (previously PolarSSL) No Disabled by default[166] Yes Yes Yes
Network Security Services No[b] Disabled by default[167] Yes Yes[168] Yes[169]
OpenSSL No[170] Enabled by default Yes Yes[171] Yes[171]
RSA BSAFE[172] No Yes Yes Yes Yes
SChannel XP / 2003[173] Disabled by default by MSIE 7 Enabled by default Enabled by default by MSIE 7 No No
SChannel Vista / 2008[174] Disabled by default Enabled by default Yes No No
SChannel 7 / 2008 R2[175] Disabled by default Disabled by default in MSIE 11 Yes Enabled by default by MSIE 11 Enabled by default by MSIE 11
SChannel 8 / 2012[175] Disabled by default Enabled by default Yes Disabled by default Disabled by default
SChannel 8.1 / 2012 R2, 10[175] Disabled by default Disabled by default in MSIE 11 Yes Yes Yes
Secure Transport OS X 10.2-10.8 / iOS 1-4 Yes Yes Yes No No
Secure Transport OS X 10.9-10.10 / iOS 5-8 No[c] Yes Yes Yes[c] Yes[c]
Secure Transport OS X 10.11 / iOS 9 No No[c] Yes Yes Yes
SharkSSL No Disabled by default Yes Yes Yes
wolfSSL (previously CyaSSL) No Disabled by default[176] Yes Yes Yes
Implementation SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
(Draft)
  1. ^ SSL 2.0 client hello is supported even though SSL 2.0 is not supported or is disabled because of the backward compatibilities.
  2. ^ Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages.[177]
  3. ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9. TLS 1.1 and 1.2 are available on iOS 5.0 and later, and OS X 10.9 and later.[178]
  4. [179]

A paper presented at the 2012 ACM conference on computer and communications security[180] showed that few applications used some of these SSL libraries correctly, leading to vulnerabilities. According to the authors

"the root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."

Other uses

The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications use public key certificates to verify the identity of endpoints.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.

Security

SSL 2.0

SSL 2.0 is flawed in a variety of ways:[181]

SSL 2.0 is disabled by default, beginning with Internet Explorer 7,[182] Mozilla Firefox 2,[183] Opera 9.5,[184] and Safari. After it sends a TLS "ClientHello", if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 "ClientHello" in SSL 2.0 format to maximize the likelihood of successfully handshaking with older servers.[185] Support for SSL 2.0 (and weak 40-bit and 56-bit ciphers) has been removed completely from Opera as of version 10.[186][187]

SSL 3.0

SSL 3.0 improved upon SSL 2.0 by adding SHA-1–based ciphers and support for certificate authentication.

From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 so its derivation process is not currently considered weak. It is for this reason that SSL 3.0 implementations cannot be validated under FIPS 140-2.[188]

In October 2014, the vulnerability in the design of SSL 3.0 has been reported, which makes CBC mode of operation with SSL 3.0 vulnerable to the padding attack (see #POODLE attack).

TLS

TLS has a variety of security measures:

Attacks against TLS/SSL

Significant attacks against TLS/SSL are listed below:

Note: In February 2015, IETF issued an informational RFC[189] summarizing the various known attacks against TLS/SSL.

Renegotiation attack

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS.[190] For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.[191] This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries.[192][193][194]

Protocol downgrade attacks

A protocol downgrade attacks (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure.

Previous modifications to the original protocols, like False Start[195] (adopted and enabled by Google Chrome[196]) or Snap Start, reportedly introduced limited TLS protocol downgrade attacks[197] or allowed modifications to the cipher suite list sent by the client to the server. In doing so, an attacker might succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite negotiated to use either a weaker symmetric encryption algorithm or a weaker key exchange[198]). A paper presented at an Association for Computing Machinery (ACM) conference on computer and communications security in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.[199]

Cross-protocol attacks: DROWN

Main article: DROWN attack

The DROWN attack is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.[200][201] DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. As of March 2016, more than 81,000 of the top 1 million most popular Web sites are among the TLS protected web sites that are vulnerable to the DROWN attack.[201]

BEAST attack

On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS)[202] using a Java applet to violate same origin policy constraints, for a long-known cipher block chaining (CBC) vulnerability in TLS 1.0:[203][204] an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext block P2 = x ^ C0 ^ C1; due to how CBC works C2 will be equal to C1 if x = P1. Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway[205] in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.

RC4 as a stream cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigate BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter enabling RC4 on server side was no longer recommended.[206]

Chrome and Firefox themselves are not vulnerable to BEAST attack,[48][207] however, Mozilla updated their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.[208]

Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets from the server end.[209] Users of Internet Explorer (prior to version 11) that run on older versions of Windows (Windows 7, Windows 8 and Windows Server 2008 R2z) can restrict use of TLS to 1.1 or higher.

Apple fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by default in OS X Mavericks, released on October 22, 2013.[210]

CRIME and BREACH attacks

The authors of the BEAST attack are also the creators of the later CRIME attack, which can allow an attacker to recover the content of web cookies when data compression is used along with TLS.[211][212] When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session.

While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was announced. Based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).[213] All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.[214] Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.[213] This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data it was meant to protect.

Timing attacks on padding

Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013.

Some experts[32] also recommended avoiding Triple-DES CBC. Since the last supported ciphers developed to support any program using Windows XP's SSL/TLS library like Internet Explorer on Windows XP are RC4 and Triple-DES, and since RC4 is now deprecated (see discussion of RC4 attacks), this makes it difficult to support any version of SSL for any program using this library on XP.

A fix was released as the Encrypt-then-MAC extension to the TLS specification, released as RFC 7366.[215] The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable.

POODLE attack

Main article: POODLE

On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes CBC mode of operation with SSL 3.0 vulnerable to a padding attack (CVE-2014-3566). They named this attack POODLE (Padding Oracle On Downgraded Legacy Encryption). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.[38]

Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail unless they provide the option for a user or administrator to disable SSL 3.0 and the user or administrator does so. Therefore, the man-in-the-middle can first conduct a version rollback attack and then exploit this vulnerability.[38]

In general, graceful security degradation for the sake of interoperability is difficult to carry out in a way that cannot be exploited. This is challenging especially in domains where fragmentation is high.[216]

On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.[217]

RC4 attacks

Main article: RC4 § Security

Despite the existence of attacks on RC4 that broke its security, cipher suites in SSL and TLS that were based on RC4 were still considered secure prior to 2013 because the way in which they were used in SSL and TLS. In 2011, the RC4 suite was actually recommended as a work around for the BEAST attack.[218] New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST.[37] An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table[219] to recover parts of the plaintext with a large number of TLS encryptions.[220][221] An attack on RC4 in TLS and SSL that requires 13 × 220 encryptions to break RC4 was unveiled on 8 July 2013 and later described as "feasible" in the accompanying presentation at a USENIX Security Symposium in August 2013.[222][223] In July 2015, subsequent improvements in the attack make it increasingly practical to defeat the security of RC4-encrypted TLS.[224]

As many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.7 or earlier, for iOS 6 or earlier, and for Windows; see #Web browsers), RC4 is no longer a good choice for TLS 1.0. The CBC ciphers which were affected by the BEAST attack in the past have become a more popular choice for protection.[32] Mozilla and Microsoft recommend disabling RC4 where possible.[225][226] RFC 7465 prohibits the use of RC4 cipher suites in all versions of TLS.

On September 1, 2015, Microsoft, Google and Mozilla announced that RC4 cipher suites would be disabled by default in their browsers (Microsoft Edge, Internet Explorer 11 on Windows 7/8.1/10, Firefox, and Chrome) in early 2016.[227][228][229]

Truncation attack

A TLS (logout) truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination.[230]

Published in July 2013,[231][232] the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).[230] This vulnerability also requires access to the victim's computer. Another possibility is when using FTP the data connection can have a false FIN in the data stream, and if the protocol rules for exchanging close_notify alerts is not adhered to a file can be truncated.

Downgrade attacks: FREAK attack and Logjam attack

Encryption downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, a man-in-the-middle attack called FREAK was discovered affecting the OpenSSL stack, the default Android web browser, and some Safari browsers.[233] The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512 bit encryption keys.

Logjam is a security exploit discovered in May 2015 that exploits the option of using legacy "export-grade" 512-bit Diffie–Hellman groups dating back to the 1990s.[234] It forces susceptible servers to downgrade to cryptographically weak 512 bit Diffie-Hellman groups. An attacker can then deduce the keys the client and server determine using the Diffie–Hellman key exchange.

Unholy PAC attack

This attack, discovered in mid-2016, exploits weaknesses in the Web Proxy Autodiscovery Protocol (WPAD) to expose the URL that a web user is attempting to reach via a TLS-enabled web link.[235] Disclosure of a URL can violate a user's privacy, not because of the web site accessed, but also because URLs are sometimes used to authenticate users. Document sharing services, such as those offered by Google and Dropbox, also work by sending a user a security token that's included in the URL. An attacker who obtains such URLs may be able to gain full access to a victim's account or data.

The exploit works against almost all browsers and operating systems.

Sweet32 attack

The Sweet32 attack breaks all 64-bit block ciphers used in CBC mode as used in TLS by exploiting a birthday attack and either a man-in-the-middle attack or injection of a malicious JavaScript into a web page. The purpose of the man-in-the-middle attack or the JavaScript injection is to allow the attacker to capture enough traffic to mount a birthday attack.[236]

Implementation errors: Heartbleed bug, BERserk attack, and others

Main article: Heartbleed

The Heartbleed bug is a serious vulnerability specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected.[237] The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.[238] The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.

In September 2014, a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability[239] was announced by Intel Security Advanced Threat Research. This attack, dubbed BERserk, is a result of incomplete ASN.1 length decoding of public key signatures in some SSL implementations, and allows a man-in-the-middle attack by forging a public key signature.[240]

In February 2015, after media reported the hidden pre-installation of Superfish adware on some Lenovo notebooks,[241] a researcher found a trusted root certificate on affected Lenovo machines to be insecure, as the keys could easily be accessed using the company name, Komodia, as a passphrase.[242] The Komodia library was designed to intercept client-side TLS/SSL traffic for parental control and surveillance, but it was also used in numerous adware programs, including Superfish, that were often surreptitiously installed unbeknownst to the computer user. In turn, these potentially unwanted programs installed the corrupt root certificate, allowing attackers to completely control web traffic and confirm false web sites as authentic.

In May 2016, it was reported that dozens of Danish HTTPS-protected websites belonging to Visa Inc. were vulnerable to attacks allowing hackers to inject malicious code and forged content into the browsers of visitors.[243] The attacks worked because the TLS implementation used on the affected servers incorrectly reused random numbers (nonces) that are intended be used only once, ensuring that each TLS handshake is unique.[243]

Survey of websites vulnerable to attacks

As of October 2016, Trustworthy Internet Movement estimate the ratio of websites that are vulnerable to TLS attacks.[36]

Survey of the TLS vulnerabilities of the most popular websites
Attacks Security
Insecure Depends Secure Other
Renegotiation attack 1.2% (-0.1%)
support insecure renegotiation
0.4% (±0.0%)
support both
96.2% (+0.1%)
support secure renegotiation
2.2% (±0.0%)
no support
RC4 attacks <0.1% (±0.0%)
support only RC4 suites
6.0% (-0.3%)
support RC4 suites used with modern browsers
28.5% (-0.7%)
support some RC4 suites
65.5% (+1.0%)
no support
N/A
CRIME attack 2.4% (-0.1%)
vulnerable
N/A N/A N/A
Heartbleed 0.1% (±0.0%)
vulnerable
N/A N/A N/A
ChangeCipherSpec injection attack 0.8% (±0.0%)
vulnerable and exploitable
4.7% (-0.2%)
vulnerable, not exploitable
92.6% (+0.4%)
not vulnerable
1.9% (+0.1%)
unknown
POODLE attack against TLS
(Original POODLE against SSL 3.0 is not included)
2.1% (-0.1%)
vulnerable and exploitable
N/A 97.1% (+0.2%)
not vulnerable
0.8% (-0.1%)
unknown
Protocol downgrade 23.2% (-0.4%)
TLS_FALLBACK_SCSV not supported
N/A 67.6% (+0.7%)
TLS_FALLBACK_SCSV supported
9.1% (-0.4%)
unknown

Forward secrecy

Main article: Forward secrecy

Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.[244] Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided of course that these past sessions were intercepted and stored at the time of transmission).[245] An implementation of TLS can provide forward secrecy by requiring the use of ephemeral Diffie-Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g., Gmail and other Google HTTPS services that use OpenSSL.[246] However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.[247][248] In practice, unless a web service uses Diffie-Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.[249]

Even where Diffie-Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use of TLS session tickets (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.[250][251][252] Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie-Hellman (DHE) key exchange to support forward secrecy were using weak Diffie Hellman parameters. These weak parameter choices could potentially compromise the effectiveness of the forward secrecy that the servers sought to provide.[253]

Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search among other services.[254] Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.[255] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[36]

Dealing with man-in-the-middle attacks

Certificate pinning

One way to detect and block many kinds of man-in-the-middle attacks is "certificate pinning", sometimes called "SSL pinning", but more accurately called "public key pinning".[256] A client that does key pinning adds an extra step beyond the normal X.509 certificate validation: After obtaining the server's certificate in the standard way, the client checks the public key(s) in the server's certificate chain against a set of (hashes of) public keys for the server name. Typically the public key hashes are bundled with the application. For example, Google Chrome includes public key hashes for the *.google.com certificate that detected fraudulent certificates in 2011. (Chromium does not enforce the hardcoded key pins.) Since then, Mozilla has introduced Public Key Pinning to its Firefox browser.[257]

In other systems the client hopes that the first time it obtains a server's certificate it is trustworthy and stores it; during later sessions with that server, the client checks the server's certificate against the stored certificate to guard against later MITM attacks.

Perspectives Project

The Perspectives Project[258] operates network notaries that clients can use to detect if a site's certificate has changed. By their nature, man-in-the-middle attacks place the attacker between the destination and a single specific target. As such, Perspectives would warn the target that the certificate delivered to the web browser does not match the certificate seen from other perspectives - the perspectives of other users in different times and places. Use of network notaries from a multitude of perspectives makes it possible for a target to detect an attack even if a certificate appears to be completely valid. Other projects, such as the EFF's SSL Observatory, also make use of notaries or similar reporters in discovering Man In The Middle attacks.

DNSChain

DNSChain[259] relies on the security that "block chains" provide to distribute public keys. It uses one pin to secure the connection to the DNSChain server itself, after which all other public keys (that are stored in a block chain) become accessible over a secure channel.

Protocol details

The TLS protocol exchanges records—which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.

TLS handshake

When the connection starts, the record encapsulates a "control" protocol—the handshake messaging protocol  (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the messages formatting or containing this information and the order of their exchange. These may vary according to the demands of the client and server—i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).

Basic TLS handshake

A typical connection example follows, illustrating a handshake where the server (but not the client) is authenticated by its certificate:

  1. Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and suggested compression methods. If the client is attempting to perform a resumed handshake, it may send a session ID. If the client can use Application-Layer Protocol Negotiation, it may include a list of supported application protocols, such as HTTP/2.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, CipherSuite and compression method from the choices offered by the client. To confirm or allow resumed handshakes the server may send a session ID. The chosen protocol version should be the highest that both the client and server support. For example, if the client supports TLS version 1.1 and the server supports version 1.2, version 1.1 should be selected; version 1.0 should not be selected.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[260]
    • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.[1]
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.
    • Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated)."
    • The server sends its authenticated and encrypted Finished message.
    • The client performs the same decryption and verification.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not authenticate.

Client-authenticated TLS handshake

The following full example shows a client being authenticated (in addition to the server as in the example above) via TLS using certificates exchanged between both peers.

  1. Negotiation Phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[260]
    • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.[1]
    • The server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message.
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a Certificate message, which contains the client's certificate.
    • The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
    • The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). " The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). "
    • The server sends its own encrypted Finished message.
    • The client performs the same decryption and verification.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.

Apart from the performance benefit, resumed sessions can also be used for Single sign-on, as it guarantees that both the original session and any resumed session originate from the same client. This is of particular importance for the FTP over TLS/SSL protocol, which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.[261]

Session IDs

In an ordinary full handshake, the server sends a session id as part of the ServerHello message. The client associates this session id with the server's IP address and TCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

  1. Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the session id from the previous TLS connection.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the session id sent by the client, it responds with the same session id. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the session id sent by the client, it sends a different value for its session id. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the "master secret" and random data to generate the key data to be used for this connection.
  2. The server now sends a ChangeCipherSpec record, essentially telling the client, "Everything I tell you from now on will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the server sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The client will attempt to decrypt the server's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  3. Finally, the client sends a ChangeCipherSpec, telling the server, "Everything I tell you from now on will be encrypted. "
    • The client sends its own encrypted Finished message.
    • The server performs the same decryption and verification.
  4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.
Session tickets

RFC 5077 extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.

When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.

One particular weakness of this method with OpenSSL is that it always limits encryption and authentication security of the transmitted TLS session ticket to AES128-CBC-SHA256, no matter what other TLS parameters were negotiated for the actual TLS session.[251] This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (SSL_CTX), i.e. for the life of the application, and not allowing for re-keying of the AES128-CBC-SHA256 TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).[252][250]

TLS record

This is the general format of all TLS records.

+ Byte +0 Byte +1 Byte +2 Byte +3
Byte
0
Content type  
Bytes
1..4
Version Length
(Major) (Minor) (bits 15..8) (bits 7..0)
Bytes
5..(m-1)
Protocol message(s)
Bytes
m..(p-1)
MAC (optional)
Bytes
p..(q-1)
Padding (block ciphers only)
Content type
This field identifies the Record Layer Protocol Type contained in this Record.
Content types
Hex Dec Type
0x14 20 ChangeCipherSpec
0x15 21 Alert
0x16 22 Handshake
0x17 23 Application
0x18 24 Heartbeat
Version
This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.
Versions
Major
version
Minor
version
Version type
3 0 SSL 3.0
3 1 TLS 1.0
3 2 TLS 1.1
3 3 TLS 1.2
Length
The length of Protocol message(s), MAC and Padding, not to exceed 214 bytes (16 KiB).
Protocol message(s)
One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
MAC and Padding
A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
No MAC or Padding can be present at end of TLS records before all cipher algorithms and parameters have been negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) for signalling that these parameters will take effect in all further records sent by the same peer.

Handshake protocol

Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).

+ Byte +0 Byte +1 Byte +2 Byte +3
Byte
0
22  
Bytes
1..4
Version Length
(Major) (Minor) (bits 15..8) (bits 7..0)
Bytes
5..8
Message type Handshake message data length
(bits 23..16) (bits 15..8) (bits 7..0)
Bytes
9..(n-1)
Handshake message data
Bytes
n..(n+3)
Message type Handshake message data length
(bits 23..16) (bits 15..8) (bits 7..0)
Bytes
(n+4)..
Handshake message data
Message type
This field identifies the handshake message type.
Message types
Code Description
0 HelloRequest
1 ClientHello
2 ServerHello
4 NewSessionTicket
11 Certificate
12 ServerKeyExchange
13 CertificateRequest
14 ServerHelloDone
15 CertificateVerify
16 ClientKeyExchange
20 Finished
Handshake message data length
This is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple handshake messages may be combined within one record.

Alert protocol

This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

+ Byte +0 Byte +1 Byte +2 Byte +3
Byte
0
21  
Bytes
1..4
Version Length
(Major) (Minor) 0 2
Bytes
5..6
Level Description  
Bytes
7..(p-1)
MAC (optional)
Bytes
p..(q-1)
Padding (block ciphers only)
Level
This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).
Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).
Alert level types
Code Level type Connection state
1 warning connection or security may be unstable.
2 fatal connection or security may be compromised, or an unrecoverable error has occurred.
Description
This field identifies which type of alert is being sent.
Alert description types
Code Description Level types Note
0 Close notify warning/fatal
10 Unexpected message fatal
20 Bad record MAC fatal Possibly a bad SSL implementation, or payload has been tampered with e.g. FTP firewall rule on FTPS server.
21 Decryption failed fatal TLS only, reserved
22 Record overflow fatal TLS only
30 Decompression failure fatal
40 Handshake failure fatal
41 No certificate warning/fatal SSL 3.0 only, reserved
42 Bad certificate warning/fatal
43 Unsupported certificate warning/fatal e.g. certificate has only Server authentication usage enabled and is presented as a client certificate
44 Certificate revoked warning/fatal
45 Certificate expired warning/fatal Check server certificate expire also check no certificate in the chain presented has expired
46 Certificate unknown warning/fatal
47 Illegal parameter fatal
48 Unknown CA (Certificate authority) fatal TLS only
49 Access denied fatal TLS only – e.g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one.
50 Decode error fatal TLS only
51 Decrypt error warning/fatal TLS only
60 Export restriction fatal TLS only, reserved
70 Protocol version fatal TLS only
71 Insufficient security fatal TLS only
80 Internal error fatal TLS only
86 Inappropriate Fallback fatal TLS only
90 User canceled fatal TLS only
100 No renegotiation warning TLS only
110 Unsupported extension warning TLS only
111 Certificate unobtainable warning TLS only
112 Unrecognized name warning/fatal TLS only; client's Server Name Indicator specified a hostname not supported by the server
113 Bad certificate status response fatal TLS only
114 Bad certificate hash value fatal TLS only
115 Unknown PSK identity (used in TLS-PSK and TLS-SRP) fatal TLS only
120 No Application Protocol fatal TLS only, client's ALPN did not contain any server-supported protocols

ChangeCipherSpec protocol

+ Byte +0 Byte +1 Byte +2 Byte +3
Byte
0
20  
Bytes
1..4
Version Length
(Major) (Minor) 0 1
Byte
5
CCS protocol type  
CCS protocol type
Currently only 1.

Application protocol

+ Byte +0 Byte +1 Byte +2 Byte +3
Byte
0
23  
Bytes
1..4
Version Length
(Major) (Minor) (bits 15..8) (bits 7..0)
Bytes
5..(m-1)
Application data
Bytes
m..(p-1)
MAC (optional)
Bytes
p..(q-1)
Padding (block ciphers only)
Length
Length of application data (excluding the protocol header and including the MAC and padding trailers)
MAC
20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.
Padding
Variable length; last byte contains the padding length.

Support for name-based virtual servers

From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the application protocol can start. In the name-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

There are two known workarounds provided by X.509:

To provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a Server Name Indication extension (SNI) in the extended ClientHello message. This extension hints the server immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to the clients.

Standards

Primary standards

The current approved version of TLS is version 1.2, which is specified in:

The current standard replaces these former versions, which are now considered obsolete:

As well as the never standardized SSL 2.0 and 3.0, which are considered obsolete:

Extensions

Other RFCs subsequently extended TLS.

Extensions to TLS 1.0 include:

Extensions to TLS 1.1 include:

Extensions to TLS 1.2 include:

Encapsulations of TLS include:

Informational RFCs

See also

References

  1. 1 2 3 4 5 6 T. Dierks; E. Rescorla (August 2008). "The Transport Layer Security (TLS) Protocol, Version 1.2".
  2. SSL: Intercepted today, decrypted tomorrow, Netcraft, 2013-06-25.
  3. 1 2 A. Freier; P. Karlton; P. Kocher (August 2011). "The Secure Sockets Layer (SSL) Protocol Version 3.0".
  4. "SSL/TLS in Detail". Microsoft TechNet. Updated July 31, 2003.
  5. Thomas Y. C. Woo, Raghuram Bindignavle, Shaowen Su and Simon S. Lam, SNP: An interface for secure network programming Proceedings USENIX Summer Technical Conference, June 1994
  6. "THE SSL PROTOCOL". Netscape Corporation. 2007. Archived from the original on 14 June 1997.
  7. Rescorla 2001
  8. Messmer, Ellen. "Father of SSL, Dr. Taher Elgamal, Finds Fast-Moving IT Projects in the Middle East". Network World. Retrieved 30 May 2014.
  9. Greene, Tim. "Father of SSL says despite attacks, the security linchpin has lots of life left". Network World. Retrieved 30 May 2014.
  10. "POODLE: SSLv3 vulnerability (CVE-2014-3566)". Retrieved 21 October 2014.
  11. 1 2 3 Polk, Tim; McKay, Terry; Chokhani, Santosh (April 2014). "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations" (PDF). National Institute of Standards and Technology. p. 67. Retrieved 2014-05-07.
  12. Dierks, T. & E. Rescorla (April 2006). "The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346".
  13. T. Dierks, E. Rescorla (August 2008). "Finished". sec. 7.4.9. RFC 5246. https://tools.ietf.org/html/rfc5246#section-7.4.9.
  14. draft-ietf-tls-tls13-16 - The Transport Layer Security (TLS) Protocol Version 1.3
  15. draft-ietf-tls-tls13-latest
  16. Rea, Scott (2013). "Alternatives to Certification Authorities for a Secure Web" (PDF). RSA Conference Asia Pacific. Retrieved 7 September 2016.
  17. Counting SSL certificates; netcraft; May 13, 2015.
  18. Law Enforcement Appliance Subverts SSL, Wired, 2010-04-03.
  19. New Research Suggests That Governments May Fake SSL Certificates, EFF, 2010-03-24.
  20. P. Eronen, Ed. "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)". Internet Engineering Task Force. Retrieved 9 September 2013.
  21. D. Taylor, Ed. "RFC 5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication". Internet Engineering Task Force. Retrieved December 21, 2014.
  22. Gothard, Peter. "Google updates SSL certificates to 2048-bit encryption". Computing. Incisive Media. Retrieved 9 September 2013.
  23. Sean Turner (September 17, 2015). "Consensus: remove DSA from TLS 1.3".
  24. RFC 5288, RFC 5289
  25. RFC 6655, RFC 7251
  26. RFC 6367
  27. RFC 5932, RFC 6367
  28. 1 2 RFC 6209
  29. RFC 4162
  30. "NIST Special Publication 800-57 Recommendation for Key Management Part 1: General (Revised)" (PDF). 2007-03-08. Archived from the original (PDF) on June 6, 2014. Retrieved 2014-07-03.
  31. 1 2 3 Qualys SSL Labs. "SSL/TLS Deployment Best Practices". Retrieved 2 June 2015.
  32. RFC 5469
  33. RFC 7905
  34. "Http vs https". Retrieved 2015-02-12.
  35. 1 2 3 4 As of October 3, 2016. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2016-10-03.
  36. 1 2 ivanr. "RC4 in TLS is Broken: Now What?". Qualsys Security Labs. Retrieved 2013-07-30.
  37. 1 2 3 Bodo Möller, Thai Duong & Krzysztof Kotowicz. "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Retrieved 2014-10-15.
  38. "What browsers support Extended Validation (EV) and display an EV indicator?". Symantec. Retrieved 2014-07-28.
  39. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 "SHA-256 Compatibility". Retrieved 2015-06-12.
  40. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 "ECC Compatibility". Retrieved 2015-06-13.
  41. 1 2 "Tracking the FREAK Attack". Retrieved 2015-03-08.
  42. 1 2 "FREAK: Factoring RSA Export Keys". Retrieved 2015-03-08.
  43. Google (2012-05-29). "Dev Channel Update". Retrieved 2011-06-01.
  44. Google (2012-08-21). "Stable Channel Update". Retrieved 2012-08-22.
  45. Chromium Project (2013-05-30). "Chromium TLS 1.2 Implementation".
  46. "The Chromium Project: BoringSSL". Retrieved 2015-09-05.
  47. 1 2 "Chrome Stable Release". Chrome Releases. Google. 2011-10-25. Retrieved 2015-02-01.
  48. "SVN revision log on Chrome 10.0.648.127 release". Retrieved 2014-06-19.
  49. 1 2 "ImperialViolet - CRIME". 2012-09-22. Retrieved 2014-10-18.
  50. 1 2 "SSL/TLS Overview". 2008-08-06. Retrieved 2013-03-29.
  51. 1 2 "Chromium Issue 90392". 2008-08-06. Retrieved 2013-06-28.
  52. 1 2 "Issue 23503030 Merge 219882". 2013-09-03. Retrieved 2013-09-19.
  53. 1 2 "Issue 278370: Unable to submit client certificates over TLS 1.2 from Windows". 2013-08-23. Retrieved 2013-10-03.
  54. Möller, Bodo (October 14, 2014). "This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security blog. Google (via Blogspot). Retrieved 2014-10-28.
  55. 1 2 3 "An update on SSLv3 in Chrome.". Security-dev. Google. 2014-10-31. Retrieved 2014-11-04.
  56. "Stable Channel Update". Mozilla Developer Network. Google. 2014-02-20. Retrieved 2014-11-14.
  57. "Changelog for Chrome 33.0.1750.117". Google. Google. Retrieved 2014-11-14.
  58. "Issue 318442: Update to NSS 3.15.3 and NSPR 4.10.2". Retrieved 2014-11-14.
  59. 1 2 3 4 5 "Issue 693963003: Add minimum TLS version control to about:flags and Finch gate it. - Code Review". Retrieved 2015-01-22.
  60. 1 2 3 "Issue 375342: Drop RC4 Support". Retrieved 2015-05-22.
  61. 1 2 "Issue 436391: Add info on end of life of SSLVersionFallbackMin & SSLVersionMin policy in documentation". Retrieved 2015-04-19.
  62. "Issue 490240: Increase minimum DH size to 1024 bits (tracking bug)". Retrieved 2015-05-29.
  63. 1 2 3 4 "Intent to deprecate: RC4". Retrieved 2015-12-21.
  64. 1 2 3 4 "An update on SHA-1 certificates in Chrome". 2015-12-18. Retrieved 2015-12-21.
  65. "SSLSocket | Android Developers". Retrieved 2015-03-11.
  66. 1 2 3 4 "What browsers work with Universal SSL". Retrieved 2015-06-15.
  67. 1 2 3 4 "SSLSocket | Android Developers". Retrieved 2015-12-17.
  68. 1 2 "Android 5.0 Behavior Changes | Android Developers". Retrieved 2015-03-11.
  69. 1 2 3 4 "Security in Firefox 2". 2008-08-06. Retrieved 2009-03-31.
  70. "Attack against TLS-protected communications". Mozilla Security Blog. Mozilla. 2011-09-27. Retrieved 2015-02-01.
  71. 1 2 "Introduction to SSL". MDN. Retrieved 2014-06-19.
  72. 1 2 "NSS 3.15.3 Release Notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-13.
  73. 1 2 "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Mozilla. Retrieved 2014-07-13.
  74. "Bug 565047 – (RFC4346) Implement TLS 1.1 (RFC 4346)". Retrieved 2013-10-29.
  75. "Bug 480514 – Implement support for TLS 1.2 (RFC 5246)". Retrieved 2013-10-29.
  76. "Bug 733647 – Implement TLS 1.1 (RFC 4346) in Gecko (Firefox, Thunderbird), on by default". Retrieved 2013-12-04.
  77. 1 2 "Firefox Notes – Desktop". 2014-02-04. Retrieved 2014-02-04.
  78. "Bug 861266 – Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default". Retrieved 2013-11-18.
  79. 1 2 3 "The POODLE Attack and the End of SSL 3.0". Mozilla blog. Mozilla. 2014-10-14. Retrieved 2014-10-28.
  80. "Firefox — Notes (34.0) — Mozilla". mozilla.org. 2014-12-01. Retrieved 2015-04-03.
  81. "Bug 1083058 - A pref to control TLS version fallback". bugzilla.mozilla.org. Retrieved 2014-11-06.
  82. "Bug 1036737 - Add support for draft-ietf-tls-downgrade-scsv to Gecko/Firefox". bugzilla.mozilla.org. Retrieved 2014-10-29.
  83. 1 2 3 "Bug 1166031 - Update to NSS 3.19.1". bugzilla.mozilla.org. Retrieved 2015-05-29.
  84. "Bug 1088915 - Stop offering RC4 in the first handshakes". bugzilla.mozilla.org. Retrieved 2014-11-04.
  85. "Firefox — Notes (39.0) — Mozilla". mozilla.org. 2015-06-30. Retrieved 2015-07-03.
  86. "Google, Microsoft, and Mozilla will drop RC4 encryption in Chrome, Edge, IE, and Firefox next year". VentureBeat. 2015-09-01. Retrieved 2015-09-05.
  87. "Intent to ship: RC4 disabled by default in Firefox 44". Retrieved 2015-10-18.
  88. "RC4 is now allowed only on whitelisted sites (Reverted)". Retrieved 2015-11-02.
  89. "Firefox — Notes (44.0) — Mozilla". mozilla.org. 2016-01-26. Retrieved 2016-03-09.
  90. "Bug 1250568 - Allow enabling TLS 1.3". Retrieved 2016-06-24.
  91. "Bug 1310516 - Enable TLS 1.3 by default". Retrieved 2016-09-11.
  92. Microsoft (2012-09-05). "Secure Channel". Retrieved 2012-10-18.
  93. Microsoft (2009-02-27). "MS-TLSP Appendix A". Retrieved 2009-03-19.
  94. 1 2 3 "What browsers only support SSLv2?". Retrieved 2014-06-19.
  95. 1 2 3 4 "SHA2 and Windows - Windows PKI blog - Site Home - TechNet Blogs". 2010-09-30. Retrieved 2014-07-29.
  96. "TLS Cipher Suites". Microsoft.
  97. http://support.microsoft.com/kb/948963
  98. 1 2 3 4 5 6 7 8 9 "Vulnerability in Schannel Could Allow Security Feature Bypass (3046049)". 2015-03-10. Retrieved 2015-03-11.
  99. 1 2 3 4 5 6 7 8 9 "Vulnerability in Schannel Could Allow Information Disclosure (3061518)". 2015-05-12. Retrieved 2015-05-22.
  100. 1 2 3 4 5 "HTTPS Security Improvements in Internet Explorer 7". Retrieved 2013-10-29.
  101. "Microsoft Support Lifecycle". Microsoft.
  102. 1 2 3 4 5 6 "Windows 7 adds support for TLSv1.1 and TLSv1.2 - IEInternals - Site Home - MSDN Blogs". Retrieved 2013-10-29.
  103. 1 2 3 Thomlinson, Matt (2014-11-11). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 2014-11-14.
  104. Microsoft security advisory: Update for disabling RC4
  105. 1 2 3 4 Microsoft (2013-09-24). "IE11 Changes". Retrieved 2013-11-01.
  106. "February 2015 security updates for Internet Explorer". 2015-02-11. Retrieved 2015-02-11.
  107. "Update turns on the setting to disable SSL 3.0 fallback for protected mode sites by default in Internet Explorer 11". Retrieved 2015-02-11.
  108. "Vulnerability in SSL 3.0 Could Allow Information Disclosure". 2015-04-14. Retrieved 2015-04-14.
  109. https://blogs.windows.com/msedgedev/2016/08/09/rc4-now-deprecated/
  110. Mary Jo Foley. "Some Windows 10 Enterprise users won't get Microsoft's Edge browser". ZDNet.
  111. "POODLE SSL vulnerability - secure your Windo… - Windows Phone 8 Development and Hacking". XDA Developers.
  112. 1 2 "What TLS version is used in Windows Phone 8 for secure HTTP connections?". Microsoft. Retrieved 2014-11-07.
  113. "Qualys SSL Labs - Projects / User Agent Capabilities: Unknown".
  114. 1 2 "Platform Security". Microsoft. 2014-06-25. Retrieved 2014-11-07.
  115. "Release Notes: Important Issues in Windows 8.1 Preview". Microsoft. 2013-06-24. Retrieved 2014-11-04.
  116. "W8.1(IE11) vs RC4 | Qualys Community". Retrieved 2014-11-04.
  117. "Opera 9.0 for Windows Changelog".
  118. "Opera 2 series". Retrieved 2014-09-20.
  119. "Opera 3 series". Retrieved 2014-09-20.
  120. "Opera 4 series". Retrieved 2014-09-20.
  121. 1 2 "Changelog for Opera 5.x for Windows". Retrieved 2014-06-19.
  122. "Changelog for Opera [8] Beta 2 for Windows". Retrieved 2014-06-19.
  123. "Web Specifications Supported in Opera 9". Retrieved 2014-06-19.
  124. 1 2 "Opera: Opera 10 beta for Windows changelog". Retrieved 2014-06-19.
  125. "About Opera 11.60 and new problems with some secure servers". 2011-12-11. Archived from the original on 2012-01-18.
  126. 1 2 3 "Security changes in Opera 25; the poodle attacks". 2014-10-15. Retrieved 2014-10-28.
  127. 1 2 3 4 "Unjam the logjam". 2015-06-09. Retrieved 2015-06-11.
  128. "Advisory: RC4 encryption protocol is vulnerable to certain brute force attacks". 2013-04-04. Retrieved 2014-11-14.
  129. "On the Precariousness of RC4". 2013-03-20. Archived from the original on 2013-11-12. Retrieved 2014-11-17.
  130. 1 2 3 4 5 "Opera 12 and Opera Mail security update". 2016-02-16. Retrieved 2016-02-17.
  131. "Dev.Opera — Opera 14 for Android Is Out!". 2013-05-21. Retrieved 2014-09-23.
  132. "Dev.Opera — Introducing Opera 15 for Computers, and a Fast Release Cycle". 2013-07-02. Retrieved 2014-09-23.
  133. 1 2 same as Chrome 26–29
  134. 1 2 same as Chrome 30 and later
  135. 1 2 same as Chrome 33 and later
  136. http://www.opera.com/blogs/desktop/2016/08/security-update-windows-xp-vista-users/
  137. "Apple Secures Mac OS X with Mavericks Release - eSecurity Planet". 2013-10-25. Retrieved 2014-06-23.
  138. Ristic, Ivan. "Is BEAST Still a Threat?". qualys.com.
  139. 1 2 Ivan Ristić (2013-10-31). "Apple enabled BEAST mitigations in OS X 10.9 Mavericks". Retrieved 2013-11-07.
  140. Ivan Ristić (2014-02-26). "Apple finally releases patch for BEAST". Retrieved 2014-07-01.
  141. "About Security Update 2014-005".
  142. "About the security content of iOS 8.1".
  143. 1 2 3 "About Security Update 2015-002". Retrieved 2015-03-09.
  144. 1 2 "About the security content of OS X Mavericks v10.9". Retrieved 2014-06-20.
  145. "User Agent Capabilities: Safari 8 / OS X 10.10". Qualsys SSL Labs. Retrieved 2015-03-07.
  146. "About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Retrieved 2015-07-03.
  147. 1 2 3 Apple (2011-10-14). "Technical Note TN2287 – iOS 5 and TLS 1.2 Interoperability Issues". Retrieved 2012-12-10.
  148. Liebowitz, Matt (2011-10-13). "Apple issues huge software security patches". NBCNews.com. Retrieved 2012-12-10.
  149. MWR Info Security (2012-04-16). "Adventures with iOS UIWebviews". Retrieved 2012-12-10., section "HTTPS (SSL/TLS)"
  150. "Secure Transport Reference". Retrieved 2014-06-23. kSSLProtocol2 is deprecated in iOS
  151. "iPhone 3.0: Mobile Safari Gets Enhanced Security Certificate Visualization | The iPhone Blog". 2009-03-31. Archived from the original on 2009-04-03.
  152. "Qualys SSL Labs - Projects / User Agent Capabilities: Safari 7 / iOS 7.1".
  153. schurtertom (October 11, 2013). "SOAP Request fails randomly on one Server but works on an other on iOS7". Retrieved January 5, 2014.
  154. "User Agent Capabilities: Safari 8 / iOS 8.1.2". Qualsys SSL Labs. Retrieved 2015-03-07.
  155. "About the security content of iOS 8.2". Retrieved 2015-03-09.
  156. "About the security content of iOS 8.4". Retrieved 2015-07-03.
  157. Oracle. "Java Cryptography Architecture Oracle Providers Documentation". Retrieved 2012-08-16.
  158. Oracle. "JDK 8 Security Enhancements". Retrieved 2015-02-25.
  159. "Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Retrieved 2015-01-16.
  160. "[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
  161. "Java™ SE Development Kit 8, Update 31 Release Notes". Retrieved 2015-01-22.
  162. "OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
  163. "LibreSSL 2.3.0 Released". 2015-09-23. Retrieved 2015-09-24.
  164. "MatrixSSL - News". Retrieved 2014-11-09.
  165. "mbed TLS 2.0.0 released". 2015-07-10. Retrieved 2015-07-14.
  166. "NSS 3.19 release notes". Mozilla Developer Network. Mozilla. Retrieved 2015-05-06.
  167. "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
  168. "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
  169. "OpenSSL 1.1.0 Series Release Notes". Retrieved 2016-10-02.
  170. 1 2 "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Archived from the original on January 20, 2015. Retrieved 2015-01-20.
  171. "RSA BSAFE Technical Specification Comparison Tables" (PDF).
  172. TLS cipher suites in Microsoft Windows XP and 2003
  173. SChannel Cipher Suites in Microsoft Windows Vista
  174. 1 2 3 TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
  175. "[wolfssl] wolfSSL 3.6.6 Released". 2015-08-20. Retrieved 2015-08-25.
  176. "NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Retrieved 2016-06-19.
  177. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  178. Qualys SSL Labs - Projects / User Agent Capabilities
  179. Georgiev, Martin and Iyengar, Subodh and Jana, Suman and Anubhai, Rishita and Boneh, Dan and Shmatikov, Vitaly (2012). The most dangerous code in the world: validating SSL certificates in non-browser software. Proceedings of the 2012 ACM conference on Computer and communications security (PDF). pp. 38–49. ISBN 978-1-4503-1651-4.
  180. Joris Claessens; Valentin Dem; Danny De Cock; Bart Preneel; Joos Vandewalle (2002). "On the Security of Today's Online Electronic Banking Systems". Computers & Security. 21 (3): 253–265. doi:10.1016/S0167-4048(02)00312-7.
  181. Lawrence, Eric (2005-10-22). "IEBlog: Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2". MSDN Blogs. Retrieved 2007-11-25.
  182. "Bugzilla@Mozilla — Bug 236933 – Disable SSL2 and other weak ciphers". Mozilla Corporation. Retrieved 2007-11-25.
  183. "Opera 9.5 for Windows Changelog" at Opera.com: "Disabled SSL v2 and weak ciphers."
  184. "Firefox still sends SSLv2 handshake even though the protocol is disabled". 2008-09-11.
  185. "Opera 10 for Windows changelog" at Opera.com: "Removed support for SSL v2 and weak ciphers"
  186. Pettersen, Yngve (2007-04-30). "10 years of SSL in Opera — Implementer's notes". Opera Software. Archived from the original on October 12, 2007. Retrieved 2007-11-25.
  187. National Institute of Standards and Technology (December 2010). "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program" (PDF). Archived from the original (PDF) on November 6, 2010.
  188. "RFC 7457 : Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)".
  189. "CVE - CVE-2009-3555".
  190. Eric Rescorla (2009-11-05). "Understanding the TLS Renegotiation Attack". Educated Guesswork. Retrieved 2009-11-27.
  191. "SSL_CTX_set_options SECURE_RENEGOTIATION". OpenSSL Docs. 2010-02-25. Retrieved 2010-11-18.
  192. "GnuTLS 2.10.0 released". GnuTLS release notes. 2010-06-25. Retrieved 2011-07-24.
  193. "NSS 3.12.6 release notes". NSS release notes. 2010-03-03. Archived from the original on March 6, 2012. Retrieved 2011-07-24.
  194. A. Langley; N. Modadugu; B. Moeller (2 June 2010). "Transport Layer Security (TLS) False Start". Internet Engineering Task Force. IETF. Retrieved 31 July 2013.
  195. Wolfgang, Gruener. "False Start: Google Proposes Faster Web, Chrome Supports It Already". Archived from the original on October 7, 2010. Retrieved 9 March 2011.
  196. Brian, Smith. "Limited rollback attacks in False Start and Snap Start". Retrieved 9 March 2011.
  197. Adrian, Dimcev. "False Start". Random SSL/TLS 101. Retrieved 9 March 2011.
  198. Mavrogiannopoulos, Nikos and Vercautern, Frederik and Velichkov, Vesselin and Preneel, Bart (2012). A cross-protocol attack on the TLS protocol. Proceedings of the 2012 ACM conference on Computer and communications security (PDF). pp. 62–72. ISBN 978-1-4503-1651-4.
  199. Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
  200. 1 2 "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
  201. Thai Duong & Juliano Rizzo (2011-05-13). "Here Come The ⊕ Ninjas".
  202. Dan Goodin (2011-09-19). "Hackers break SSL encryption used by millions of sites".
  203. "Y Combinator comments on the issue". 2011-09-20.
  204. "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures". 2004-05-20. Archived from the original on 2012-06-30.
  205. Ristic, Ivan (Sep 10, 2013). "Is BEAST Still a Threat?". Retrieved 8 October 2014.
  206. "Attack against TLS-protected communications". Mozilla Security Blog. Mozilla. 2011-09-27. Retrieved 2015-02-01.
  207. Brian Smith (2011-09-30). "(CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets −76)".
  208. "Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)". 2012-01-10.
  209. Ristic, Ivan (Oct 31, 2013). "Apple Enabled BEAST Mitigations in OS X 10.9 Mavericks". Retrieved 8 October 2014.
  210. Dan Goodin (2012-09-13). "Crack in Internet's foundation of trust allows HTTPS session hijacking". Ars Technica. Retrieved 2013-07-31.
  211. Dennis Fisher (September 13, 2012). "CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions". ThreatPost. Archived from the original on September 15, 2012. Retrieved 2012-09-13.
  212. 1 2 Goodin, Dan (1 August 2013). "Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages". Ars Technica. Condé Nast. Retrieved 2 August 2013.
  213. Leyden, John (2 August 2013). "Step into the BREACH: New attack developed to read encrypted web data". The Register. Retrieved 2 August 2013.
  214. P. Gutmann (September 2014). "Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)".
  215. Hagai Bar-El. "Poodle flaw and IoT". Retrieved 15 October 2014.
  216. Langley, Adam (December 8, 2014). "The POODLE bites again". Retrieved 2014-12-08.
  217. security – Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune – Server Fault
  218. Pouyan Sepehrdad; Serge Vaudenay; Martin Vuagnoux (2011). "Discovery and Exploitation of New Biases in RC4". Lecture Notes in Computer Science. 6544: 74–91. doi:10.1007/978-3-642-19574-7_5.
  219. Green, Matthew. "Attack of the week: RC4 is kind of broken in TLS". Cryptography Engineering. Retrieved March 12, 2013.
  220. Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt. "On the Security of RC4 in TLS". Royal Holloway University of London. Retrieved March 13, 2013.
  221. AlFardan, Nadhem J.; Bernstein, Daniel J.; Paterson, Kenneth G.; Poettering, Bertram; Schuldt, Jacob C. N. (8 July 2013). "On the Security of RC4 in TLS and WPA" (PDF). Retrieved 2 September 2013.
  222. AlFardan, Nadhem J.; Bernstein, Daniel J.; Paterson, Kenneth G.; Poettering, Bertram; Schuldt, Jacob C. N. (15 August 2013). On the Security of RC4 in TLS (PDF). 22nd USENIX Security Symposium. p. 51. Retrieved 2 September 2013. Plaintext recovery attacks against RC4 in TLS are feasible although not truly practical
  223. Goodin, Dan. "Once-theoretical crypto attack against HTTPS now verges on practicality". Ars Technical. Conde Nast. Retrieved 16 July 2015.
  224. "Mozilla Security Server Side TLS Recommended Configurations". Mozilla. Retrieved 2015-01-03.
  225. "Security Advisory 2868725: Recommendation to disable RC4". Microsoft. 2013-11-12. Retrieved 2013-12-04.
  226. "Ending support for the RC4 cipher in Microsoft Edge and Internet Explorer 11". Microsoft Edge Team. September 1, 2015.
  227. Langley, Adam (Sep 1, 2015). "Intent to deprecate: RC4".
  228. Barnes, Richard (Sep 1, 2015). "Intent to ship: RC4 disabled by default in Firefox 44".
  229. 1 2 John Leyden (1 August 2013). "Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack". The Register. Retrieved 1 August 2013.
  230. "BlackHat USA Briefings". Black Hat 2013. Retrieved 1 August 2013.
  231. Smyth, Ben; Pironti, Alfredo (2013). "Truncating TLS Connections to Violate Beliefs in Web Applications". 7th USENIX Workshop on Offensive Technologies. Retrieved 15 February 2016.
  232. "SMACK: State Machine AttaCKs".
  233. Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica.
  234. Goodin, Dan. "New attack bypasses HTTPS protection on Macs, Windows, and Linux". Ars Technica. Condé Nast. Retrieved 28 July 2016.
  235. Goodin, Dan (August 24, 2016). "HTTPS and OpenVPN face new attack that can decrypt secret cookies". Ars Technica. Retrieved August 24, 2016.
  236. "Why is it called the 'Heartbleed Bug'?".
  237. "Heartbleed Bug vulnerability [9 April 2014]".
  238. Daniel Bleichenbacher (August 2006). "Bleichenbacher's RSA signature forgery based on implementation error". Archived from the original on December 16, 2014.
  239. Intel Security: Advanced Threat Research (September 2014). "BERserk".
  240. Lenovo PCs ship with Man-In-The-Middle adware that breaks HTTPS connections, Dan Goodin, Arstechnica, February 19, 2015
  241. Komodia Superfish SSL validation is broken
  242. 1 2 Goodin, Dan. ""Forbidden attack" makes dozens of HTTPS Visa sites vulnerable to tampering". Ars Technica. Condé Nast. Retrieved 26 May 2016.
  243. Diffie, Whitfield; van Oorschot, Paul C; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges". Designs, Codes and Cryptography. 2 (2): 107–125. doi:10.1007/BF00124891. Retrieved 2008-02-11.
  244. Discussion on the TLS mailing list in October 2007
  245. "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
  246. Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05.
  247. "SSL Labs: Deploying Forward Secrecy". Qualys.com. 25 June 2013. Retrieved 10 July 2013.
  248. Ristic, Ivan (5 August 2013). "SSL Labs: Deploying Forward Secrecy". Qualsys. Retrieved 31 August 2013.
  249. 1 2 Langley, Adam (27 June 2013). "How to botch TLS forward secrecy". imperialviolet.org.
  250. 1 2 Daignière, Florent. "TLS "Secrets": Whitepaper presenting the security implications of the deployment of session tickets (RFC 5077) as implemented in OpenSSL" (PDF). Matta Consulting Limited. Retrieved 7 August 2013.
  251. 1 2 Daignière, Florent. "TLS "Secrets": What everyone forgot to tell you..." (PDF). Matta Consulting Limited. Retrieved 7 August 2013.
  252. L.S. Huang; S. Adhikarla; D. Boneh; C. Jackson (2014). "An Experimental Study of TLS Forward Secrecy Deployments". IEEE Internet Computing. IEEE. 18 (6): 43–51. Retrieved 16 October 2015.
  253. "Protecting data for the long term with forward secrecy". Retrieved 2014-03-07.
  254. Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Twitter. Retrieved 2014-03-07.
  255. "Certificate Pinning".
  256. "Public key pinning released in Firefox"
  257. Perspectives Project
  258. DNSChain
  259. 1 2 These certificates are currently X.509, but RFC 6091 also specifies the use of OpenPGP-based certificates.
  260. Chris (2009-02-18). "vsftpd-2.1.0 released – Using TLS session resume for FTPS data connection authentication". Scarybeastsecurity. blogspot.com. Retrieved 2012-05-17.
  261. Wildcard SSL Certificate overview, retrieved 2015-07-02
  262. Named-based SSL virtual hosts: how to tackle the problem (PDF), retrieved 2012-05-17

Further reading

External links

Wikimedia Commons has media related to SSL and TLS.

Specifications (see Standards section for older SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 links)

TLS Version Intolerance
Other

This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.

This article is issued from Wikipedia - version of the 12/5/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.