Transport Layer Security (TLS)
From Whonix
TLS
Introduction
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communications over a computer network. TLS replaced its deprecated predecessor, Secure Sockets Layer (SSL), and is intended to enforce privacy and data integrity between two or more communicating computer applications. [1] TLS is utilized for a host of online activities, such as web browsing, email, instant messaging and VoIP applications. It ensures the client (like a web browser) is securely communicating with a server (such as whonix.org), meaning the connection is private, authenticated and reliable. For a detailed overview of the TLS design, refer to the Wikipedia entry on TLS.
TLS Attacks
A significant number of attacks have been demonstrated against the SSL/TLS protocol in the recent past, including: [2]
- BEAST attack: violation of same origin policy constraints.
- ChangeCipherSpec injection attack: a specially crafted handshake forces the use of weak keying material, allowing decryption and modification of traffic in transit.
- Cross protocol attacks: servers are attacked by exploiting their support of obsolete, insecure SSL protocols to leverage attacks on connections using up-to-date protocols.
- Heartbleed: anyone can read the memory of protected systems, allowing private keys to be stolen from servers.
- POODLE attack: padding attacks which reveal the contents of encrypted messages.
- Protocol downgrade: web servers are tricked into negotiating connections with earlier, insecure versions of TLS.
- RC4 attack: recovery of plaintext from connections relying on the RC4 cipher suite.
- Renegotiation attack: plaintext injection attacks via the hijacking of the HTTPS connection.
- TLS Compression (CRIME attack): hijacking of web sessions via recovery of secret authentication cookies.
- Truncation attack: victim logout requests are blocked so the user remains logged into a web service.
- Unholy PAC attack: URLs are exposed when a user attempts to reach a TLS-enabled web link.
In addition, little trust should be placed in the public TLS certificate authority (CA) system, since it relies on a third party correctly establishing the authenticity of certificates. If a CA is subverted, the security of the entire system is lost, and potentially all entities relying on the trust of the compromised CA are affected. [3]
The Snowden leaks confirmed that CAs were a weak point targeted by the intelligence community (IC), allowing for man-in-the-middle attacks if the CAs were either compromised or cooperative. Examples of CA security breaches include DigiNotar, Comodo and Turktrust.
Whonix ™ Technical Design
TLS certificates, especially for https://check.torproject.org (check.tpo), are not yet pinned in Whonix ™; this is a future goal that requires further discussion. How pinning could be technically achieved is documented under Dev/SSL Certificate Pinning. At present this is a low priority for Whonix ™, since:
- Not even the Tor Browser Bundle pins the check.tpo TLS certificate (which is a much bigger issue). [4]
- It is only used when systemcheck is run with the command line parameter --leak-tests, which does not happen by default.
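An added example, not Whonix ™ code and not taken from Dev/SSL Certificate Pinning, showing how a pin check rejects a certificate that CA validation alone would accept. The function names are hypothetical, the pin is assumed to be the SHA-256 fingerprint of the DER-encoded certificate, and the sample bytes are constructed stand-ins for certificates.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """The server certificate passed CA validation but is not a pinned one."""


def fingerprint(der_cert):
    """Lowercase hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin):
    """Accept 'AB:CD:...' (openssl style) or plain hex, in any case."""
    return pin.replace(":", "").strip().lower()


def matches_pin(der_cert, pins):
    """True if the certificate equals any pin; extra pins allow planned rotation."""
    return fingerprint(der_cert) in {normalize_pin(p) for p in pins}


def open_pinned(host, pins, port=443, timeout=30):
    """Connect with normal CA and hostname validation, then enforce the pin."""
    ctx = ssl.create_default_context()  # CA validation stays on; the pin is an extra check
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not matches_pin(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise PinMismatch("certificate for %s is not pinned" % host)
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; no network access is needed.
    expected = b"constructed certificate issued by the expected CA"
    rogue = b"constructed certificate issued by a subverted CA"
    pins = [fingerprint(expected)]
    print("expected cert accepted:", matches_pin(expected, pins))
    print("rogue cert accepted:", matches_pin(rogue, pins))
```

A pin on the whole certificate changes whenever the certificate is renewed, so the pin list has to be updated ahead of each renewal.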
Footnotes
- [1] https://en.wikipedia.org/wiki/Transport_Layer_Security
- [2] https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL
- [3] https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
- [4] Whonix ™ developer Patrick Schleizer does not agree with the "low priority" assigned to this issue in TBB. See TBB: hardcode SSL cert check to prevent MITM for further information.