So, if you’re anything like me, you’ve been around the web and noticed that basically everyone who has a website also has Secure Sockets Layer (SSL) or Transport Layer Security (TLS) enabled for that site. Let’s start by talking a bit about what SSL is, and why much of the internet made the switch to TLS.
SSL is a method which allows for a connection between a client and a server to be secured via the use of public and private keypair encryption. Sound complicated? That’s because it kinda is. It all starts with an SSL handshake; the client tells the server which encryption protocols that it supports, the server replies with its public SSL certificate, the client validates that certificate, and both parties agree on a symmetric encryption key to be used for further communications. After that handshake, any further communications are shielded from prying eyes using industry standard cryptographic algorithms. To understand the security of these algorithms, it helps to understand just how difficult it is to decypher them through sheer brute force. This article, from 2014, says that cracking a 256 bit SSL encryption scheme would be entirely infeasible and improbable. This article, from DigiCert (a trusted and reputable data source in the SSL world), states that cracking a 2048 bit SSL cypher would take something in the order of 6.4 quadrillion years. That’s pretty damn secure, if you ask me.
So, if SSL is so great at security, then why is the industry standard shifting away from SSL to various versions of TLS? Well, it starts with the fact that the newest SSL protocol, SSLv3, is 20 years old and was officially marked as depreciated by the IETF in 2015. Other than that, though, most everything under the hood is similar between the two protocols, except the handshake. The newest version of TLS, version 1.3, improves upon SSL’s connection handshake in a number of ways, but the most important revolve around connection times. TLS version 1.3 is twice as fast on the first page load to a site as TLS version 1.2, requiring only a single round trip instead of two such round trips. On subsequent visits to the same domain, TLS version 1.3 eliminates the need for a round trip at all for sites that support that feature, allowing for even faster page loads.
If you’re a server admin reading this, please disable support for SSLv2, SSLv3, and TLSv1.0 on any servers you control. Supporting legacy browsers, protocols, and clients only broadens your attack surface and makes development substantially more difficult moving forward.
One last thing to note; this is the third week’s entry in a series of blog posts I’ll be doing, so stay tuned for more if you’re enjoying this content!
Stay safe out there!