WJ has talked about this before in the context of IIS but it's always good to revise basic security concepts pertinent to the Windows world. These concepts are becoming increasingly important as programmers are expected to become more cyber-conscious.
SSL is the (now largely legacy) Secure Sockets Layer, created in the mid-1990s (the first public version was released in 1995) and designed for cryptographically secure data transport (now known not to be so secure). It is technically prohibited by the IETF. The first version was pioneered by Netscape.
TLS is the successor to SSL.
TLS is recommended over SSL because of the POODLE attack (impacting SSLv3), discovered by Google researchers and publicised in October 2014, when SSLv3 was already nearly 18 years old. The attack allows the padding data at the end of the block cipher to be exploited to iteratively degrade security. It also exploits the tendency of browsers to fall back on earlier protocols when connections fail.
The follow-on recommendation was to advise against use of SSLv3.
POODLE is an acronym for "Padding Oracle on Downgraded Legacy Encryption", and the attack is a man-in-the-middle exploit.
Padding oracle attacks are associated with block ciphers, which encrypt information in blocks and may incorporate "padding bits". The attack relies on the presence of a "padding oracle" that reveals whether a cryptographic message is correctly padded or not.
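As an added illustration (not code from the original post), the sketch below contrasts an SSL 3.0-style padding check, which inspects only the final length byte, with a TLS-style check that requires every padding byte to match that length. The 8-byte block size, the sample record and all function names are assumptions made for the demo.

```python
BLOCK = 8  # cipher block size in bytes (assumed for this demo)


def pad(data: bytes) -> bytes:
    """Deterministic padding: n bytes of value n, then the length byte n."""
    n = BLOCK - 1 - (len(data) % BLOCK)
    return data + bytes([n]) * (n + 1)


def sslv3_padding_ok(record: bytes) -> bool:
    """SSL 3.0-style check: only the final length byte is inspected."""
    n = record[-1]
    return n < BLOCK and n + 1 <= len(record)


def tls_padding_ok(record: bytes) -> bool:
    """TLS-style check: every padding byte must equal the length byte."""
    n = record[-1]
    return n + 1 <= len(record) and record[-(n + 1):] == bytes([n]) * (n + 1)


def tamper_padding(record: bytes) -> bytes:
    """Flip the padding bytes only; data and the length byte stay intact."""
    n = record[-1]
    body, padding = record[:-(n + 1)], record[-(n + 1):-1]
    return body + bytes(b ^ 0xFF for b in padding) + bytes([n])


def audit(check) -> dict:
    """Report whether a padding check accepts valid and altered padding."""
    record = pad(b"sample record")  # constructed plaintext, 13 bytes
    return {
        "accepts_valid": check(record),
        "accepts_tampered": check(tamper_padding(record)),
    }


if __name__ == "__main__":
    print("SSLv3-style:", audit(sslv3_padding_ok))
    print("TLS-style:  ", audit(tls_padding_ok))
```

The SSLv3-style check accepts a record whose padding bytes were altered in transit, while the TLS-style check rejects it; that unchecked padding is the weakness POODLE relies on and the reason the recommendation is to disable SSLv3 rather than patch around it.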
Some random facts on TLS, what it stands for etc.
TLS (Version 1.0) was first defined in January 1999. Tim Dierks is one of the original authors.