Vector
Vector

Choose your topics

Blogs
What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Third-Party Risk Management
Blogs
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Cyber Security

Demystifying SSL/TLS I SureCloud

Demystifying SSL/TLS I SureCloud
Written by

Soni

Published on

12 Dec 2016

Demystifying SSL/TLS I SureCloud

 
 

The SSL/TLS family of protocols have been protecting internet communications since 1995, but there are still misunderstandings around what SSL/TLS is, not the least part because of the confusing terminology used. This post will not be an in-depth discussion of the specifics of SSL/TLS but rather a helping hand in decoding the jargon.

Circles Connected | Compliance Management | Risk Management

SSL/TLS

The name SSL/TLS is used for the family of protocols, however, it is also common to see both SSL and TLS names used on their own to describe the full family. From here on in the post we will use SSL/TLS for the family and will specify versions, for examples TLS 1.2, when talking about specific protocols from the family.
The following protocols currently form the SSL/TLS family:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
  • TLS 1.3 (draft)

Which version of SSL/TLS should we be using?

There are known vulnerabilities in all versions of SSL/TLS before TLS 1.2; SureCloud recommends only supporting TLS 1.2 and above; however there may be business reasons why support for earlier versions of TLS are required. A full discussion on cipher suite selection is beyond the scope of this post, however we will discuss some of the key points later.

What makes up SSL/TLS?

In this post we will discuss the various parts that make up SSL/TLS protocols, as well as few terms that are often discussed alongside SSL/TLS.

  • HTTPS and its relation to SSL/TLS
  • Ciphers and Cipher Suites
  • Key Exchange Mechanisms
  • Message Authentication Codes (MAC)
  • Certificates

HTTPS

HTTPS is an extension to HTTP that uses SSL/TLS to protect web traffic. A URL like https://example.org will instruct a browser to connect to a webserver using HTTPS on the standard TCP port (443).

Requests and responses are still made using the HTTP protocol; they are just wrapped inside the SSL/TLS protocol which provides the encryption, integrity and attribution layers.

Ciphers and Cipher Suites

A cipher is an algorithm that takes a plain text message, in the case of HTTPS your unencrypted HTTP data, and scrambles it up to prevent a third party from being able to read it. Ciphers uses keys/shared secrets to decrypt and encrypt data, it is important that that only trusted parties know these secrets; the method used to decide on this shared secret is called key exchange is discussed further below.

There are a number of ciphers available to use in the various versions of SSL/TLS, to increase the number of clients who are able to connect it is common to support a number of different ciphers; however selecting the right ciphers very important, weaknesses have been found in some ciphers that were once considered secure, and some ciphers have become more vulnerable as computing power has increased. Different versions of SSL/TLS support different ciphers, and some clients may only support a subset of the ciphers supported by a specific version of SSL/TLS.

Choice of ciphers is beyond the scope of this post, however one important factor to consider with ciphers is if they support perfect forward security. TLS 1.3 the upcoming new version of TLS will only support algorithms have perfect forward security.

Cipher suites are a combination of ciphers, key exchange methods and MACs that are typically displayed together in the following format “DHE-RSA-AES256-GCM-SHA384.”

Key Exchange

They key exchange algorithm is the method that SSL/TLS uses to decide on the key to use in the cipher. As with ciphers there are multiple key exchange algorithms that can be used, and different ciphers and different versions of SSL/TLS support different key exchange algorithms.

Message Authentication Code (MAC)

Message authentication codes are generated by algorithms and are used to ensure that the data has not been modified in flight. MACs are similar to error detection codes, however are based on cryptography and are designed to not be forgeable.

Alt Tag: Smalls Squares | Risk Management | GRC Software

Cipher Suite

A cipher suite is SSL/TLS terminology for a set of cipher, key exchange algorithm, MAC code, and a pseudo random number function used to set up the secure communication.  These are the strings that you often see when people are talking about SSL/TLS such as “TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.” A SSL server can have one or more cipher suites enabled and the SSL client and server will negotiate which suite to use when the connection is started, it is by this processes that clients that support older versions of SSL/TLS are still able to communicate new servers.

Certificates

Certification is the process used to prove the identity of an actor in an SSL/TLS communication. Certificates can be used to prove the identify of both parties, however in HTTPS (one of the most common users of SSL/TLS) only the server is usually identified via a certificate.

Certification works via a tree of trust, a small number of parties own certificates that have been pre-trusted with browsers and operating systems. These parties form the root of the trust tree, and can sign certificates of other trusted parties, and these parties may be able to sign further certificates. By following the chain of trust back up to the pre-trusted root certificates it is possible to check the validity of any of any certificate.

There are number of types of certificate issues to websites; that vary in the amount of checks the issuer performs and thus the amount of trust they bestow, and what they can be used for.

One type of certificate you may have heard of is an Extended Validity (EV) certificate; these certificates require more checks, but provide one of the highest levels of trust. Sites using these certificates will receive the green bar in browsers which users are taught to look for.

 

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk. SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.