" ssl Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘ssl’

What is your browser telling you about SSL/TLS?

Monday, August 7th, 2017

Interpreting a browser’s visual clues about security

The continuous drumbeat of news about pervasive surveillance, security breaches, identity theft, malware, phishing and so forth has had at least one salutary effect on our interactions on the web. The general public is increasingly aware of the need for safe browsing habits, such as not clicking on unknown links in webmail, hovering your cursor over hyperlinks to see if you recognize the URL revealed, and, above all, to “Look for the Lock”.

Such mnemonics and visual aids are important ways to communicate security features to end users, allowing them to take informed decisions on what level of trust they should expect during a particular instance of communications on the web. This post will concentrate on these visual indicators, in particular how browsers represent the identity of the server/site with which an end user would like to interact. The SSL/TLS certificate that the server presents to the browser at the start of the communications is the information source which the browser uses to create the appropriate visual representation that guides the user. Readers would do well to brush up their knowledge on the different types of certificates that are available by reading our previous posts on the subject, as what follows will assume that the reader is aware (at least at a high level) of their basic properties and differences.

Most people are now aware of the need to look for the https://….. in the browser address bar as well as the lock symbol accompanying it. This is the part of the screen that is controlled purely by the browser, which populates it with the site URL and other security information gathered from the SSL/TLS certificate used to secure the connection.

For instance, look at the images below of the luxsci.com website as shown in the address bar of Google’s Chrome, Microsoft’s Internet Explorer (IE), Mozilla’s Firefox and Microsoft’s Edge browsers.


Internet Explorer

Mozilla Firefox

Microsoft Edge

(The screen shots were taken using Chrome version 59.0.3071.115, IE version 11.0.9600, Firefox 10.0.2 and Edge 38.14393.1066.)

Read the rest of this post »

What’s the latest with HTTPS and SSL/TLS Certificates?

Wednesday, August 2nd, 2017

We’ve written quite a lot in past FYI Blog posts about SSL/TLS certificates, the critical building block to secure communication on the Internet. We described what such certificates were, their use in securing the communications channel between a client (browser) and a server, different types of certificates and the pros and cons of using each.

Given the changes in the Internet landscape over the past five years, we feel it is time to revisit these topics. The technical details described in the earlier posts remain unchanged. What has changed, though, are the traffic patterns for HTTPS-based communications, additional vulnerabilities arising as a consequence and ways to mitigate these. This post will provide a general overview of certain changes in the Internet landscape over the past few years, while subsequent blog posts will describe some of the topics identified here in greater detail.SSL TLS Certificates

Read the rest of this post »

What is really protected by SSL and TLS?

Saturday, April 8th, 2017

This question came in via Ask Erik:

Hi Erik,

I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail which I understand to be an HTTP session.  I am just an ordinary user with no special security needs but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons.  In any case my questions is quite simple.

My e-mail client, apple mail, and my e-mail service provider both support SSL so my e-mail exchanges between my computer and the server are encrypted.  I understand that I can’t control what happens with other e-mail servers.  What I am trying to understand is what does it mean to be encrypted?  When an e-mail leaves my computer how much of the message is encrypted?   Are the e-mail headers encrypted including the sender and recipient e-mail addresses.  I would assume so but nobody talks about the details.  What metadata trail does a user leave when using SSL/TLS.  Is it is as simple as the destination and sending IP address with everything else encrypted?  Reading Data and Goliath right now by Bruce Schneider which talks about a lot of this stuff but again doesn’t give quite enough detail.  At the end of the day I am trying to understand how much protection SSL really provides.

SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL andTLS) work?  However, looking at how the protocol works can leave answers to some of these fundamental questions a little unclear.  Lets address them one by one.

SSL and TLS Security

Read the rest of this post »

The US Online Privacy Law Repeal: How It Will Affect You

Wednesday, April 5th, 2017

As with any politicized issue, there is a lot of misinformation surrounding the repeal of the data privacy framework. Regardless of whether you are a Republican or a Democrat, your online security and privacy rights are going to be affected, so let’s just get the story straight.

This whole issue began back in February 2015, when the Federal Communication Commission (FCC) set up an Open Internet Order. This established net neutrality rules and also reclassified ISPs as carriers under Title II of the Communications Act. This meant that ISPs would be subjected to a new set of regulations.

Read the rest of this post »

Google to Strip Trust from Symantec SSL Certificates

Tuesday, March 28th, 2017

Last Thursday, a Google developer announced that Chrome will be reducing its levels of trust in Symantec issued SSL certificates, as well as those issued by its subsidiaries. This comes after a two year skirmish between the two companies, with Google asserting that Symantec has continually failed to follow appropriate verification practices.

Under Google’s proposal, the Extended Validation status from Symantec issued certificates will be removed, the validity period of newly issued Symantec certificates will be gradually reduced to a maximum of nine months, and current Symantec certificates will be incrementally distrusted with each Google Chrome release up to 64. These measures aim to balance out compatibility problems alongside the security risks.

Symantec SSL Certificate

Read the rest of this post »

SSL versus TLS – What’s the difference?

Tuesday, July 19th, 2016

SSL versus TLS

SSL TLSTLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a practical difference between the two?

See also our Infographic which summarizes these differences.

Read the rest of this post »

Infographic – SSL vs TLS: What is the Difference?

Friday, October 9th, 2015

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are foundations of security on the Internet.  However, between colloquial usage and the relationship between these security protocols, there is a lot of confusion regarding how they are related, how they are different, and what to use in what situation.

For a detailed analysis of these differences and similarities, see: TLS versus SSL: What is the Difference?

The following infographic simplifies and summarizes the comparison.

Read the rest of this post »

Enable HSTS (HTTP Strict Transport Security) at LuxSci

Monday, April 27th, 2015

HSTS (HTTP Strict Transport Security) protects your secure web site against “security downgrade attacks”.  E.g. it stops people from accessing insecure versions of your site or pages when secure versions are available.  This, in turn, helps prevent man-in-the-middle and other types of attacks on people using your web site.  HSTS is a very simple and very powerful tool that you can use to lock down the web site security provided by your SSL certificate.

LuxSci web hosting customers with SSL can now enable HSTS for their sites by simply checking the HSTS box in their web site configuration area. 

What are the benefits of HTTP Strict Transport Security?

They are many. HSTS can

Read the rest of this post »

The Case For Email Security

Tuesday, March 31st, 2015

Section 1: Introduction to Email Security

You may already know that email is insecure; however, it may surprise you to learn just how insecure it really is. For example, did you know that messages which you thought were deleted years ago may be sitting on servers half-way around the world? Or that your messages can be read and modified in transit, even before they reach their destination? Or even that the username and password that you use to login to your email servers can be stolen and used by hackers?

This article is designed to teach you about how email really works, what the real security issues are, what solutions exist, and how you can avoid security risks.

Information security and integrity are centrally important  as we use email for personal and business communication: sending confidential and sensitive information over this medium every day. While you are reading this article, imagine how these security problems could affect your business or personal life and your identity…. if they have not already.

Read the rest of this post »

Can S/MIME be trusted when SSL has had so many security issues?

Thursday, March 26th, 2015

SSL and TLS have had a lot of security issues over the past 1-2 years.  While these have been patched quickly, they have been very bad and have changed our view of and trust of the Internet.  S/MIME is really just aspects of SSL/TLS applied to secure email messages (we looked at this previously).  So …. can S/MIME be trusted?  Does it suffer from the same vulnerabilities as SSL?  Is S/MIME a good thing to use for secure email or should it be avoided with a 10-foot pole?

As we shall see, S/MIME is impervious to the majority the issues with SSL due to the fact that there is no real-time negotiation of cryptographic algorithms and there can be no man-in-the-middle.

Lets see…

Read the rest of this post »