" ssl Archives - LuxSci

Posts Tagged ‘ssl’

7 Steps to Make your Web Site HIPAA-Compliant

Tuesday, March 2nd, 2021

Telehealth is the new normal thanks to the Covid-19 pandemic. Many medical providers are finding that not only is telehealth a safer option during the pandemic, it can also help increase patient access to healthcare and improve outcomes. Along with video appointments, the virtual medicine push includes making protected health information available to patients via a web site and collecting similar private information from patients or would-be patients online.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document. The Omnibus rule requires all web sites, old and new, to be properly designed or their owners can face potential financial liability into the millions of dollars.

So, what do these requirements mean and how can HIPAA be followed in the context of a website?

Read the rest of this post »

Enhanced Security: AES-256 Encryption for SSL and TLS

Tuesday, December 1st, 2020

AES-256 EncryptionSSL and TLS play critical roles in securing data transmission over the internet, and AES-256 is integral in their most secure configurations. The original standard was known as Secure Sockets Layer (SSL). Although it was replaced by Transport Layer Security (TLS), many in the industry still refer to TLS by its predecessor’s acronym. While TLS can be relied on for securing information at a high level—such as US Government TOP SECRET data—improper or outdated implementations of the standard may not provide much security at all.

Variations in which cipher is used in TLS impact how secure TLS ultimately is. Some ciphers are fast but insecure, while others are slower, require a greater amount of computational resources, and can provide a higher degree of security. Weaker ciphers—such as the early export-grade ciphers—still exist, but they should no longer be used.

The Advanced Encryption Standard (AES), is an encryption specification that succeeded the Data Encryption Standard (DES). AES was standardized in 2001 after a 5 year review, and is currently one of the most popular algorithms used in symmetric-key cryptography. It is often seen as the gold standard symmetric-key encryption technique, with many security-conscious organizations requiring their employees to use AES-256 for all communications. It is also used prominently in TLS.

Read the rest of this post »

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attacks, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) anfd which “ciphers” are permitted have the greatest impact on security.  A “cipher” specifies encryption algorithm to be used,  the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated.   Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments.  Other ciphers provide protection against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance for an appropriate and compliant level TLS security.  Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

How Can You Tell if an Email Was Transmitted Using TLS Encryption?

Tuesday, October 29th, 2019

Frequently, we are asked to verify if an email that someone sent or received was encrypted using SMTP TLS while being transmitted over the internet.  For example, banks, health care organizations under HIPAA, and other security-aware institutions have a requirement that email be secured at least by TLS encryption from sender to recipient.

Email should always be transmitted with this basic level of email encryption ensure that the email message content cannot be eavesdropped upon.  This check, to see if a message was sent securely, is fairly easy to do by looking the the raw headers of the email message in question.  However, it requires some knowledge and experience.  It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To see how to analyze a message for its transmission security, we will look at an example email message sent from Hotmail to LuxSci, and see that Hotmail did not use TLS when sending this message.  Hotmail is not a good provider to use when security or privacy are required.

Read the rest of this post »

SSL versus TLS – What’s the difference?

Saturday, May 12th, 2018

SSL versus TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a practical difference between the two?

SSL versus TLS: What is the differenc?

See also our Infographic which summarizes these differences.

Read the rest of this post »

LUXSCI