" tls Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘tls’

Neutralizing and protecting against rogue TLS certificates in the wild

Thursday, August 17th, 2017

Techniques for fighting mis-issuance of TLS certificates

The web has reached the tipping point where encrypted traffic – connections protected by HTTPS, which is HTTP over SSL/TLS – has overtaken unencrypted (HTTP) traffic. There are many reasons for this change, variously called HTTPS Everywhere or Always-On SSL, which we described in a previous FYI blog post. While this move certainly improves the security and privacy of interactions on the web, there still remains the Achilles’ heel of this ecosystem – the problem of mis-issuance of cryptographically legitimate certificates to rogue site operators. This blog post describes recent steps taken to guard against such occurrences, using techniques which can raise the necessary alarms before much harm propagates.

The Achilles’ heel of internet security is the mis-issuance of cryptographically legitimate certificates to rogue site operators.

 

SSL and TLS Certificates

The entire edifice of SSL/TLS-based security rests on certificates issued to the legitimate operators of websites, so that browser indicators (the secure lock icon, for example) based on various cryptographic checks can reassure users that they are communicating with their intended destination. Mis-issued certificates, whether available through lax procedures at a certificate authority (CA) or by a malignant act, removes that critical trust. A browser’s cryptographic checks cannot distinguish a duly-vetted legitimate server from a man-in-the-middle that has improperly obtained a cryptographically valid certificate. The latter might arise owing to the (mis)placed trust in a compromised root CA embedded in the browser or one issued by a corrupted intermediate CA that is in a legitimate chain of trusted certificates.  This is, for example, why Google is reducing trust in SSL certificates issued by Symantec and why even Microsoft is the latest and last browser vendor to no longer going to trust anything issued by the WoSign/StartCom certificate authorities.

Some CAs make mistakes and fix them; some have a habit not well controlling certificate issuance.  This seriously damages our trust in a secure internet.

Read the rest of this post »

Why Choose OV TLS Certificates? The dilemma of the middle child

Wednesday, August 9th, 2017

Choosing amongst the different certificate types

Imagine three brothers. The youngest is nimble, outgoing, and popular. He’s also growing very rapidly and will soon be the tallest in the family. The oldest is steady, thoughtful, and circumspect. He’s a high achiever, in a job with lots of responsibilities and makes loads of money. But what about the middle sibling? The classic middle child syndrome would have him struggling to find his niche between these two exemplars.

It’s much the same (as far as analogies go) with the three types of SSL/TLS certificates – Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) – available for use in the internet security ecosystem.

TLS Certificate Validity

First, just like siblings, all three share the same genes. That is, from a cryptographic point of view, all three certificates provide exactly the same level of confidentiality and integrity protection of the communications channel by using standard security technologies (private/public keys, cipher suites, encryption algorithms, etc.) in exactly the same way using SSL/TLS. The difference, as with siblings, is how they interact with their environment and take advantage of the opportunities presented to create and project their public persona. The choice of a certificate type for a website aims at projecting a particular image of its trustworthiness and dependability.  Is the site trustworthy enough to interact with for the purposes the end user has in mind?     

Read the rest of this post »

What is your browser telling you about SSL/TLS?

Monday, August 7th, 2017

Interpreting a browser’s visual clues about security

The continuous drumbeat of news about pervasive surveillance, security breaches, identity theft, malware, phishing and so forth has had at least one salutary effect on our interactions on the web. The general public is increasingly aware of the need for safe browsing habits, such as not clicking on unknown links in webmail, hovering your cursor over hyperlinks to see if you recognize the URL revealed, and, above all, to “Look for the Lock”.

Such mnemonics and visual aids are important ways to communicate security features to end users, allowing them to take informed decisions on what level of trust they should expect during a particular instance of communications on the web. This post will concentrate on these visual indicators, in particular how browsers represent the identity of the server/site with which an end user would like to interact. The SSL/TLS certificate that the server presents to the browser at the start of the communications is the information source which the browser uses to create the appropriate visual representation that guides the user. Readers would do well to brush up their knowledge on the different types of certificates that are available by reading our previous posts on the subject, as what follows will assume that the reader is aware (at least at a high level) of their basic properties and differences.

Most people are now aware of the need to look for the https://….. in the browser address bar as well as the lock symbol accompanying it. This is the part of the screen that is controlled purely by the browser, which populates it with the site URL and other security information gathered from the SSL/TLS certificate used to secure the connection.

For instance, look at the images below of the luxsci.com website as shown in the address bar of Google’s Chrome, Microsoft’s Internet Explorer (IE), Mozilla’s Firefox and Microsoft’s Edge browsers.

Chrome

Internet Explorer

Mozilla Firefox

Microsoft Edge

(The screen shots were taken using Chrome version 59.0.3071.115, IE version 11.0.9600, Firefox 10.0.2 and Edge 38.14393.1066.)

Read the rest of this post »

What’s the latest with HTTPS and SSL/TLS Certificates?

Wednesday, August 2nd, 2017

We’ve written quite a lot in past FYI Blog posts about SSL/TLS certificates, the critical building block to secure communication on the Internet. We described what such certificates were, their use in securing the communications channel between a client (browser) and a server, different types of certificates and the pros and cons of using each.

Given the changes in the Internet landscape over the past five years, we feel it is time to revisit these topics. The technical details described in the earlier posts remain unchanged. What has changed, though, are the traffic patterns for HTTPS-based communications, additional vulnerabilities arising as a consequence and ways to mitigate these. This post will provide a general overview of certain changes in the Internet landscape over the past few years, while subsequent blog posts will describe some of the topics identified here in greater detail.SSL TLS Certificates

Read the rest of this post »

Do you expect email carriers to require TLS v1.2 or better in the future?

Friday, July 28th, 2017

Our latest “Ask Erik” question involves the future of TLS delivery:.

Hello Erik,

I am aware of an e-mail server of a Carrier refuses any TLS connections that are not using TLS v1.2. Is it reasonable to expect more Carriers to follow this tact in the future?

Thank you.

This question involves the use of “TLS” to transparently encrypt email communications between email servers over the SMTP protocol.  For a little background, see: “All about secure email delivery over TLS“.

Read the rest of this post »

Email Encryption Showdown: SMTP TLS vs PGP vs S/MIME vs Portal Pickup

Monday, May 29th, 2017

While messaging apps may have become more popular over the last ten or so years, email remains an important method of communication, particularly for business. Despite its common use, there are many security problems associated with regular email:

Message Tampering

False messages are a significant threat, particularly when it comes to business and legal issues. Imagine someone else sends an email from your account – how can you prove it wasn’t you? There are many viruses that spread in this way, and with regular email, there is no concrete way to tell whether a message is false or not.

Email Encryption

Normal emails can also be modified by anyone with system-administrator access to the SMTP servers that your emails pass through. They can alter or completely delete the message, and your recipient has no way of knowing if the message has been tampered with or not.

In the same way, messages can be saved by the SMTP system administrator, then altered and sent again at a later time. This means that subsequent messages may appear valid, even if they are actually just copies that have been faked.

Read the rest of this post »

Kick Your Privacy Up a Notch with Tor

Monday, May 8th, 2017

Online privacy is becoming more important as our lives increasingly migrate to the internet. With government surveillance intensifying, you may have come across the term Tor as a way to protect yourself. So what exactly is it?

The Onion Router (TOR), is an open source project that aims to provide anonymous communication for its users. The underlying technology was initially developed by the United States Naval Research Laboratory in the nineties as a way to protect communications within the intelligence community. Tor has since moved over to the open source community, supported by a range of volunteers, privacy advocacy groups, various US government departments and others.

Tor - The Onin Router

Tor allows web browsing, messaging and chat, as well as access to .onion websites, which are a secretive side of the internet. Unfortunately, Tor cannot give a user complete anonymity, particularly from government level surveillance. This is because these entities have the capability to correlate the traffic that goes into Tor with the traffic that exits. Despite this, it is still a useful tool that can help to enhance privacy in a range of use cases.

Read the rest of this post »

What is really protected by SSL and TLS?

Saturday, April 8th, 2017

This question came in via Ask Erik:

Hi Erik,

I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail which I understand to be an HTTP session.  I am just an ordinary user with no special security needs but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons.  In any case my questions is quite simple.

My e-mail client, apple mail, and my e-mail service provider both support SSL so my e-mail exchanges between my computer and the server are encrypted.  I understand that I can’t control what happens with other e-mail servers.  What I am trying to understand is what does it mean to be encrypted?  When an e-mail leaves my computer how much of the message is encrypted?   Are the e-mail headers encrypted including the sender and recipient e-mail addresses.  I would assume so but nobody talks about the details.  What metadata trail does a user leave when using SSL/TLS.  Is it is as simple as the destination and sending IP address with everything else encrypted?  Reading Data and Goliath right now by Bruce Schneider which talks about a lot of this stuff but again doesn’t give quite enough detail.  At the end of the day I am trying to understand how much protection SSL really provides.

SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL andTLS) work?  However, looking at how the protocol works can leave answers to some of these fundamental questions a little unclear.  Lets address them one by one.

SSL and TLS Security

Read the rest of this post »

Am I at HIPAA-risk if a patient replies to my secure email message?

Tuesday, January 31st, 2017

Here is a question from “Ask Erik:”

Dear Dr. Kangas,  When I write an email to a patient from my LuxSci account, it is encrypted and therefore HIPPA compliant.  When they write me back from their regular email address (it’s often hard to get them to sign up at LuxSci), they are putting [PHI /Medical Information] out without security, but that is not my HIPPA violation as I understand it because patients are not required to keep their PHI secure.  Yet often a patient replying to my email simply hits ‘reply’ and my email is attached to their reply, putting my original email in an insecure from on the Internet.  Does that become therefore a HIPPA violation of mine, especially if I continue to allow this without telling the patient to stop doing this?

Read the rest of this post »

SSL versus TLS – What’s the difference?

Tuesday, July 19th, 2016

SSL versus TLS

SSL TLSTLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a practical difference between the two?

See also our Infographic which summarizes these differences.

Read the rest of this post »