1. What is SSL? 🛡️
SSL (Secure Sockets Layer) is a standard security protocol used to establish encrypted links between a web server and a browser (client). The primary purpose of SSL is to ensure the confidentiality, integrity, and authenticity of the data exchanged between two communicating systems over the internet. It was initially developed by Netscape in the 1990s to secure data transactions over the web, such as those involving credit card payments.
SSL has evolved into TLS (Transport Layer Security), which is essentially a more secure version of SSL. Although SSL is still a common term, modern secure connections use TLS.
Evolution of SSL and TLS: Changes and Additions
SSL 1.0 (1993)
Developed internally at Netscape but never released due to major security issues.
Key Issue: Lack of proper data integrity checks, making it unsuitable for secure deployments.
SSL 2.0 (1994)
Introduced encryption for securing data transmission between client and server.
Issues Fixed: Provided better encryption than SSL 1.0.
Problems: Weak cryptographic integrity checks, vulnerability to man-in-the-middle attacks, and limited support for certificate chains (only one certificate allowed per connection).
SSL 3.0 (1995)
Key Exchange Improvements: Added support for Diffie-Hellman key exchange.
Encryption and Integrity: Allowed stronger ciphers and used both MD5 and SHA-1 for message integrity.
Certificates: Improved support for certificate chains.
Problems: Later found vulnerable to the POODLE attack, leading to its deprecation.
TLS 1.0 (1999)
Upgraded from SSL 3.0: Standardized by the IETF.
Improved Algorithms: Enhanced cryptographic algorithms and made small protocol refinements.
Handshake Process: Improved the process of establishing secure connections.
Backward Compatibility: Maintained backward compatibility with SSL 3.0.
TLS 1.1 (2006)
CBC Attack Protection: Addressed weaknesses like the padding oracle attack by introducing explicit initialization vectors.
Improved Message Integrity: Enhanced the security of data transmission.
Other Fixes: Better handling of error conditions to make the protocol more secure.
TLS 1.2 (2008)
Support for SHA-256: Allowed the use of SHA-256 for message authentication.
Customizable Cipher Suites: Provided flexibility for users to specify preferred cipher suites.
Improved Performance: Enhanced overall security and cryptographic performance.
Wider Adoption: Became the most widely used version until the release of TLS 1.3.
TLS 1.3 (2018)
Simplified Handshake: Reduced the number of round trips required for connection establishment, improving speed.
Removed Deprecated Algorithms: Removed outdated algorithms such as MD5, SHA-1, and RSA key exchange.
Enhanced Forward Secrecy: Focused on forward secrecy with default use of ephemeral Diffie-Hellman key exchanges.
Better Security and Performance: Improved resistance against a wide range of attacks while being faster than previous versions.
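To audit which of the versions above a server actually negotiated, the check below reads the version from a captured ServerHello record. It is an added example, not code from the original post: the function names, the TLS 1.2+ policy and the sample records are assumptions made for illustration. It also handles a detail the timeline does not cover: a TLS 1.3 ServerHello keeps 0x0303 in its legacy version field and carries the real version in the supported_versions extension.

```python
import struct

# Wire values for the protocol versions in the timeline above.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # assumed policy: require TLS 1.2+
EXT_SUPPORTED_VERSIONS = 0x002B  # carries the real version in a TLS 1.3 ServerHello

def negotiated_version(record: bytes) -> str:
    """Return the version a server selected, given a record starting with ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record holding a ServerHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if rec_len < hs_len + 4 or len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated or fragmented ServerHello")
    version = struct.unpack("!H", hello[:2])[0]   # legacy_version field
    pos = 34                                      # skip version + 32-byte random
    pos += 1 + hello[pos]                         # session_id
    pos += 3                                      # cipher_suite + compression
    if pos > hs_len:
        raise ValueError("session_id overruns the message")
    if pos + 2 <= hs_len:                         # extensions are optional before 1.3
        end = min(hs_len, pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2 and pos + 6 <= end:
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return VERSIONS.get(version, f"unknown (0x{version:04x})")

def is_deprecated(record: bytes) -> bool:
    """True when the negotiated version falls below the assumed TLS 1.2 floor."""
    return negotiated_version(record) in DEPRECATED

def sample_server_hello(legacy, selected=None):
    """Constructed sample: zeroed random, empty session_id, placeholder suite."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x00" + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, min(legacy, 0x0303), len(hs)) + hs

if __name__ == "__main__":
    for rec in (sample_server_hello(0x0300), sample_server_hello(0x0303),
                sample_server_hello(0x0303, 0x0304)):
        print(negotiated_version(rec), "deprecated" if is_deprecated(rec) else "ok")
```
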