Questions tagged [tls]

SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)

HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. Unless a different port is specified, HTTPS uses port 443, unlike HTTP, which uses port 80, in its interactions with the lower layer, TCP/IP.

The effectiveness of HTTPS can be limited by poor implementation of browser or server software or a lack of support for some algorithms. Furthermore, although HTTPS secures data as it travels between the server and the client, once the data is decrypted at its destination, it is only as secure as the host computer.

HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

5818 questions
79 votes, 8 answers

Need to access old forgotten router that only supports SSLv3

I need to access the web interface of a router standing here in the office. The problem is that it only supports SSLv3 and I cannot find a browser that allows me to connect to it. In order to update the router, I also need to be able to login to…
tomsv
62 votes, 12 answers

Is there ever a good reason _not_ to use TLS/SSL?

While writing an answer to this question on Server Fault, a thought that has been bouncing around my head for quite some time resurfaced again as a question: Is there ever a good reason to not use TLS/SSL? To further elucidate the question, I'm…
Naftuli Kay
50 votes, 11 answers

SSL's (security) benefit to the website owner

I know the many benefits of SSL for the users of a website. It creates a contract whereby the user can be certain that the entity they're transacting with is who it claims to be and that the information passed is encrypted. I also have some idea…
Luke Sawczak
47 votes, 5 answers

Can an HTTPS server be configured without a server certificate?

I have noticed that an HTTPS connection can be set up with the server configured to use a certificate, and when additional security is required, the server can ask the client to provide a client certificate, validate it and set up the connection. It…
Lucifer Orichalcum
46 votes, 3 answers

Why do we still use the terms SSL and HTTPS?

Since TLS is preferred over SSL, why do we still use the terms SSL and HTTPS generally? The former could be anecdotal, but most people I speak to still say SSL in general conversation. The term HTTPS is more objective, since that means HTTP over…
Ian Newson
46 votes, 6 answers

Is there a way to prove that HTTPS is encrypting the communication with my site?

I'm working for a business that deals with web application development, and I am the "Security Expert". I recently implemented HTTPS in an application with Let's Encrypt, and my boss is asking me to prove that HTTPS really encrypts the information.…
NTHINGs
43 votes, 6 answers

Can I use a single SSL cert on two different servers?

I have a master server installed on AWS and the slave server installed on GoDaddy. How many SSL certificates do I need to buy? Can I use a single certificate for both?
user50577
33 votes, 5 answers

How Legitimate Wifi Hotspots redirect https requests

I have been looking into how https and ssl protect the user from captive portals. If a client tries to access https://www.google.com and the hotspot does not provide a valid certificate it prevents the user from connecting. How then do hotspots like…
NULL
33 votes, 4 answers

If I protected myself from POODLE am I also protected against DROWN

The POODLE vulnerability exploited a weakness in SSLv3. The newer DROWN vulnerability exploits a weakness in SSLv2. Part of my protection against POODLE (for my webserver) was to disable SSLv3 and earlier. So am I already safe from DROWN?
Raedwald
32 votes, 3 answers

Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

While disabling SSLv3 from our ssl.conf files to overcome the Poodle vulnerability, I also disabled the SSLv3 ciphers using !SSLv3. With the ciphers disabled, we were not able to access the website through Firefox and IE. The following was the error…
Sreeraj
31 votes, 2 answers

What measure (if any) does HTTPS use to hide the request path length?

I really, really thought I remembered seeing the existence of some standardized header or TLS packet whose purpose is to (try to) hide the length of the requested URL from an eavesdropper. But I cannot find anything about this at this time. What —…
31 votes, 4 answers

What is the impetus for major sites being HTTPS-exclusive now?

I've noticed that there are a good number of sites (Google, Twitter, Wikipedia) that are serving up every page over HTTPS. I can understand given that everyone is concerned over privacy now, but has there been some sort of best practice/impetus for…
casperOne
29 votes, 1 answer

Do Chrome and Firefox send random values rather than the actual timestamp in ClientHello of TLS?

I'm doing some analysis of TLS in different browsers (using Safari, Chrome, and Firefox) and have noticed that while Safari sends the correct Unix timestamp, Chrome and Firefox send random values each time they send the ClientHello. Is this by design?…
josh
29 votes, 6 answers

Should I use a SSL in my test domains?

I use a SSL in my main domain, that is the one my clients access. However, I have a second domain with the same content (including login credentials) that I use only for test and development. Should I secure this test domain too?
carla
28 votes, 1 answer

What is 'TLS version intolerance'

I'm trying to fully understand the report of the SSL Labs server test. Can someone explain the term 'TLS version intolerance'? I cannot find any documentation of this term, not even on the forums of SSL Labs or their SSL Server Rating Guide. For…
Julian