Transport Layer Security

Internet protocol suite
Application layer
BGP DHCP DNS FTP HTTP IMAP LDAP MGCP NNTP NTP POP ONC/RPC RTP RTSP RIP SIP SMTP SNMP SSH Telnet TLS/SSL XMPP more...
Transport layer
TCP UDP DCCP SCTP RSVP more...
Internet layer
IP IPv4 IPv6 ICMP ICMPv6 ECN IGMP IPsec more...
Link layer
ARP NDP OSPF Tunnels L2TP PPP MAC Ethernet DSL ISDN FDDI more...

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.^[1] Several versions of the protocols are in widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Major web sites (including Google, YouTube, Facebook and many others) use TLS to secure all communications between their servers and web browsers.

The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating computer applications.^[1]:3 When secured by TLS, connections between a client (e.g. a web browser) and a server (e.g. wikipedia.org) will have one or more of the following properties:

• The connection is private because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a secret negotiated at the start of the session (see Handshake Protocol). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see Algorithm). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places himself in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
• The identity of the communicating parties can be authenticated using public key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
• The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.^[1]:3

In addition to the properties above, careful configuration of TLS can provide additional privacy-related properties such as forward secrecy, ensuring that any future disclosure of encryption keys cannot be used to decrypt any TLS communications recorded in the past.^[2]

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity (see Algorithm). As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see authentication and key exchange table, cipher security table, and data integrity table).

Attempts have been made to subvert aspects of the communications security that TLS seeks to provide and the protocol has been revised several times to address these security threats (see Security). Web browsers have also been revised by their developers to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers.)

The TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.

TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999 and updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It is based on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications^[3] for adding the HTTPS protocol to their Navigator web browser.

Description

The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

Since protocols can operate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. There are two main ways of achieving this. One option is to use a different port number for TLS connections (for example, port 443 for HTTPS). The other is for the client to use a protocol-specific mechanism (for example, STARTTLS for mail and news protocols) to request that the server switch the connection to TLS.

Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure.^[4] During this handshake, the client and server agree on various parameters used to establish the connection's security:

• The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and presents a list of supported cipher suites (ciphers and hash functions).
• From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
• The server usually then sends back its identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) and the server's public encryption key.
• The client confirms the validity of the certificate before proceeding.
• In order to generate the session keys used for the secure connection, the client either:
  • encrypts a random number with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session
  • uses Diffie-Hellman key exchange to securely generate a random and unique session key for encryption and decryption that has the additional property of forward secrecy: if the server's private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fail, the TLS handshake fails, and the connection is not created.

TLS and SSL are defined as 'operating over some reliable transport layer', which places them as application layer protocols in the TCP/IP reference model and as presentation layer protocols in the OSI model. The protocols employ a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for a session; the rest of the communication is encrypted using a symmetric cipher and the session key.

History and development

Defined
Protocol	Year
SSL 1.0	n/a
SSL 2.0	1995
SSL 3.0	1996
TLS 1.0	1999
TLS 1.1	2006
TLS 1.2	2008
TLS 1.3	TBD

Secure Network Programming

Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting preexisting network applications with security measures.^[5]

SSL 1.0, 2.0 and 3.0

Netscape developed the original SSL protocols.^[6] Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0".^[7] SSL version 3.0, released in 1996, represented a complete redesign of the protocol, produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Consensus Development. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.

Dr. Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, is recognized as the "father of SSL".^[8][9]

As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.^[10]

SSL 2.0 was deprecated in 2011 by RFC 6176.

SSL 3.0 was deprecated in June 2015 by RFC 7568.

TLS 1.0

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.^[11]:1–2

TLS 1.1

TLS 1.1 was defined in RFC 4346 in April 2006.^[12] It is an update from TLS version 1.0. Significant differences in this version include:

• Added protection against cipher-block chaining (CBC) attacks.
  • The implicit initialization vector (IV) was replaced with an explicit IV.
  • Change in handling of padding errors.
• Support for IANA registration of parameters.^[11]:2

TLS 1.2

TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences include:

• The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher suite specified PRFs.
• The MD5-SHA-1 combination in the finished message hash was replaced with SHA-256, with an option to use cipher suite specific hash algorithms. However the size of the hash in the finished message must still be at least 96 bits.^[13]
• The MD5-SHA-1 combination in the digitally signed element was replaced with a single hash negotiated during handshake, which defaults to SHA-1.
• Enhancement in the client's and server's ability to specify which hash and signature algorithms they will accept.
• Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of Advanced Encryption Standard encryption.
• TLS Extensions definition and Advanced Encryption Standard cipher suites were added.^[11]:2

All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions will never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

TLS 1.3 (draft)

As of January 2016, TLS 1.3 is a working draft, and details are provisional and incomplete.^[14][15] It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:

• Removing support for weak and lesser used named elliptic curves (see Elliptic curve cryptography)
• Removing support for MD5 and SHA-224 cryptographic hash functions
• Requiring digital signatures even when a previous configuration is used
• Integrating HKDF and the semi-ephemeral DH proposal
• Replacing resumption with PSK and tickets
• Supporting 1-RTT handshakes and initial support for 0-RTT (see Round-trip delay time)
• Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, static RSA and static DH key exchange, custom DHE groups, point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
• Prohibiting SSL or RC4 negotiation for backwards compatibility
• Integrating use of session hash
• Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
• Moving some security related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix

Digital Certificates

A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key.

Certificate Authorities

In this model of trust relationships, a Certificate Authority(CA) is a trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.

According to Netcraft, who monitors active TLS certificates, the market-leading CA has been Symantec since the beginning of their survey (or VeriSign before the authentication services business unit was purchased by Symantec). Symantec currently accounts for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.^[16]

As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM).^[17][18]

Algorithm

Key exchange or key agreement

Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see Cipher). Among the methods used for key exchange/agreement are: public and private keys generated with RSA (denoted TLS_RSA in the TLS handshake protocol), Diffie-Hellman (TLS_DH), ephemeral Diffie-Hellman (TLS_DHE), Elliptic Curve Diffie-Hellman (TLS_ECDH), ephemeral Elliptic Curve Diffie-Hellman (TLS_ECDHE), anonymous Diffie-Hellman (TLS_DH_anon),^[1] pre-shared key (TLS_PSK)^[19] and Secure Remote Password (TLS_SRP).^[20]

The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable to Man-in-the-middle attack. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, Google announced that it would no longer use 1024 bit public keys and would switch instead to 2048 bit keys to increase the security of the TLS encryption it provides to its users.^[21]

Authentication and key exchange/agreement

Algorithm	SSL 2.0	SSL 3.0	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3 (Draft)	Status
RSA	Yes	Yes	Yes	Yes	Yes	No	Defined for TLS 1.2 in RFCs
DH-RSA	No	Yes	Yes	Yes	Yes	No
DHE-RSA (forward secrecy)	No	Yes	Yes	Yes	Yes	Yes
ECDH-RSA	No	No	Yes	Yes	Yes	No
ECDHE-RSA (forward secrecy)	No	No	Yes	Yes	Yes	Yes
DH-DSS	No	Yes	Yes	Yes	Yes	No
DHE-DSS (forward secrecy)	No	Yes	Yes	Yes	Yes	No[22]
ECDH-ECDSA	No	No	Yes	Yes	Yes	No
ECDHE-ECDSA (forward secrecy)	No	No	Yes	Yes	Yes	Yes
PSK	No	No	Yes	Yes	Yes
PSK-RSA	No	No	Yes	Yes	Yes
DHE-PSK (forward secrecy)	No	No	Yes	Yes	Yes
ECDHE-PSK (forward secrecy)	No	No	Yes	Yes	Yes
SRP	No	No	Yes	Yes	Yes
SRP-DSS	No	No	Yes	Yes	Yes
SRP-RSA	No	No	Yes	Yes	Yes
Kerberos	No	No	Yes	Yes	Yes
DH-ANON (insecure)	No	Yes	Yes	Yes	Yes
ECDH-ANON (insecure)	No	No	Yes	Yes	Yes
GOST R 34.10-94 / 34.10-2001[23]	No	No	Yes	Yes	Yes		Proposed in RFC drafts

Cipher

Cipher security against publicly known feasible attacks

Cipher			Protocol version						Status
Type	Algorithm	Strength (bits)	SSL 2.0	SSL 3.0 [n 1][n 2][n 3][n 4]	TLS 1.0 [n 1][n 3]	TLS 1.1 [n 1]	TLS 1.2 [n 1]	TLS 1.3 (Draft)
Block cipher with mode of operation	AES GCM[24][n 5]	256, 128	N/A	N/A	N/A	N/A	Secure	Secure	Defined for TLS 1.2 in RFCs
	AES CCM[25][n 5]		N/A	N/A	N/A	N/A	Secure	Secure
	AES CBC[n 6]		N/A	N/A	Depends on mitigations	Secure	Secure	N/A
	Camellia GCM[26][n 5]	256, 128	N/A	N/A	N/A	N/A	Secure	Secure
	Camellia CBC[27][n 6]		N/A	N/A	Depends on mitigations	Secure	Secure	N/A
	ARIA GCM[28][n 5]	256, 128	N/A	N/A	N/A	N/A	Secure	Secure
	ARIA CBC[28][n 6]		N/A	N/A	Depends on mitigations	Secure	Secure	N/A
	SEED CBC[29][n 6]	128	N/A	N/A	Depends on mitigations	Secure	Secure	N/A
	3DES EDE CBC[n 6]	112[n 7]	Insecure	Insecure	Low strength, Depends on mitigations	Low strength	Low strength	N/A
	GOST 28147-89 CNT[23]	256	N/A	N/A	Secure	Secure	Secure		Proposed in RFC drafts
	IDEA CBC[n 6][n 8]	128	Insecure	Insecure	Depends on mitigations	Secure	N/A	N/A	Removed from TLS 1.2
	DES CBC[n 6][n 8]	056	Insecure	Insecure	Insecure	Insecure	N/A	N/A
		040[n 9]	Insecure	Insecure	Insecure	N/A	N/A	N/A	Forbidden in TLS 1.1 and later
	RC2 CBC[n 6]	040[n 9]	Insecure	Insecure	Insecure	N/A	N/A	N/A
Stream cipher	ChaCha20-Poly1305[33][n 5]	256	N/A	N/A	N/A	N/A	Secure	Secure	Proposed in RFC drafts
	RC4[n 10]	128	Insecure	Insecure	Insecure	Insecure	Insecure	N/A	Prohibited in all versions of TLS
		040[n 9]	Insecure	Insecure	Insecure	N/A	N/A	N/A
None	Null[n 11]	-	N/A	Insecure	Insecure	Insecure	Insecure	Insecure	Defined for TLS 1.2 in RFCs

Notes

Data integrity

Message authentication code (MAC) is used for data integrity. HMAC is used for CBC mode of block ciphers and stream ciphers. AEAD is used for Authenticated encryption such as GCM mode and CCM mode.

Data integrity

Algorithm	SSL 2.0	SSL 3.0	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3 (Draft)	Status
HMAC-MD5	Yes	Yes	Yes	Yes	Yes		Defined for TLS 1.2 in RFCs
HMAC-SHA1	No	Yes	Yes	Yes	Yes
HMAC-SHA256/384	No	No	No	No	Yes
AEAD	No	No	No	No	Yes
GOST 28147-89 IMIT[23]	No	No	Yes	Yes	Yes		Proposed in RFC drafts
GOST R 34.11-94[23]	No	No	Yes	Yes	Yes

Applications and adoption

In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as HTTP, FTP, SMTP, NNTP and XMPP.

Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

Websites

A prominent use of TLS is for securing World Wide Web traffic between a website and a web browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the HTTPS protocol.^[34]

Website protocol support

Protocol version	Website support[35]	Security[35][36]
SSL 2.0	9.1% (−0.2%)	Insecure
SSL 3.0	28.2% (−0.8%)	Insecure[37]
TLS 1.0	98.4% (−0.2%)	Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.1	70.7% (+1.0%)	Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.2	72.9% (+0.9%)	Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.3 (Draft)	N/A

Notes

Web browsers

As of February 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the latest version of IE. Additionally many operating systems currently support multiple versions of IE, but this will change according to Microsoft's Internet Explorer Support Lifecycle Policy FAQ, "beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates." The page then goes on to list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end of life stage, which is in Microsoft's Windows lifecycle fact sheet.

There are still problems on several browser versions:

• TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer 10 for Server 2012
• TLS 1.1 and 1.2 not supported: Internet Explorer 9 for Windows Vista and Server 2008

Mitigations against known attacks are not enough yet:

• Mitigations against POODLE attack: Some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients, but also servers. Disabling SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC ciphers in SSL 3.0 is required.
  • Google Chrome: Complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default since version 40. Support of SSL 3.0 itself was dropped since version 44.)
  • Mozilla Firefox: Complete (SSL 3.0 itself is disabled by default and fallback to SSL 3.0 are disabled since version 34, TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3. Support of SSL 3.0 itself is dropped since version 39.)
  • Internet Explorer: Partial (Only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable against POODLE.)
  • Opera: Complete (TLS_FALLBACK_SCSV is implemented since version 20, "anti-POODLE record splitting", which is effective only with client-side implementation, is implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
  • Safari: Complete (Only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 is denied, but this means it will use RC4, which is not recommended as well. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
• Mitigation against RC4 attacks:
  • Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
  • Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
  • Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
  • Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 have set the priority of RC4 to lowest.
  • Internet Explorer 11 for Windows 8.1 / Server 2012 R2 and Mobile 11 for Windows Phone 8.1, and Edge for Windows 10 disable RC4 except as a fallback if no other enabled algorithm works (Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 can also disable RC4 except as a fallback through registry settings). Edge and IE 11 are expected to disable RC4 completely in early 2016.
• Mitigation against FREAK attack:
  • The Android Browser of Android 4 and older are still vulnerable to the FREAK attack.
  • Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
  • Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
  • Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.

TLS/SSL support history of web browsers

Browser	Version		Platforms	SSL protocols		TLS protocols			Certificate Support			Vulnerabilities fixed[n 1]						Protocol selection by user [n 2]
				SSL 2.0 (insecure)	SSL 3.0 (insecure)	TLS 1.0	TLS 1.1	TLS 1.2	EV [n 3][38]	SHA-2 [39]	ECDSA [40]	BEAST[n 4]	CRIME[n 5]	POODLE (SSLv3)[n 6]	RC4[n 7]	FREAK[41][42]	Logjam
Google Chrome (Chrome for Android) [n 8] [n 9]	1–9		Windows (XP SP2+) OS X (10.7+) Linux Android (4.1+) iOS (7.0+) Chrome OS	Disabled by default	Enabled by default	Yes	No	No	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected [47]	Vulnerable (HTTPS)	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Yes[n 10]
	10–20			No[48]	Enabled by default	Yes	No	No	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Vulnerable (HTTPS/SPDY)	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Yes[n 10]
	21			No	Enabled by default	Yes	No	No	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated [49]	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Yes[n 10]
	22–25			No	Enabled by default	Yes	Yes[50]	No[50][51][52][53]	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	26–29			No	Enabled by default	Yes	Yes	No	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	30–32			No	Enabled by default	Yes	Yes	Yes[51][52][53]	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	33–37			No	Enabled by default	Yes	Yes	Yes	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Partly mitigated [n 12]	Lowest priority [56][57][58]	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	38, 39			No	Enabled by default	Yes	Yes	Yes	Yes (only desktop)	Yes	needs ECC compatible OS[40]	Not affected	Mitigated	Partly mitigated	Lowest priority	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	40			No	Disabled by default [55][59]	Yes	Yes	Yes	Yes (only desktop)	Yes	needs ECC compatible OS[40]	Not affected	Mitigated	Mitigated [n 13]
	24, 25.0.0 ESR 24.0–24.1.0			No	Enabled by default	Yes	Disabled by default	Disabled by default [75]	Yes	Yes	Yes	Not affected	Mitigated	Vulnerable	Vulnerable	Not affected	Vulnerable	Yes[n 18]
	25.0.1, 26 ESR 24.1.1			No	Enabled by default	Yes	Disabled by default	Disabled by default	Yes	Yes	Yes	Not affected	Mitigated	Vulnerable	Lowest priority [72][73]	Not affected	Vulnerable	Yes[n 18]
	27–33 ESR 31.0–31.2			No	Enabled by default	Yes	Yes[76][77]	Yes[78][77]	Yes	Yes	Yes	Not affected	Mitigated	Vulnerable	Lowest priority	Not affected	Vulnerable	Yes[n 18]
	34, 35 ESR 31.3–31.7			No	Disabled by default [79][80]	Yes	Yes	Yes	Yes	Yes	Yes	Not affected	Mitigated	Mitigated [n 19]	Lowest priority	Not affected	Vulnerable	Yes[n 18]
ESR 31.8		No	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	Not affected	Mitigated	Mitigated	Lowest priority	Not affected	Mitigated[83]	Yes[n 18]
36–38 ESR 38.0		No	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	Not affected	Mitigated	Mitigated	Only as fallback [n 15][84]	Not affected	Vulnerable	Yes[n 18]
ESR 38.1– ESR 38.5	ESR 38.6	No	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	Not affected	Mitigated	Mitigated	Only as fallback [n 15]	Not affected	Mitigated[83]	Yes[n 18]
ESR 38.7– ESR 38.8
39–43		No	No[85]	Yes	Yes	Yes	Yes	Yes	Yes	Not affected	Mitigated	Not affected	Only as fallback [n 15]	Not affected	Mitigated[83]	Yes[n 18]
44	ESR 45	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Not affected	Mitigated	Not affected	Disabled by default[n 16][86][87][88]	Not affected	Mitigated	Yes[n 18]
Browser	Version		Platforms	SSL 2.0 (insecure)	SSL 3.0 (insecure)	TLS 1.0	TLS 1.1	TLS 1.2	EV certificate	SHA-2 certificate	ECDSA certificate	BEAST	CRIME	POODLE (SSLv3)	RC4	FREAK	Logjam	Protocol selection by user
Microsoft Internet Explorer [n 20]	1.x		Windows 3.1, 95, NT[n 21],[n 22] Mac OS 7, 8	No SSL/TLS support
	2			Yes	No	No	No	No	No	No	No	No SSL 3.0 or TLS support			Vulnerable	Vulnerable	Vulnerable	N/A
	3			Yes	Yes[91]	No	No	No	No	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Unknown
	4, 5		Windows 3.1, 95, 98, NT[n 21],[n 22] Mac OS 7.1, 8, X, Solaris,HP-UX	Enabled by default	Enabled by default	Disabled by default [91]	No	No	No	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Yes[n 10]
	6		Windows 98, ME, NT[n 21], 2000[n 22]	Enabled by default	Enabled by default	Disabled by default [91]	No	No	No	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Yes[n 10]
	6		Windows XP[n 22]	Enabled by default	Enabled by default	Disabled by default	No	No	No	Yes [n 23] [92]	No	Mitigated	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Yes[n 10]
	6		Server 2003[n 22]	Enabled by default	Enabled by default	Disabled by default	No	No	No	Yes [n 23] [92]	No	Mitigated	Not affected	Vulnerable	Vulnerable	Mitigated [95]	Mitigated [96]	Yes[n 10]
	7, 8		Windows XP[n 22]	Disabled by default [97]	Enabled by default	Yes[97]	No	No	Yes	Yes [n 23] [92]	No	Mitigated	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Yes[n 10]
	7, 8		Server 2003[n 22]	Disabled by default [97]	Enabled by default	Yes[97]	No	No	Yes	Yes [n 23] [92]	No	Mitigated	Not affected	Vulnerable	Vulnerable	Mitigated [95]	Mitigated [96]	Yes[n 10]
	7, 8[n 24]	9	Windows Vista	Disabled by default	Enabled by default	Yes	No	No	Yes	Yes	Yes[40]	Mitigated	Not affected	Vulnerable	Vulnerable	Mitigated [95]	Mitigated [96]	Yes[n 10]
			Server 2008
	8, 9, 10[n 24]		Windows 7	Disabled by default	Enabled by default	Yes	Disabled by default [99]	Disabled by default [99]	Yes	Yes	Yes	Mitigated	Not affected	Vulnerable	Lowest priority [100][n 25]	Mitigated [95]	Mitigated [96]	Yes[n 10]
			Server 2008 R2
	10[n 24]		Windows 8	Disabled by default	Enabled by default	Yes	Disabled by default [99]	Disabled by default [99]	Yes	Yes	Yes	Mitigated	Not affected	Vulnerable	Lowest priority [100][n 25]	Mitigated [95]	Mitigated [96]	Yes[n 10]
	10		Server 2012
	11		Windows 7	Disabled by default	Disabled by default [n 26]	Yes	Yes[102]	Yes[102]	Yes	Yes	Yes	Mitigated	Not affected	Mitigated [n 26]	Lowest priority [100][n 25]	Mitigated [95]	Mitigated [96]	Yes[n 10]
			Server 2008 R2
	11		Windows 8.1	Disabled by default	Disabled by default [n 26]	Yes	Yes[102]	Yes[102]	Yes	Yes	Yes	Mitigated	Not affected	Mitigated [n 26]	Only as fallback [n 15][106][107]	Mitigated [95]	Mitigated [96]	Yes[n 10]
			Server 2012 R2
Microsoft Edge[n 27] and (as fallback) Internet Explorer[n 20]	IE 11	Edge[n 28]	Windows 10	Disabled by default	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	Mitigated	Not affected	Mitigated	Only as fallback [n 15]	Mitigated	Mitigated	Yes[n 10]
			Server 2016
Microsoft Internet Explorer Mobile [n 20]	7, 9		Windows Phone 7, 7.5, 7.8	Disabled by default [97]	Enabled by default	Yes	No	No	No	Yes	Yes[66]	Unknown	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Only with 3rd party tools[n 29]
	10		Windows Phone 8	Disabled by default	Enabled by default	Yes	Disabled by default [110]	Disabled by default [110]	No	Yes	Yes[111]	Mitigated	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Only with 3rd party tools[n 29]
	11		Windows Phone 8.1	Disabled by default	Enabled by default	Yes	Yes[112]	Yes[112]	No	Yes	Yes	Mitigated	Not affected	Vulnerable	Only as fallback [n 15][106][107]	Vulnerable	Vulnerable	Only with 3rd party tools[n 29]
Microsoft Edge [n 27]	Edge		Windows 10 Mobile	Disabled by default	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	Mitigated	Not affected	Mitigated	Only as fallback [n 15]	Mitigated	Unknown	Unknown
Browser	Version		Platforms	SSL 2.0 (insecure)	SSL 3.0 (insecure)	TLS 1.0	TLS 1.1	TLS 1.2	EV certificate	SHA-2 certificate	ECDSA certificate	BEAST	CRIME	POODLE (SSLv3)	RC4	FREAK	Logjam	Protocol selection by user
Opera Browser (Opera Mobile) (Pre-Presto and Presto) [n 30]	1-2		Windows OS X Linux Android Symbian S60 Maemo Windows Mobile	No SSL/TLS support[114]
	3			Yes[115]	No	No	No	No	No	No	No	No SSL 3.0 or TLS support			Vulnerable	Unknown	Unknown	N/A
	4			Yes	Yes[116]	No	No	No	No	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Unknown
	5			Enabled by default	Enabled by default	Yes[117]	No	No	No	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Yes[n 10]
	6-7			Enabled by default	Enabled by default	Yes[117]	No	No	No	Yes[39]	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Yes[n 10]
	8			Enabled by default	Enabled by default	Yes	Disabled by default [118]	No	No	Yes	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Yes[n 10]
	9			Disabled by default [119]	Enabled by default	Yes	Yes	No	since v9.5 (only desktop)	Yes	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Yes[n 10]
	10–11.52			No[120]	Enabled by default	Yes	Disabled by default	Disabled by default [120]	Yes (only desktop)	Yes	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Yes[n 10]
	11.60–11.64			No	Enabled by default	Yes	Disabled by default	Disabled by default	Yes (only desktop)	Yes	No	Mitigated [121]	Not affected	Vulnerable	Vulnerable	Unknown	Unknown	Yes[n 10]
	12–12.14			No	Disabled by default [n 31]	Yes	Disabled by default	Disabled by default	Yes (only desktop)	Yes	No	Mitigated	Not affected	Mitigated [n 31]	Vulnerable	Unknown	Mitigated[123]	Yes[n 10]
	12.15–12.17			No	Disabled by default	Yes	Disabled by default	Disabled by default	Yes (only desktop)	Yes	No	Mitigated	Not affected	Mitigated	Partly mitigated [124][125]	Unknown	Mitigated[123]	Yes[n 10]
	12.18			No	Disabled by default	Yes	Yes[126]	Yes[126]	Yes (only desktop)	Yes	Yes[126]	Mitigated	Not affected	Mitigated	Disabled by default[n 16][126]	Mitigated[126]	Mitigated[123]	Yes[n 10]
Opera Browser (Opera Mobile) (Webkit and Blink) [n 32]	14–16		Windows (XP+) OS X (10.7+) Linux Android (4.0+)	No	Enabled by default	Yes	Yes[129]	No[129]	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	17–19			No	Enabled by default	Yes	Yes[130]	Yes[130]	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Vulnerable	Vulnerable	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	20–24			No	Enabled by default	Yes	Yes	Yes	Yes (only desktop)	needs SHA-2 compatible OS[39]	needs ECC compatible OS[40]	Not affected	Mitigated	Partly mitigated [n 33]	Lowest priority [131]	Vulnerable (except Windows)	Vulnerable	Temporary [n 11]
	25, 26			No	Enabled by default [n 34]	1		Mac OS X 10.2, 10.3	No[132]	Yes	Yes	No	No	No	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	2–5			Mac OS X 10.4, 10.5, Win XP	No	Yes	Yes	No	No	since v3.2	No	No	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	3–5			Vista,Win 7	No	Yes	Yes	No	No	since v3.2	No	Yes[66]	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	4–6			Mac OS X 10.6, 10.7	No	Yes	Yes	No	No	Yes	Yes[39]	Yes[40]	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	6			OS X 10.8	No	Yes	Yes	No	No	Yes	Yes	Yes[40]	Mitigated [n 39]	Not affected	Mitigated [n 40]	Vulnerable [n 40]	Mitigated [138]	Vulnerable	No
	7	9		OS X 10.9	No	Yes	Yes	Yes[139]	Yes[139]	Yes	Yes	Yes	Mitigated [134]	Not affected	Mitigated [n 40]	Vulnerable [n 40]	Mitigated [138]	Vulnerable	No
8	9	OS X 10.10	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Mitigated	Not affected	Mitigated [n 40]	Lowest priority [140][n 40]	Mitigated [138]	Mitigated [141]	No
9		OS X 10.11	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Mitigated	Not affected	Not affected	Lowest priority	Mitigated	Mitigated	No
Apple Safari (mobile) [n 41]	3		iPhone OS 1, 2	No[145]	Yes	Yes	No	No	No	No	Unknown	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	4, 5		iPhone OS 3, iOS 4	No	Yes	Yes	No	No	Yes[146]	Yes	since iOS 4[66]	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	5, 6		iOS 5, 6	No	Yes	Yes	Yes[142]	Yes[142]	Yes	Yes	Yes	Vulnerable	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	7		iOS 7	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes[147]	Mitigated [148]	Not affected	Vulnerable	Vulnerable	Vulnerable	Vulnerable	No
	8		iOS 8	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Mitigated	Not affected	Mitigated [n 40]	Lowest priority [149][n 40]	Mitigated [150]	Mitigated [151]	No
	9		iOS 9	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Mitigated	Not affected	Not affected	Lowest priority	Mitigated	Mitigated	No
Browser	Version		Platforms	SSL 2.0 (insecure)	SSL 3.0 (insecure)	TLS 1.0	TLS 1.1	TLS 1.2	EV [n 3]	SHA-2	ECDSA	BEAST[n 4]	CRIME[n 5]	POODLE (SSLv3)[n 6]	RC4[n 7]	FREAK[41][42]	Logjam	Protocol selection by user
				SSL protocols		TLS protocols			Certificate Support			Vulnerabilities fixed

Color or Note		Significance
Browser version	Platform
Browser version	Operating system	Future release; under development
Browser version	Operating system	Current latest release
Browser version	Operating system	Former release; still supported
Browser version	Operating system	Former release; long-term support still active, but will end in less than 12 months
Browser version	Operating system	Former release; no longer supported
n/a	Operating system	Mixed / Unspecified
	Operating system (Version+)	Minimum required operating system version (for the current latest version of the browser)
	Operating system	No longer supported for this operating system

Notes

Libraries

Most SSL and TLS programming libraries are free and open source software.

• BoringSSL, a fork of OpenSSL for Chrome/Chromium and Android as well as other Google applications.
• Botan, a BSD-licensed cryptographic library written in C++.
• cryptlib: a portable open source cryptography library (includes TLS/SSL implementation)
• Delphi programmers may use a library called Indy which utilizes OpenSSL.
• GnuTLS: a free implementation (LGPL licensed)
• Java Secure Socket Extension: a Java implementation included in the Java Runtime Environment supports TLS 1.1 and 1.2 from Java 7, although is disabled by default for client, and enabled by default for server.^[152] Java 8 supports TLS 1.1 and 1.2 enabled on both the client and server by default.^[153]
• LibreSSL: a fork of OpenSSL by OpenBSD project.
• MatrixSSL: a dual licensed implementation
• mbed TLS (previously PolarSSL): A tiny SSL library implementation for embedded devices that is designed for ease of use
• Network Security Services: FIPS 140 validated open source library
• OpenSSL: a free implementation (BSD license with some extensions)
• SChannel: an implementation of SSL and TLS Microsoft Windows as part of its package.
• Secure Transport: an implementation of SSL and TLS used in OS X and iOS as part of their packages.
• wolfSSL (previously CyaSSL): Embedded SSL/TLS Library with a strong focus on speed and size.

Library support for TLS/SSL

Implementation	SSL 2.0 (insecure)	SSL 3.0 (insecure)	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3 (Draft)
Botan	No	No[154]	Yes	Yes	Yes
cryptlib	No	Enabled by default	Yes	Yes	Yes
GnuTLS	No[a]	Disabled by default[155]	Yes	Yes	Yes
Java Secure Socket Extension	No[a]	Disabled by default[b]	Yes	Yes	Yes
LibreSSL	No[156]	No[157]	Yes	Yes	Yes
MatrixSSL	No[a]	Disabled by default at compile time[158]	Yes	Yes	Yes
mbed TLS (previously PolarSSL)	No	Disabled by default[159]	Yes	Yes	Yes
Network Security Services	Disabled by default[a]	Disabled by default[160]	Yes	Yes[161]	Yes[162]
OpenSSL	Disabled by default[163]	Enabled by default	Yes	Yes[164]	Yes[164]
RSA BSAFE[165]	No	Yes	Yes	Yes	Yes
SChannel XP / 2003[166]	Disabled by default by MSIE 7	Enabled by default	Enabled by default by MSIE 7	No	No
SChannel Vista / 2008[167]	Disabled by default	Enabled by default	Yes	No	No
SChannel 7 / 2008 R2[168]	Disabled by default	Disabled by default in MSIE 11	Yes	Enabled by default by MSIE 11	Enabled by default by MSIE 11
SChannel 8 / 2012[168]	Disabled by default	Enabled by default	Yes	Disabled by default	Disabled by default
SChannel 8.1 / 2012 R2, 10[168]	Disabled by default	Disabled by default in MSIE 11	Yes	Yes	Yes
Secure Transport OS X 10.2-10.8 / iOS 1-4	Yes	Yes	Yes	No	No
Secure Transport OS X 10.9-10.10 / iOS 5-8	No[c]	Yes	Yes	Yes[c]	Yes[c]
Secure Transport OS X 10.11 / iOS 9	No	No[c]	Yes	Yes	Yes
SharkSSL	No	Disabled by default	Yes	Yes	Yes
wolfSSL (previously CyaSSL)	No	Disabled by default[169]	Yes	Yes	Yes
Implementation	SSL 2.0 (insecure)	SSL 3.0 (insecure)	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3 (Draft)

A paper presented at the 2012 ACM conference on computer and communications security^[173] showed that few applications used some of these SSL libraries correctly, leading to vulnerabilities. According to the authors

"the root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."

Other uses

The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications use public key certificates to verify the identity of endpoints.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.

Security

SSL 2.0

SSL 2.0 is flawed in a variety of ways:^[174]

• Identical cryptographic keys are used for message authentication and encryption. (In SSL 3.0, MAC secrets may be larger than encryption keys, so messages can remain tamper resistant even if encryption keys are broken.^[3])
• SSL 2.0 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks.
• SSL 2.0 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go undetected.
• SSL 2.0 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixes this problem by having an explicit closure alert).
• SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtual hosting in Web servers. This means that most websites are practically impaired from using SSL.

SSL 2.0 is disabled by default, beginning with Internet Explorer 7,^[175] Mozilla Firefox 2,^[176] Opera 9.5,^[177] and Safari. After it sends a TLS "ClientHello", if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 "ClientHello" in SSL 2.0 format to maximize the likelihood of successfully handshaking with older servers.^[178] Support for SSL 2.0 (and weak 40-bit and 56-bit ciphers) has been removed completely from Opera as of version 10.^[179][180]

SSL 3.0

SSL 3.0 improved upon SSL 2.0 by adding SHA-1–based ciphers and support for certificate authentication.

From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 so its derivation process is not currently considered weak. It is for this reason that SSL 3.0 implementations cannot be validated under FIPS 140-2.^[181]

In October 2014, the vulnerability in the design of SSL 3.0 has been reported, which makes CBC mode of operation with SSL 3.0 vulnerable to the padding attack (see #POODLE attack).

TLS

TLS has a variety of security measures:

• Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
• Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs).
• Using a message digest enhanced with a key (so only a key-holder can check the MAC). The HMAC construction used by most TLS cipher suites is specified in RFC 2104 (SSL 3.0 used a different hash-based MAC).
• The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties.
• The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these algorithms is found to be vulnerable.

Attacks against TLS/SSL

Significant attacks against TLS/SSL are listed below:

Note: In February 2015, IETF issued an informational RFC^[182] summarizing the various known attacks against TLS/SSL.

Renegotiation attack

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS.^[183] For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.^[184] This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries.^{[185][186][187]}

Version rollback attacks

Modifications to the original protocols, like False Start^[188] (adopted and enabled by Google Chrome^[189]) or Snap Start, have reportedly introduced limited TLS protocol version rollback attacks^[190] or allowed modifications to the cipher suite list sent by the client to the server (an attacker may succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite strength, to use either a weaker symmetric encryption algorithm or a weaker key exchange^[191]). A paper presented at an Association for Computing Machinery (ACM) conference on computer and communications security in 2012 demonstrates that the False Start extension is at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.^[192]

BEAST attack

On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS)^[193] using a Java applet to violate same origin policy constraints, for a long-known cipher block chaining (CBC) vulnerability in TLS 1.0:^[194][195] an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext block P2 = x ^ C0 ^ C1; due to how CBC works C2 will be equal to C1 if x = P1. Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway^[196] in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.

RC4 as a stream cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigate BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter enabling RC4 on server side was no longer recommended.^[197]

Chrome and Firefox themselves are not vulnerable to BEAST attack,^[47][198] however, Mozilla updated their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.^[199]

Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets from the server end.^[200]

Users of Internet Explorer on Windows 7, Windows 8 and Windows Server 2008 R2 can enable use of TLS 1.1 and 1.2, but this workaround will fail if it is not supported by the other end of the connection and will result in a fall-back to TLS 1.0.

Apple fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by default in OS X Mavericks, released on October 22, 2013.^[201]

CRIME and BREACH attacks

The authors of the BEAST attack are also the creators of the later CRIME attack, which can allow an attacker to recover the content of web cookies when data compression is used along with TLS.^[202][203] When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session.

While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was announced. Based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).^[204] All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.^[205] Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.^[204] This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data it was meant to protect.

Timing attacks on padding

Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013.

Some experts^[31] also recommended avoiding Triple-DES CBC. Since the last supported ciphers developed to support any program using Windows XP's SSL/TLS library like Internet Explorer on Windows XP are RC4 and Triple-DES, and since RC4 is now deprecated (see discussion of RC4 attacks), this makes it difficult to support any version of SSL for any program using this library on XP.

A fix was released as the Encrypt-then-MAC extension to the TLS specification, released as RFC 7366.^[206] The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable.

POODLE attack

On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes CBC mode of operation with SSL 3.0 vulnerable to a padding attack (CVE-2014-3566). They named this attack POODLE (Padding Oracle On Downgraded Legacy Encryption). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.^[37][207]

Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail unless they provide the option for a user or administrator to disable SSL 3.0 and the user or administrator does so. Therefore, the man-in-the-middle can first conduct a version rollback attack and then exploit this vulnerability.^[37][207]

In general, graceful security degradation for the sake of interoperability is difficult to carry out in a way that cannot be exploited. This is challenging especially in domains where fragmentation is high.^[208]

On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.^[209]

RC4 attacks

Despite the existence of attacks on RC4 that broke its security, cipher suites in SSL and TLS that were based on RC4 were still considered secure prior to 2013 because the way in which they were used in SSL and TLS. In 2011, the RC4 suite was actually recommended as a work around for the BEAST attack.^[210] New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST.^[36] An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table^[211] to recover parts of the plaintext with a large number of TLS encryptions.^[212][213] An attack on RC4 in TLS and SSL that requires 13 × 2²⁰ encryptions to break RC4 was unveiled on 8 July 2013 and later described as "feasible" in the accompanying presentation at a USENIX Security Symposium in August 2013.^[214][215] In July 2015, subsequent improvements in the attack make it increasingly practical to defeat the security of RC4-encrypted TLS.^[216]

As many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.7 or earlier, for iOS 6 or earlier, and for Windows; see #Web browsers), RC4 is no longer a good choice for TLS 1.0. The CBC ciphers which were affected by the BEAST attack in the past have become a more popular choice for protection.^[31] Mozilla and Microsoft recommend disabling RC4 where possible.^[217][218] RFC 7465 prohibits the use of RC4 cipher suites in all versions of TLS.

On September 1, 2015, Microsoft, Google and Mozilla announced that RC4 cipher suites would be disabled by default in their browsers (Microsoft Edge, Internet Explorer 11 on Windows 7/8.1/10, Firefox, and Chrome) in early 2016.^{[219][220][221]}

Truncation attack

A TLS (logout) truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination.^[222]

Published in July 2013,^[223][224] the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).^[222] This vulnerability also requires access to the victim's computer.

Downgrade attacks: FREAK attack and Logjam attack

Downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, a man-in-the-middle attack called FREAK was discovered affecting the OpenSSL stack, the default Android web browser, and some Safari browsers.^[225] The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512 bit encryption keys.

Logjam is a security exploit discovered in May 2015 that exploits the option of using legacy "export-grade" 512-bit Diffie–Hellman groups dating back to the 1990s.^[226] It forces susceptible servers to downgrade to cryptographically weak 512 bit Diffie-Hellman groups. An attacker can then deduce the keys the client and server determine using the Diffie–Hellman key exchange.

Implementation errors: Heartbleed bug, BERserk attack, Komodia root certificate

The Heartbleed bug is a serious vulnerability specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected.^[227] The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.^[228] The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.

On September 29, 2014 a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability ^[229] was announced by Intel Security Advanced Threat Research. This attack, dubbed BERserk, is a result of incomplete ASN.1 length decoding of public key signatures in some SSL implementations, and allows a man-in-the-middle attack by forging a public key signature.^[230]

In February 2015, after media reported the hidden pre-installation of Superfish adware on some Lenovo notebooks,^[231] a researcher found a trusted root certificate on affected Lenovo machines to be insecure, as the keys could easily be accessed using the company name, Komodia, as a passphrase.^[232] The Komodia library was designed to intercept client-side TLS/SSL traffic for parental control and surveillance, but it was also used in numerous adware programs, including Superfish, that were often surreptitiously installed unbeknownst to the computer user. In turn, these potentially unwanted programs installed the corrupt root certificate, allowing attackers to completely control web traffic and confirm false web sites as authentic.

Survey of websites vulnerable to attacks

As of February 2016, Trustworthy Internet Movement estimate the ratio of websites that are vulnerable to TLS attacks.^[35]

Survey of the TLS vulnerabilities of the most popular websites

Attacks	Security
	Insecure		Depends	Secure	Other
Renegotiation attack	1.8% (−0.1%) support insecure renegotiation		0.6% (−0.1%) support both	95.1% (+0.1%) support secure renegotiation	2.4% (−0.1%) no support
RC4 attacks	0.1% (−0.2%) support only RC4 suites	9.3% (−0.6%) support RC4 suites used with modern browsers	36.2% (−0.9%) support some RC4 suites	54.6% (+1.6%) no support	N/A
BEAST attack (mitigated at client side with modern browsers)	N/A		91.1% (+0.3%) vulnerable if connect with old browser	N/A	N/A
CRIME attack	3.3% (−0.1%) vulnerable		N/A	N/A	N/A
Heartbleed	0.2% (±0.0%) vulnerable		N/A	N/A	N/A
ChangeCipherSpec injection attack	1.2% (±0.0%) vulnerable and exploitable		6.9% (−0.3%) vulnerable, not exploitable	90.4% (+0.2%) not vulnerable	1.5% (+0.1%) unknown
POODLE attack against TLS (Original POODLE against SSL 3.0 is not included)	3.3% (−0.1%) vulnerable and exploitable		N/A	95.4% (+0.2%) not vulnerable	1.3% (−0.1%) unknown
Protocol downgrade	29.2% (−0.7%) TLS_FALLBACK_SCSV not supported		N/A	59.3% (+1.0%) TLS_FALLBACK_SCSV supported	11.4% (−0.3%) unknown

Forward secrecy

Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.^[233] Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided of course that these past sessions were intercepted and stored at the time of transmission).^[234] An implementation of TLS can provide forward secrecy by requiring the use of ephemeral Diffie-Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g., Gmail and other Google HTTPS services that use OpenSSL.^[235] However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.^[236][237] In practice, unless a web service uses Diffie-Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.^[238]

Even where Diffie-Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use of TLS session tickets (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.^{[239][240][241]} Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie-Hellman (DHE) key exchange to support forward secrecy were using weak Diffie Hellman parameters. These weak parameter choices could potentially compromise the effectiveness of the forward secrecy that the servers sought to provide.^[242]

Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search among other services.^[243] Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.^[244] As of February 2016, 47.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.^[35]

Dealing with MITM attacks

Certificate pinning

One way to detect and block many kinds of MITM attacks is "certificate pinning", sometimes called "SSL pinning" but more accurately called "public key pinning".^[245] A client that does key pinning adds an extra step beyond the normal X.509 certificate validation: After obtaining the server's certificate in the standard way, the client checks the public key(s) in the server's certificate chain against a set of (hashes of) public keys for the server name. Typically the public key hashes are bundled with the application. For example, Google Chrome includes public key hashes for the *.google.com certificate that detected fraudulent certificates in 2011. (Chromium does not enforce the hardcoded key pins.) Since then, Mozilla has introduced Public Key Pinning to its Firefox browser.^[246]

In other systems the client hopes that the first time it obtains a server's certificate it is trustworthy and stores it; during later sessions with that server, the client checks the server's certificate against the stored certificate to guard against later MITM attacks.

Perspectives Project

The Perspectives Project^[247] operates network notaries that clients can use to detect if a site's certificate has changed. By their nature, man-in-the-middle attacks place the attacker between the destination and a single specific target. As such, Perspectives would warn the target that the certificate delivered to the web browser does not match the certificate seen from other perspectives - the perspectives of other users in different times and places. Use of network notaries from a multitude of perspectives makes it possible for a target to detect an attack even if a certificate appears to be completely valid.

DNSChain

DNSChain^[248] relies on the security that "block chains" provide to distribute public keys. It uses one pin to secure the connection to the DNSChain server itself, after which all other public keys (that are stored in a block chain) become accessible over a secure channel.

Protocol details

The TLS protocol exchanges records—which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.

TLS handshake

When the connection starts, the record encapsulates a "control" protocol—the handshake messaging protocol  (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the messages formatting or containing this information and the order of their exchange. These may vary according to the demands of the client and server—i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).

Basic TLS handshake

A typical connection example follows, illustrating a handshake where the server (but not the client) is authenticated by its certificate:

1. Negotiation phase:
   • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and suggested compression methods. If the client is attempting to perform a resumed handshake, it may send a session ID.
   • The server responds with a ServerHello message, containing the chosen protocol version, a random number, CipherSuite and compression method from the choices offered by the client. To confirm or allow resumed handshakes the server may send a session ID. The chosen protocol version should be the highest that both the client and server support. For example, if the client supports TLS version 1.1 and the server supports version 1.2, version 1.1 should be selected; version 1.0 should not be selected.
   • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).^[249]
   • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.^[1]
   • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
   • The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
   • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.
   • Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.
   • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated)."
   • The server sends its authenticated and encrypted Finished message.
   • The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not authenticate.

Client-authenticated TLS handshake

The following full example shows a client being authenticated (in addition to the server as in the example above) via TLS using certificates exchanged between both peers.

1. Negotiation Phase:
   • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
   • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.
   • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).^[249]
   • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.^[1]
   • The server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message.
   • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
   • The client responds with a Certificate message, which contains the client's certificate.
   • The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
   • The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
   • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). " The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
   • Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
   • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). "
   • The server sends its own encrypted Finished message.
   • The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.

Apart from the performance benefit, resumed sessions can also be used for Single sign-on as it is guaranteed that both the original session as well as any resumed session originate from the same client. This is of particular importance for the FTP over TLS/SSL protocol which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.^[250]

Session IDs

In an ordinary full handshake, the server sends a session id as part of the ServerHello message. The client associates this session id with the server's IP address and TCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

1. Negotiation phase:
   • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the session id from the previous TLS connection.
   • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the session id sent by the client, it responds with the same session id. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the session id sent by the client, it sends a different value for its session id. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the "master secret" and random data to generate the key data to be used for this connection.
2. The server now sends a ChangeCipherSpec record, essentially telling the client, "Everything I tell you from now on will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
   • Finally, the server sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
   • The client will attempt to decrypt the server's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
3. Finally, the client sends a ChangeCipherSpec, telling the server, "Everything I tell you from now on will be encrypted. "
   • The client sends its own encrypted Finished message.
   • The server performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Session tickets

RFC 5077 extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.

When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.

One particular weakness of this method with OpenSSL is that it always limits encryption and authentication security of the transmitted TLS session ticket to AES128-CBC-SHA256, no matter what other TLS parameters were negotiated for the actual TLS session.^[240] This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (SSL_CTX), i.e. for the life of the application, and not allowing for re-keying of the AES128-CBC-SHA256 TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).^[241][239]

TLS record

This is the general format of all TLS records.

+	Byte +0								Byte +1								Byte +2								Byte +3
Byte 0	Content type
Bytes 1..4	Version																Length
	(Major)								(Minor)								(bits 15..8)								(bits 7..0)
Bytes 5..(m-1)	Protocol message(s)
Bytes m..(p-1)	MAC (optional)
Bytes p..(q-1)	Padding (block ciphers only)

Content type

This field identifies the Record Layer Protocol Type contained in this Record.

Content types

Hex	Dec	Type
0x14	20	ChangeCipherSpec
0x15	21	Alert
0x16	22	Handshake
0x17	23	Application
0x18	24	Heartbeat

Version

This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.

Versions

Major version	Minor version	Version type
3	0	SSL 3.0
3	1	TLS 1.0
3	2	TLS 1.1
3	3	TLS 1.2

Length

The length of Protocol message(s), MAC and Padding, not to exceed 2¹⁴ bytes (16 KiB).

Protocol message(s)

One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.

MAC and Padding

A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.

No MAC or Padding can be present at end of TLS records before all cipher algorithms and parameters have been negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) for signalling that these parameters will take effect in all further records sent by the same peer.

Handshake protocol

Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).

+	Byte +0								Byte +1								Byte +2								Byte +3
Byte 0	22
Bytes 1..4	Version																Length
	(Major)								(Minor)								(bits 15..8)								(bits 7..0)
Bytes 5..8	Message type								Handshake message data length
									(bits 23..16)								(bits 15..8)								(bits 7..0)
Bytes 9..(n-1)	Handshake message data
Bytes n..(n+3)	Message type								Handshake message data length
									(bits 23..16)								(bits 15..8)								(bits 7..0)
Bytes (n+4)..	Handshake message data

Message type

This field identifies the Handshake message type.

Message types
Code	Description
0	HelloRequest
1	ClientHello
2	ServerHello
4	NewSessionTicket
11	Certificate
12	ServerKeyExchange
13	CertificateRequest
14	ServerHelloDone
15	CertificateVerify
16	ClientKeyExchange
20	Finished

Handshake message data length

This is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple Handshake messages may be combined within one record.

Alert protocol

This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

+	Byte +0								Byte +1								Byte +2								Byte +3
Byte 0	21
Bytes 1..4	Version																Length
	(Major)								(Minor)								0								2
Bytes 5..6	Level								Description
Bytes 7..(p-1)	MAC (optional)
Bytes p..(q-1)	Padding (block ciphers only)

Level

This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).

Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).

Alert level types

Code	Level type	Connection state
1	warning	connection or security may be unstable.
2	fatal	connection or security may be compromised, or an unrecoverable error has occurred.

Description

This field identifies which type of alert is being sent.

Alert description types

Code	Description	Level types	Note
0	Close notify	warning/fatal
10	Unexpected message	fatal
20	Bad record MAC	fatal	Possibly a bad SSL implementation, or payload has been tampered with e.g. FTP firewall rule on FTPS server.
21	Decryption failed	fatal	TLS only, reserved
22	Record overflow	fatal	TLS only
30	Decompression failure	fatal
40	Handshake failure	fatal
41	No certificate	warning/fatal	SSL 3.0 only, reserved
42	Bad certificate	warning/fatal
43	Unsupported certificate	warning/fatal	e.g. certificate has only Server authentication usage enabled and is presented as a client certificate
44	Certificate revoked	warning/fatal
45	Certificate expired	warning/fatal	Check server certificate expire also check no certificate in the chain presented has expired
46	Certificate unknown	warning/fatal
47	Illegal parameter	fatal
48	Unknown CA (Certificate authority)	fatal	TLS only
49	Access denied	fatal	TLS only – e.g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one.
50	Decode error	fatal	TLS only
51	Decrypt error	warning/fatal	TLS only
60	Export restriction	fatal	TLS only, reserved
70	Protocol version	fatal	TLS only
71	Insufficient security	fatal	TLS only
80	Internal error	fatal	TLS only
90	User canceled	fatal	TLS only
100	No renegotiation	warning	TLS only
110	Unsupported extension	warning	TLS only
111	Certificate unobtainable	warning	TLS only
112	Unrecognized name	warning/fatal	TLS only; client's Server Name Indicator specified a hostname not supported by the server
113	Bad certificate status response	fatal	TLS only
114	Bad certificate hash value	fatal	TLS only
115	Unknown PSK identity (used in TLS-PSK and TLS-SRP)	fatal	TLS only
120	No Application Protocol	fatal	TLS only, client's ALPN did not contain any server-supported protocols

ChangeCipherSpec protocol

+	Byte +0								Byte +1								Byte +2								Byte +3
Byte 0	20
Bytes 1..4	Version																Length
	(Major)								(Minor)								0								1
Byte 5	CCS protocol type

CCS protocol type

Currently only 1.

Application protocol

+	Byte +0								Byte +1								Byte +2								Byte +3
Byte 0	23
Bytes 1..4	Version																Length
	(Major)								(Minor)								(bits 15..8)								(bits 7..0)
Bytes 5..(m-1)	Application data
Bytes m..(p-1)	MAC (optional)
Bytes p..(q-1)	Padding (block ciphers only)

Length

Length of application data (excluding the protocol header and including the MAC and padding trailers)

MAC

20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.

Padding

Variable length; last byte contains the padding length.

Support for name-based virtual servers

From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the application protocol can start. In the name-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

There are two known workarounds provided by X.509:

• If all virtual servers belong to the same domain, a wildcard certificate can be used.^[251] Besides the loose host name selection that might be a problem or not, there is no common agreement about how to match wildcard certificates. Different rules are applied depending on the application protocol or software used.^[252]
• Add every virtual host name in the subjectAltName extension. The major problem being that the certificate needs to be reissued whenever a new virtual server is added.

In order to provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a Server Name Indication extension (SNI) in the extended ClientHello message. This extension hints the server immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to the clients.

Standards

Primary standards

The current approved version of TLS is version 1.2, which is specified in:

• RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".

The current standard replaces these former versions, which are now considered obsolete:

• RFC 2246: "The TLS Protocol Version 1.0".
• RFC 4346: "The Transport Layer Security (TLS) Protocol Version 1.1".

As well as the never standardized SSL 2.0 and 3.0, which are considered obsolete:

• Internet Draft (1995), SSL Version 2.0
• RFC 6101: "The Secure Sockets Layer (SSL) Protocol Version 3.0".

Extensions

Other RFCs subsequently extended TLS.

Extensions to TLS 1.0 include:

• RFC 2595: "Using TLS with IMAP, POP3 and ACAP". Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 2712: "Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)". The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have already been assigned.
• RFC 2817: "Upgrading to TLS Within HTTP/1.1", explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
• RFC 2818: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
• RFC 3207: "SMTP Service Extension for Secure SMTP over Transport Layer Security". Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 3268: "AES Ciphersuites for TLS". Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers.
• RFC 3546: "Transport Layer Security (TLS) Extensions", adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
• RFC 3749: "Transport Layer Security Protocol Compression Methods", specifies the framework for compression methods and the DEFLATE compression method.
• RFC 3943: "Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)".
• RFC 4132: "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)".
• RFC 4162: "Addition of SEED Cipher Suites to Transport Layer Security (TLS)".
• RFC 4217: "Securing FTP with TLS".
• RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", adds three sets of new cipher suites for the TLS protocol to support authentication based on pre-shared keys.

Extensions to TLS 1.1 include:

• RFC 4347: "Datagram Transport Layer Security" specifies a TLS variant that works over datagram protocols (such as UDP).
• RFC 4366: "Transport Layer Security (TLS) Extensions" describes both a set of specific extensions and a generic extension mechanism.
• RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".
• RFC 4680: "TLS Handshake Message for Supplemental Data".
• RFC 4681: "TLS User Mapping Extension".
• RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)".
• RFC 5054: "Using the Secure Remote Password (SRP) Protocol for TLS Authentication". Defines the TLS-SRP ciphersuites.
• RFC 5077: "Transport Layer Security (TLS) Session Resumption without Server-Side State".
• RFC 5081: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication", obsoleted by RFC 6091.

Extensions to TLS 1.2 include:

• RFC 5288: "AES Galois Counter Mode (GCM) Cipher Suites for TLS".
• RFC 5289: "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)".
• RFC 5746: "Transport Layer Security (TLS) Renegotiation Indication Extension".
• RFC 5878: "Transport Layer Security (TLS) Authorization Extensions".
• RFC 5932: "Camellia Cipher Suites for TLS"
• RFC 6066: "Transport Layer Security (TLS) Extensions: Extension Definitions", includes Server Name Indication and OCSP stapling.
• RFC 6091: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication".
• RFC 6176: "Prohibiting Secure Sockets Layer (SSL) Version 2.0".
• RFC 6209: "Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)".
• RFC 6347: "Datagram Transport Layer Security Version 1.2".
• RFC 6367: "Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)".
• RFC 6460: "Suite B Profile for Transport Layer Security (TLS)".
• RFC 6655: "AES-CCM Cipher Suites for Transport Layer Security (TLS)".
• RFC 7027: "Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)".
• RFC 7251: "AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS".
• RFC 7301: "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension".
• RFC 7366: "Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)".
• RFC 7465: "Prohibiting RC4 Cipher Suites".
• RFC 7507: "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks".
• RFC 7568: "Deprecating Secure Sockets Layer Version 3.0".
• RFC 7627: "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension".
• RFC 7685: "A Transport Layer Security (TLS) ClientHello Padding Extension".

Encapsulations of TLS include:

• RFC 5216: "The EAP-TLS Authentication Protocol"

Informational RFCs

• RFC 7457: "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)"
• RFC 7525: "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"

See also

• Application-Layer Protocol Negotiation – a TLS extension used for SPDY and TLS False Start
• Bullrun (decryption program) – a secret anti-encryption program run by the U.S. National Security Agency
• Key ring file
• Multiplexed Transport Layer Security
• Obfuscated TCP
• RdRand
• Server gated cryptography
• SSL acceleration
• tcpcrypt
• Transport Layer Security Channel ID – a proposed protocol extension that improves web browser security via self-signed browser certificates
• Wireless Transport Layer Security

References

Further reading

• Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0 Protocol" (PDF). The Second USENIX Workshop on Electronic Commerce Proceedings. USENIX Press. pp. 29–40. 
• Eric Rescorla (2001). SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub Co. ISBN 0-201-61598-3. 
• Stephen A. Thomas (2000). SSL and TLS essentials securing the Web. New York: Wiley. ISBN 0-471-38354-6. 
• Bard, Gregory (2006). "A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack On Ssl". International Association for Cryptologic Research (136). Retrieved 2011-09-23. 
• Canvel, Brice. "Password Interception in a SSL/TLS Channel". Retrieved 2007-04-20. 
• IETF Multiple Authors. "RFC of change for TLS Renegotiation". Retrieved 2009-12-11. 
• Creating VPNs with IPsec and SSL/TLS Linux Journal article by Rami Rosen
• Polk, Tim; McKay, Kerry; Chokhani, Santosh (April 2014). "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations" (PDF). National Institute of Standards and Technology. Retrieved 2014-05-07. 

External links

Wikimedia Commons has media related to SSL and TLS.

Specifications (see Standards section for older SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 links)

• RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2
• IETF (Internet Engineering Task Force) TLS Workgroup

Other

• OWASP: Transport Layer Protection Cheat Sheet
• A talk on SSL/TLS that tries to explain things in terms that people might understand.
• SSL: Foundation for Web Security
• TLS Renegotiation Vulnerability – IETF Tools
• Trustworthy Internet Movement – SSL Pulse – Survey of TLS/SSL implementation of the most popular web sites
• How to Generate CSR for SSL
• How TLS Handshake works in browser

This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.

TLS and SSL Protocols and technologies Transport Layer Security / Secure Sockets Layer (TLS/SSL) Datagram Transport Layer Security (DTLS) DNS Certification Authority Authorization (CAA) DNS-based Authentication of Named Entities (DANE) HTTPS HTTP Public Key Pinning (HPKP) HTTP Strict Transport Security (HSTS) OCSP stapling Perfect forward secrecy Server Name Indication (SNI) STARTTLS Public-key infrastructure Automated Certificate Management Environment (ACME) Certificate authority (CA) CA/Browser Forum Certificate policy Certificate revocation list (CRL) Domain-validated certificate (DV) Extended Validation Certificate (EV) Online Certificate Status Protocol (OCSP) Organization-validated certificate (OV) Public key certificate Public-key cryptography Public key infrastructure (PKI) Root certificate Self-signed certificate See also Domain Name System Security Extensions (DNSSEC) Internet Protocol Security (IPsec) Secure Shell (SSH) History Export of cryptography from the United States Server-Gated Cryptography Implementations Bouncy Castle BoringSSL Botan cryptlib GnuTLS JSSE LibreSSL MatrixSSL NSS OpenSSL mbed TLS RSA BSAFE SChannel SSLeay stunnel wolfSSL Notaries Certificate Transparency Convergence HTTPS Everywhere / SSL Observatory Perspectives Project Vulnerabilities Theory Man-in-the-middle attack Padding oracle attack Lucky Thirteen attack Cipher Bar mitzvah attack Protocol BEAST BREACH CRIME Logjam POODLE (in regards to SSL 3.0) Implementation Certificate authority compromise Random number generator attacks FREAK goto fail Heartbleed POODLE (in regards to TLS 1.0)

Virtual private networking Communications protocol SSTP IPsec L2TP L2TPv3 PPTP Split tunneling SSL/TLS (Opportunistic: tcpcrypt) Free software Cloudvpn FreeS/WAN Libreswan n2n OpenConnect OpenIKED Openswan OpenVPN Social VPN SoftEther VPN strongSwan tcpcrypt tinc VTun Vendor-driven protocols Layer 2 Forwarding Protocol DirectAccess Proprietary software Check Point VPN-1 Cisco Systems VPN Client Hamachi Microsoft Forefront Unified Access Gateway Risk Vectors Content-control software Deep content inspection Deep packet inspection IP address blocking Network enumeration Stateful firewall TCP Reset VPN blocking

Web browsers Comparison History List for Unix Timeline Usage share Features Ad filtering Augmented browsing Bookmarks Bookmarklet Live bookmark Smart Bookmarks Browser extension Browser security Browser synchronizer comparison Cookies Download manager Favicon Incremental search Plug-in Privacy mode Tabs Universal Edit Button Web standards Acid tests Cascading Style Sheets HTML HTML5 JavaScript MathML OCSP SVG WebGL XHTML Related topics BrowserChoice.eu CRL HTTP HTTPS iLoo Internet suite Man-in-the-browser Mobile Web Offline reader PAC Pwn2Own Rich Internet application Site-specific browser SPDY SSL/TLS WebSocket Widget World Wide Web WPAD XML   Desktop Blink-based Chromium Chrome Dragon Opera Slimjet SRWare Iron UC Browser Vivaldi Yandex.Browser Sputnik WebKit-based Arora Avant Dooble Epic Flock Fluid iCab Konqueror Lunascape Maxthon Midori OmniWeb Origyn Web Browser QtWeb QupZilla rekonq Safari Shiira Sleipnir SlimBoat surf Torch Uzbl Web WebPositive xombrero Trident-based AOL Explorer Avant Deepnet Explorer GreenBrowser Internet Explorer Lunascape Maxthon MediaBrowser MenuBox NeoPlanet NetCaptor SlimBrowser SpaceTime UltraBrowser WebbIE ZAC Browser Gecko-based AT&T Pogo Avant Camino Firefox Conkeror GNU IceCat IceDragon Swiftfox Swiftweasel TenFourFox Timberwolf Tor Browser Waterfox xB Browser Galeon Ghostzilla K-Meleon Kazehakase Kirix Strata Lotus Symphony Lunascape Mozilla Beonex Communicator Classilla Netscape SeaMonkey Text-based ELinks Emacs/W3 Line Mode Browser Links Lynx Net-Tamer w3m Other abaco Amaya Arachne Arena Charon Dillo Gazelle IBM Home Page Reader IBrowse KidZui Microsoft Edge Mosaic Mothra NetPositive NetSurf Pale Moon   Mobile WebKit-based Android Browser BOLT Chrome Dolphin Browser Nintendo 3DS Internet Browser Maxthon Mercury Browser Nokia Browser for Symbian Opera Mobile Rockmelt Safari Silk Steel Gecko-based Firefox for mobile MicroB Minimo Presto-based Nintendo DS & DSi Browser Opera Mini Other Blazer CM Browser Deepfish Galio ibisBrowser Internet Explorer Mobile Iris Browser Konqueror Embedded Microsoft Edge NetFront Nokia Xpress Obigo Browser Skweezer Skyfire Teashark ThunderHawk UC Browser Vision WinWAP   Television and video game console WebKit-based Google TV NetFront Steam Overlay Wii U Internet Browser Gecko-based Kylo Presto-based Internet Channel Blink-based Android TV Amazon Fire TV Other Galio MSN TV Software no longer in development shown in italics Category Commons Internet portal Software portal