The world of security is so vast. But it never failed to amaze me. I am excited about this journey of getting to know security in more details. I made a recent presentation about SSL at ERNW as part of my training. Even though I learned the protocol before, I realised there is much more to the protocol that I knew. I feel the area of SSL/TLS is beyond a mere protocol. It has become a new standard that a huge part of internet is relying on. I really liked the book “Bulletproof SSL and TLS” by Ivan Ristic from SSL labs. I got the book signed by the author during the last Blackhat EU. But I never found enough time to read through the details. It was a great experience reading the book.
SSL/TLS comes between the application layer and transport layer in the network stack. It usually comes as an encapsulation of the application layer protocol like HTTP. These days, it is almost used in every field involving the internet, like web browsing, emails, instant messaging, VoIP, internet faxing and so on. The major idea behind SSL/TLS is to prevent man in the middle(MITM) attacks. There are numerous possibilities of how and why an MITM occurs. It could be individual hackers trying to steal bank pins. It could even be Government agencies trying to spy on their people and people of other nations. MITM could be categorized as active attacks and passive attacks. Active attacks are mainly aimed to trick authentication and trying to impersonate another person. Passive attacks are based on capturing network traffic and analysing the packets. This could lead to information disclosures. Sometimes, even encrypted traffic is analysed to find weakness in encryption used. In order to avoid the different types of man in the middle attacks, SSL was designed. It provides confidentiality, integrity, authentication and non-repudiation.
The protocol in itself is very interesting to learn. There are a bunch of attacks on SSL/TLS. It is also interesting to know about the defense mechanisms and evolution of TLS from 1996 until 2016, 20 years of growth. You can check the presentation slides for more details.