
SoylentNews is people

posted by Fnord666 on Monday July 03 2017, @11:56PM
from the reflections dept.

Submitted via IRC for TheMightyBuzzard

Since the early days of the SSL/TLS protocols, the security community has been struggling with various attacks that have made many press headlines.

[...] The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet.

It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 will hopefully be released soon. Each protocol version tried to improve its predecessor and mitigated some specific attacks.

As is usually the case in security, there is a "cops and robbers" game going on between the designers and developers of the TLS protocol and the people who try to break it (be it from the hacker community or from academia). Unfortunately, this game is open-ended, meaning that it will never end and has no winner.

Not precisely news but it's good to stop, reflect, and look forward now and then.

Source: https://www.helpnetsecurity.com/2017/07/03/tls-security/


  • (Score: 1) by Roger Murdock (4897) on Wednesday July 05 2017, @12:16AM (#534985) (2 children)

    Blue Coats (and any other corporate MITM devices) don't need a root cert from Symantec or anywhere else to do SSL packet inspection on a corporate network, because the IT dept can just create its own cert and make sure it's trusted by all the PCs on the network, which they have full control over.

  • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @09:06AM (#535111)

    That would be correct if they were only targeting corporate networks. Thus we can conclude that their need for a root certificate must mean that they are targeting networks where there is no one central admin to push out such certificates - such as intercepting information from all those people who want to replace the king / dictator of their respective countries.

  • (Score: 2) by Pino P (4721) on Wednesday July 05 2017, @03:50PM (#535229)

    the IT dept can just create its own cert and make sure it's trusted by all the PCs on the network

    Not since Android 7 "Nougat", which distrusts user-installed root certificates [googleblog.com] outside those applications that have explicitly opted in to trusting user-installed root certificates through Network Security Configuration in the application's manifest [android.com]. Does Chrome for Android 7 opt in?

    all the PCs on the network, which they have full control over

    A company offering access to its WLAN hotspot at no extra charge to customers on its premises lacks control of these customers' devices.
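For readers unfamiliar with the opt-in that Pino P's comment refers to, here is an added illustration of an app's Network Security Configuration; it is not part of any comment above and not taken from any Android project. Since Android 7, an app that ships no such file trusts only the system CA store, so a root certificate installed by a user (or pushed by the IT department) is ignored for that app. The file below keeps that default for all connections and opts in to user-installed CAs only for one named domain. The resource file name and the domain `intranet.example.com` are constructed for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example; the file name is an assumption) -->
<network-security-config>
    <!-- Default for every connection the app makes: only the system CA store.
         This matches what Android 7+ applies when an app has no config at all.
         A CA installed by a user or a device-management profile is NOT trusted here,
         so an inspecting proxy cannot present a cert this app will accept. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Opt-in scoped to one domain: user-installed CAs are trusted only for this
         host (and its subdomains), so an interception device on the corporate
         network can see this traffic and nothing else the app does. -->
    <domain-config>
        <domain includeSubdomains="true">intranet.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The file only takes effect once the manifest points at it with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Putting `<certificates src="user" />` inside `<base-config>` instead would extend the opt-in to every host the app talks to, which is the broad trust the comment describes; scoping it to a `<domain-config>` keeps the rest of the app's traffic at the system-store default, and the presence of a `src="user"` anchor in a shipped app is worth flagging in an app review for exactly that reason.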