Secure Sockets Layer (SSL) is one of the most used standard security protocol. This protocol establishes an encrypted online communication between a web server and a browser. The SSL technology encrypts the communication channel through which all the data are transmitted between the web server and browser. An SSL connection can be established using a valid SSL certificate. For activating SSL certification, the admin must give valid information about the application. When a certification is issued, two cryptographic keys are generated:-
- Private Key
- Public Key
SSL Certificate contains information about the application like domain name, company name and other information like company address and many more. This certificate also shows the expiry date of the SSL along with details of the issuing Certification Authority (CA). When a browser requests a connection with an SSL secured website, the browser will first get the site’s SSL Certificate to check if it’s still valid. Then the browser checks whether the site is verified under a browser trusted CA. The browser will warn if any of these checks fail.
This protocol is used by almost all of the online business to ensure secure and confidential online transactions. Any web browser can interact with secured sites so long as they have a trusted CA certification.
The following steps represent how an SSL handshake works:-
- An end-user through his/her browser makes a secure connection to a website (e.g.https://www.example.beaglesecurity.com).
- The browser will obtain the IP address of the site from a DNS server. After receiving the request, the browser requests a secure connection to the website.
- To initiate a secure connection, the browser will request the server identification by requesting SSL certification.
- The browser checks the following contents in the certification:
- signature by a trusted CA
- If the certification has not expired or been revoked
- Checks the necessary security standards like key lengths and other items.
- Checks the domain listing on the certificate to match the domain through which the user has requested.
- If all the conditions are met, it creates a symmetric session key and encrypts it with the public key in the website’s certificate.
- The session key is sent over to the web server.
- The web server uses its private key to decrypt the session key.
- The server sends back an acknowledgement that is encrypted with the session key.
- The data is transmitted between the server and the browser in an encrypted and secure format.
SSL was first introduced by Netscape.
SSL 2.0
SSL 2.0 is Secure Socket Layer 2.0. This version of SSL is known to have many weaknesses. This version was first introduced in the year 1995. There were many issues with this version. Due to these vulnerabilities, SSL version 3 was introduced.
SSL 3.0
SSL 3.0 is the next iteration of SSL 2.0 which was introduced to fix all the security flaws present in SSL 2.0. The SSL 3.0 bug works on the blocks of data are encrypted. It works under a specific type of encryption algorithm within the SSL protocol. This site has SSL 3.0 outdated version. The POODLE attack can be used in this site. An attacker can gain access to sensitive data passed within the encrypted web session. The data include passwords, cookies and other authentication tokens and can easily gain more complete access to a website such as impersonating that user, accessing database contents etc.
Impact
SSL is vulnerable to following attacks:-
POODLE attack: Any site that uses SSL is vulnerable to POODLE attack. An attacker can gain access to sensitive information from encrypted web session.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Install OpenSSL instead of SSL. SSL is not fix.
