The TLS protocol is used to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client and a server have one or more of the following properties:-
Transport Layer Security (TLS) evolved from Secure Sockets Layer (SSL). A careful TLS configuration provides additional privacy-related properties such as forward secrecy, prevention of encryption key disclosure, etc.
For a web application to support all its end users, the application must support all the ciphers the end user might use:-
Android Browser: The Android browser is the built-in browser used in stock Android phones. Google Chrome has now replaced the Android browser. The Android browser doesn’t support all the latest TLS ciphers; if an application doesn’t support the ciphers the Android browser does, its end users won’t be able to access the web application.
A TLS certificate is issued by a Certification Authority (CA). If the certificate is old or expired, the browser won’t load the application. Old certificates issued by Symantec were vulnerable to man-in-the-middle attacks.
Symantec is an SSL/TLS certificate provider with enterprise-class strength and industry-recognised support, distributed under VeriSign. Many web applications use an SSL/TLS certificate issued by Symantec. Symantec-issued SSL/TLS certificates are vulnerable due to the use of weak and easily breakable ciphers. This vulnerability applies to certificates issued before June 1, 2016. These certificates won’t function in Chrome version 66 and above. Users will see SSL errors, which impacts the end users of the application. The ‘DES/3DES ciphers’ in TLS can be exploited to perform a man-in-the-middle (MITM) attack. The attacker can extract plain text from large volumes of encrypted traffic. Using that information, an attacker can escalate further with other intrusion attacks.
Some of the application’s clients might use older operating systems or old web browsers. The old cipher suite is used by all clients back to Windows XP/IE6. For example, suppose your application is used in the banking sector. Some banks use old server configurations, and they won’t be able to access your application. As a result, the application might lose its customer base.
There are three types of TLS:-
If the application doesn’t support strong cipher suites from old, intermediate and modern TLS, clients using any of these TLS types won’t be able to access the application.
If the application doesn’t support a cipher, the application won’t run on the user’s end. This issue might reduce the number of users of the application. The browser might not allow the end user to access the web application. Applications with an old TLS certificate won’t be loaded by Google Chrome version 66 and above.
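A check for the three conditions described above (DES/3DES suites enabled, client classes with no shared cipher, and a Symantec certificate issued before June 1, 2016), as an added example that is not from the original article or from Beagle. The client profiles, cipher lists and certificate fields are constructed sample data, and the function names are hypothetical; the certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl

# Chrome 66 cutoff from the article: Symantec certificates issued before June 1, 2016.
CUTOFF = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")

# Constructed sample client profiles (assumption): OpenSSL-style cipher names
# that each class of client is able to offer.
CLIENT_OFFERS = {
    "old": ["DES-CBC3-SHA"],
    "intermediate": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "modern": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
}

def des_suites(server_ciphers):
    """Enabled suites that use DES or 3DES (for example DES-CBC3-SHA)."""
    return [c for c in server_ciphers if "DES" in c.upper()]

def locked_out(server_ciphers, client_offers=CLIENT_OFFERS):
    """Client profiles sharing no cipher with the server; their handshake fails."""
    enabled = set(server_ciphers)
    return [name for name, offered in client_offers.items()
            if not enabled.intersection(offered)]

def issuer_org(cert):
    """organizationName of the issuer in a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def symantec_before_cutoff(cert):
    """True for a Symantec-issued certificate dated before June 1, 2016."""
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return "symantec" in issuer_org(cert).lower() and issued < CUTOFF

def audit(server_ciphers, cert):
    """Combine the three checks into one report."""
    return {
        "des_3des_enabled": des_suites(server_ciphers),
        "clients_locked_out": locked_out(server_ciphers),
        "symantec_pre_june_2016": symantec_before_cutoff(cert),
    }

if __name__ == "__main__":
    # Constructed server configuration and certificate fields.
    ciphers = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]
    cert = {"issuer": ((("organizationName", "Symantec Corporation"),),),
            "notBefore": "May 10 00:00:00 2016 GMT"}
    print(audit(ciphers, cert))
```

With the sample profiles, enabling `DES-CBC3-SHA` is what lets the "old" client class connect, and it is also the suite flagged as DES/3DES, so the report makes the compatibility and risk trade-off visible in one place.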
Beagle recommends the following fixes:-