How Does SSL Work


What is SSL

SSL stands for Secure Sockets Layer, and in this article we’ll answer the question: ‘How does SSL work’. It’s a protocol that is used to encrypt communications between two points. SSL is now considered legacy and has been superseded by TLS, or Transport Layer Security. TLS offers a number of improvements and enhancements over SSL, making it the de facto standard for protecting Internet traffic for a user accessing a website.

Due to the similarities between SSL and TLS and because of the long history of SSL, although it is now obsolete and not recommended for use, people still use the term in conversation. These days however when someone mentions SSL, more than likely the technology in question will actually be TLS.

SSL (and TLS) define cryptographic protocols used to establish a secure communications channel between a client and a server.

This is a general article on SSL, and most of the information is also relevant to TLS, so keep that in mind. If you would like to find out what the differences are between the two protocols and why TLS is better, then I’d recommend reading our future article on The Differences between SSL and TLS.

What are the benefits of SSL

SSL provides confidentiality and data integrity. It can also optionally provide authentication.

Confidentiality is obtained by encrypting the data so that an unauthorised party, should they capture the data, will not be able to read it. A Message Authentication Code (or MAC) sent with the data across the channel is used to maintain data integrity. Using the MAC, the receiving party can check that the data they received has not been altered.

SSL can also provide authentication of one or both of the endpoints. It’s very common for the client to authenticate the server, and this is what happens when you visit a website that uses HTTPS, that is, Secure HTTP. Client authentication is seen a lot less when accessing websites, as that is usually handled by the website itself, for example with your login credentials. However, it is still widely used. For example, a lot of corporate wifi installations use client authentication, which allows users to join without having to enter or remember a password.

Client and server authentication uses digital certificates, which are a large topic in themselves. You can find out a lot more about them, and how they are created and used, in our upcoming article that answers the question of What is a digital certificate?

How does SSL Work

To establish a secure connection, a client initiates the communication and presents its cryptographic information. The server responds with a cipher suite and its certificate. The client authenticates the server’s certificate and checks the received cryptographic parameters. The client generates an encryption key, secures it with the server’s public key (contained within the server certificate) and sends it to the server. Now that the key exchange has occurred, the client and server can proceed to exchange data messages securely.

What algorithms does SSL use

SSL supports a wide range of algorithms which are split into three categories: key agreement, encryption ciphers and message authentication. As there are numerous combinations that could be used to secure a connection, and there’s no advance knowledge as to what the client may support, a negotiation process takes place to select a supported combination.

Algorithms aren’t created equally and over time weaknesses or vulnerabilities may be discovered. It’s critical for the server terminating the SSL connection to be configured correctly. The list of algorithms to use should be ordered so that the strongest supported combination is negotiated. It’s also very important to disable known weak algorithms as they are identified.

A prime example of this and a reason why we now use TLS over SSL is a vulnerability known as POODLE that relates to SSLv3 and which was disclosed in 2014.
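The configuration advice above, as an added example that is not part of the original article: a Python `ssl` server context with legacy protocol versions and weak suites disabled, plus a simplified model of server-preference negotiation showing why ordering and pruning the list matters. The weak-marker list, the suite lists and the `negotiate` helper are assumptions constructed for illustration.

```python
import ssl

# Name fragments of suites a server should no longer offer. This list is an
# assumption made for the example, not a complete policy.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")

def is_weak(suite: str) -> bool:
    return any(marker in suite for marker in WEAK_MARKERS)

def hardened_server_context() -> ssl.SSLContext:
    """Server context with legacy protocol versions and weak suites disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # OpenSSL cipher string
    return ctx

def enabled_weak_suites(ctx: ssl.SSLContext) -> list:
    """Audit: names of enabled suites that match a weak marker."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak(c["name"])]

def negotiate(server_order: list, client_offer: list):
    """Simplified model of negotiation with server preference: the first
    suite in the server's list that the client also offers, or None."""
    return next((s for s in server_order if s in client_offer), None)

# Constructed suite lists (OpenSSL-style names) for the demonstration.
LOOSE_SERVER = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5"]
STRICT_SERVER = sorted((s for s in LOOSE_SERVER if not is_weak(s)),
                       key=lambda s: "GCM" not in s)  # AEAD suites first
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
LEGACY_CLIENT = ["RC4-MD5"]

if __name__ == "__main__":
    print(enabled_weak_suites(hardened_server_context()))
    print(negotiate(LOOSE_SERVER, MODERN_CLIENT))   # badly ordered list
    print(negotiate(STRICT_SERVER, MODERN_CLIENT))  # strongest common suite
    print(negotiate(LOOSE_SERVER, LEGACY_CLIENT))   # weak suite still enabled
    print(negotiate(STRICT_SERVER, LEGACY_CLIENT))  # no common suite
```

With the strict list, a client that only offers a weak suite gets no connection at all, which is the intended outcome of disabling that suite.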

How do I check my connection is secure

Modern web browsers show you that a connection is secure by showing a padlock in the address bar. It’s also possible to view which algorithms have been negotiated for a particular connection. For example, my connection to https://google.com with their Chrome browser shows the site is encrypted and authenticated using QUIC (a strong protocol), X25519 (a strong key exchange), and AES_128_GCM (a strong cipher).

 

[Image: How does SSL Work - Secure browser connection]

How important is the server configuration

We’ve already mentioned how important it is to limit and appropriately order the algorithms that are used to secure a connection. As they say, a chain is only as strong as its weakest link. A strong cipher suite list is just one control and should be coupled with configuration and process that take into account best practice and up-to-date standards. Man in the Middle attacks are one example of what a user may be inadvertently exposed to by an incorrectly configured server. Our previous article Man in the middle attack prevention explains what steps a user can take to reduce the threat.

Useful Links

A range of useful links for further reading are included below:

Secure Sockets Layer (SSL) concepts

Protecting against POODLE

Man in the middle attack prevention

Man in the Middle Attack Prevention

What is a Man in the Middle Attack?

A Man in the Middle Attack is one where a malicious third party C attempts to intercept and actively disrupt a communication flow between two parties A and B.

The two communicating parties are unaware that their messages are being intercepted and potentially manipulated.

The attack can occur when there is a lack of an adequate authentication mechanism for the communicating parties or an effective method for ensuring the integrity of the messages being sent and received.

Let’s take an example

Suppose Alice is in the market for a new phone. She has a search online and comes across a great offer on a reputable auction website. Bob is selling a brand spanking new phone that he received as a gift. The upgrade would be great, but at the moment Bob would rather have the cash so he can put it towards a new guitar that he has his eye on.

Alice makes an offer through the site a little under the asking price which Bob accepts.

Both Alice and Bob have good feedback on the site, but Bob only accepts bank transfers. Bob sends Alice his bank details, she transfers the money for the phone and confirms when it’s been done. Bob sees the payment enter his bank account and proceeds to send the item. Alice receives the phone a few days later. Everyone’s happy!

Now what could have happened if Alice and Bob had fallen victim to a Man in the Middle Attack?

We’ll replay the same scenario, however this time we’ll introduce Mallory. She’s an active attacker, making a concerted effort to do no good.

Now suppose that Mallory has compromised Alice’s connection to the auction website. Alice assumes, as one would, that she’s connected securely to the site and all of the messages getting passed back and forth are similarly safe and secure.

She’s completely unaware that Mallory can intercept her traffic and redirect her connection to a fake version of the auction site. So when Alice connects to the auction site, she’s actually connecting to the fake site that Mallory has created. Mallory sees and can manipulate any of the messages from Alice and forwards them on to the real auction site. Similarly, the responses from the website are also seen by Mallory and she forwards them back to Alice.

All the time Alice thinks she’s connected to the auction site, Mallory can intercept and manipulate the conversation.

Now back to the example, Alice makes an offer for the phone through the site a little under the asking price which Bob accepts.

Bob sends his bank account details to Alice. Mallory however intercepts this message and replaces Bob’s account details with those of another account that she has access to.

Alice receives Bob’s message (with Mallory’s bank account details) unaware that it’s been altered, transfers the money and sends a message back to Bob to let him know to expect the money. Mallory intercepts the message back to Bob also and replaces it with a different message notifying Bob that she (posing as Alice) has decided in the end not to buy the phone, but thanks him for his time.

When Mallory sees the money has been credited to the account, she nips down to a cash machine and withdraws the cash.

Alice is left wondering and upset when her phone doesn’t arrive. Bob has no knowledge that money was ever transferred and Mallory sips her Pina Colada by the pool on a nice relaxing holiday paid for by Alice.

When could an attack occur?

Nowadays when people refer to a Man in the Middle attack, they’re probably referring to a form of cyber attack similar to the one described in the scenario above where a user connects to a website in their browser and a malicious attacker manages to intercept that communication flow, often whereby the attacker has taken advantage of a weakness in the website’s configuration.

It’s important to note however that it may not be a user interacting with a website; it could also be a mobile app communicating with an Internet service.

Man in the Middle attacks are not limited to websites or web services. In fact it can be anything communicating with anything, email messages or our good ol’ postal service for example. If you go back far enough to when messages got delivered from one kingdom to another by men on horseback, then if that messenger got intercepted en route by the enemy this would also be considered a Man in the Middle attack.

How does it happen?

If the two parties trying to communicate, in our case Alice and Bob, have no way to authenticate each other, or if they do but that system has also been compromised, then they don’t have an airtight way of proving their identity, that is, proving they are who they say they are.

If Alice can’t successfully prove to Bob that she is really Alice how does Bob know he’s talking with the real Alice? As in our example, indeed he thought he was talking to Alice, but in fact he was talking to Mallory.

If the integrity of the messages being exchanged can’t be guaranteed, then how can either party reliably determine that a message hasn’t been altered?

If Alice sends a message to Bob, then unless Bob has some way of proving that the message he’s received is the same message that Alice originally sent, it could have been altered and Bob has no way of checking whether that is the case.

Again in our example, Mallory substituted Bob’s bank account details for her own and then sent the message on to Alice. Because Alice couldn’t check that the message hadn’t been changed, she had no way to detect that the account details didn’t belong to Bob.

One thing to note is that you can’t just have one without the other. In either case, the opportunity for a Man in the Middle attack could still exist.
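The point that integrity and authentication depend on each other, and the MAC check described in the SSL article earlier on this page, shown as an added example that is not part of the original article. It uses HMAC-SHA256 from Python's standard library; the messages, account numbers and function names are constructed for illustration, and the keys stand in for whatever a key exchange would have produced.

```python
import hashlib
import hmac
import secrets

GENUINE = b"Pay Bob: account 11111111"   # constructed sample message
ALTERED = b"Pay Bob: account 99999999"   # constructed altered copy

def make_tag(key: bytes, message: bytes) -> bytes:
    """MAC over the message, as sent alongside the data."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver's check: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)

def with_authenticated_key() -> dict:
    """Alice and Bob hold a key that only the two of them know."""
    key_ab = secrets.token_bytes(32)
    tag = make_tag(key_ab, GENUINE)
    return {
        "genuine": accepts(key_ab, GENUINE, tag),
        # Altered in transit: without the key no matching tag can be made,
        # so the original tag arrives with the altered message.
        "altered": accepts(key_ab, ALTERED, tag),
    }

def without_authentication() -> dict:
    """Neither side verified its peer, so each unknowingly shares a key
    with the party in the middle instead of with the other."""
    key_bob_middle = secrets.token_bytes(32)
    key_middle_alice = secrets.token_bytes(32)
    tag_from_bob = make_tag(key_bob_middle, GENUINE)
    # The middle party holds both keys: it can check Bob's tag and issue a
    # fresh, valid tag for whatever it forwards to Alice.
    bob_tag_valid = accepts(key_bob_middle, GENUINE, tag_from_bob)
    forwarded_tag = make_tag(key_middle_alice, ALTERED)
    return {
        "bob_tag_valid": bob_tag_valid,
        "altered": accepts(key_middle_alice, ALTERED, forwarded_tag),
    }

if __name__ == "__main__":
    print(with_authenticated_key())
    print(without_authentication())
```

In the second case the integrity check passes on the altered message, which is why the MAC is only meaningful once the peer holding the key has been authenticated.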

Man in the Middle Attack Prevention

Detecting Man in the Middle attacks can be very difficult so this is definitely a case where prevention is a better approach.

If we go back to focusing on the Internet, it’s best if you can avoid public wifi for accessing private information like your personal email, or accessing services like online banking. If you’re not sure what you think is or isn’t safe, a good rule of thumb could be to ask yourself “would I be bothered if a stranger got hold of this information”. If the answer is yes, then maybe it’s better to wait until you can connect somewhere that you trust.

Trust and being vigilant are two very important attributes to keep in mind generally. There’s a better chance that specific measures have been taken to protect you as the user from Man in the Middle attacks with reputable sites and apps. These protections are usually seen as best practice. If you’re in doubt, you can always contact the company and ask the question; most companies will be happy to provide you with information on how you are protected.

Always check for a padlock in your browser showing that you’ve got a secure connection to the website you’re visiting. Over half of the Internet is now encrypted so on average you will be protected for the majority of sites you visit.

If you receive a certificate warning error when you visit a site the urge may be there to ignore it. There’s usually a valid and good reason for the warning, so it’s worth taking notice.

Useful Links

A range of useful links for further reading are included below:

Dummies – Man in the Middle attacks

OWASP – Man in the Middle attacks

SANS Institute Reading Room – SSL Man in the Middle attacks