How to enable the TLS 1.2 protocol. Login failed

The TLS protocol encrypts all kinds of Internet traffic, thereby making communication and sales on the Internet secure. We will talk about how the protocol works and what awaits us in the future.

What is SSL

SSL or Secure Sockets Layer was the original name for a protocol developed by Netscape in the mid-90s. SSL 1.0 was never publicly available, and version 2.0 had serious flaws. The SSL 3.0 protocol, released in 1996, was completely overhauled and set the tone for the next stage of development.

What is TLS

When the next version of the protocol was released in 1999, it was standardized by a dedicated working group of the Internet Engineering Task Force (IETF) and given a new name: Transport Layer Security, or TLS. As the TLS specification says, "the difference between this protocol and SSL 3.0 is not critical." TLS and SSL form a continuously updated family of protocols and are often lumped together under the name SSL/TLS.

The TLS protocol encrypts Internet traffic of any kind; web traffic is the most common case. You can tell that your browser has established a TLS connection when the address in the address bar starts with "https".

TLS is also used by other applications such as mail and teleconferencing systems.

How TLS works

Encryption is necessary to communicate securely on the Internet. If your data is not encrypted, anyone can analyze it and read sensitive information.

The most secure encryption method is asymmetric encryption. It requires two keys, one public and one private. These are files containing information, most often very large numbers. The mechanism is complex, but put simply: anyone can use the public key to encrypt data, but only the private key can decrypt it. The two keys are linked by a mathematical relationship that is computationally very hard to reverse.

You can think of the public key as information about the location of a closed mailbox with a hole, and the private key as the key that opens the box. Anyone who knows where the box is can put a letter in there. But to read it, a person needs a key to open the box.

Since asymmetric encryption involves heavy mathematical calculations, it requires a lot of computing resources. TLS solves this problem by using asymmetric encryption only at the start of a session, to protect the exchange in which the server and the client agree on a single session key. Both sides then use that symmetric session key to encrypt the data packets.

The process by which the client and server agree on a session key is called the handshake. This is the moment when the two communicating computers introduce themselves to each other.

TLS handshake process

The TLS handshake is quite complex. The steps below describe it in general terms so that you understand how it works.

  1. The client contacts the server and requests a secure connection. The server responds with a list of cipher suites (the sets of algorithms used to make encrypted connections) that it knows how to use. The client compares this with its own list of supported ciphers, selects a suitable one, and tells the server which one they will use together.
  2. The server provides its digital certificate, an electronic document signed by a third party that confirms the authenticity of the server. The most important information in the certificate is the server's public key. The client verifies the certificate.
  3. Using the server's public key, the client and server establish a session key, which they will both use throughout the session to encrypt communication. There are several methods for this. For example, the client can use the public key to encrypt a random number, which is then sent to the server for decryption; both parties then derive the session key from this number.

The session key is only valid for one continuous session. If, for some reason, communication between the client and server is interrupted, a new handshake will be needed to establish a new session key.

Vulnerabilities in the TLS 1.2 protocol

TLS 1.2 is the most widely used version of the protocol. This version established the basic set of session encryption options. However, like some previous versions, it still allowed older encryption techniques to be used in order to support older computers. Unfortunately, this led to vulnerabilities in version 1.2 as those older mechanisms weakened over time.

For example, TLS 1.2 has proven especially vulnerable to man-in-the-middle tampering attacks, in which an attacker intercepts data packets in the middle of a session and forwards them after reading or modifying them. Many of these problems have surfaced over the past two years, so an updated version of the protocol became urgent.

TLS 1.3

Version 1.3 of the TLS protocol, which will soon be finalized, fixes many of these vulnerabilities by removing support for legacy encryption systems.
The new version remains compatible with previous versions: for example, the connection falls back to TLS 1.2 if one of the parties cannot use any of the newer algorithms allowed by version 1.3. However, if an attacker in the middle of the connection tries to force a rollback of the protocol version to 1.2 during the session, this is detected and the connection is terminated.
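The handshake steps above and the downgrade detection just described can be seen concretely in how a client inspects the ServerHello. The following Python is an added example, not code from the original page: it parses a ServerHello record, reads the negotiated version (from the supported_versions extension for TLS 1.3, otherwise from the legacy version field) and the cipher suite, and applies two client-side rules: refuse anything below a configured minimum version (TLS 1.2 by default, so SSLv3 is never accepted), and refuse a TLS 1.2-or-lower ServerHello whose random ends in the RFC 8446 downgrade sentinel (`DOWNGRD\x01` / `DOWNGRD\x00`), which a TLS 1.3-capable server writes whenever it negotiates an older version. The sample records are constructed inline with a fake random value; they are not captured from any real server, and the helper and function names are my own.

```python
import struct

# TLS 1.3 downgrade sentinels (RFC 8446, section 4.1.3): a TLS 1.3-capable
# server that ends up negotiating an older version writes one of these into
# the last eight bytes of ServerHello.random so a TLS 1.3 client can notice.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"      # server negotiated TLS 1.2
DOWNGRADE_TLS11 = b"DOWNGRD\x00"      # server negotiated TLS 1.1 or lower
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello.

    Returns the negotiated version, the cipher suite and any downgrade
    sentinel found in the random. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:       # 0x02 = ServerHello
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = (hello[0], hello[1])
    random = hello[2:34]
    pos = 34
    sid_len = hello[pos]                               # legacy_session_id_echo
    pos += 1 + sid_len
    cipher_suite, = struct.unpack("!H", hello[pos:pos + 2])
    pos += 3                                           # cipher suite + compression byte
    negotiated = legacy_version
    if pos + 2 <= len(hello):                          # extensions are optional
        ext_total, = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            # In TLS 1.3 the real version lives here; legacy_version stays 0x0303.
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                negotiated = (data[0], data[1])
    tail = random[-8:]
    downgrade = None
    if tail == DOWNGRADE_TLS12:
        downgrade = "TLS 1.2"
    elif tail == DOWNGRADE_TLS11:
        downgrade = "TLS 1.1 or lower"
    return {"version": negotiated, "cipher_suite": cipher_suite,
            "downgrade_sentinel": downgrade}


def check_server_hello(record: bytes, client_max=(3, 4), floor=(3, 3)):
    """Decide, as a client would, whether to continue the handshake.

    floor is the lowest version policy allows (TLS 1.2 here, so SSLv3 and
    POODLE-style fallbacks are refused); client_max is the highest version
    this client offered in its ClientHello."""
    info = parse_server_hello(record)
    name = VERSION_NAMES.get(info["version"], str(info["version"]))
    if info["version"] < floor:
        return False, f"refused: {name} is below the configured minimum"
    if client_max >= (3, 4) and info["version"] <= (3, 3) and info["downgrade_sentinel"]:
        return False, f"refused: downgrade to {name} signalled by server (sentinel present)"
    return True, f"accepted: {name}, cipher suite 0x{info['cipher_suite']:04x}"


def build_server_hello(legacy_version, random32, cipher_suite, selected_version=None):
    """Build a minimal ServerHello record for the constructed samples below."""
    hello = bytes(legacy_version) + random32 + b"\x00"        # empty session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"        # null compression
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected_version)
    hello += struct.pack("!H", len(exts)) + exts
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(legacy_version) + struct.pack("!H", len(body)) + body


# Constructed sample records; the random is a fake, not real server output.
FAKE_RANDOM = bytes(range(32))
HELLO_TLS13 = build_server_hello((3, 3), FAKE_RANDOM, 0x1301, selected_version=(3, 4))
HELLO_TLS12 = build_server_hello((3, 3), FAKE_RANDOM, 0xC02F)
HELLO_TLS12_DOWNGRADED = build_server_hello((3, 3), FAKE_RANDOM[:24] + DOWNGRADE_TLS12, 0xC02F)
HELLO_SSL3 = build_server_hello((3, 0), FAKE_RANDOM, 0x002F)

if __name__ == "__main__":
    samples = [("TLS 1.3 server", HELLO_TLS13), ("TLS 1.2-only server", HELLO_TLS12),
               ("TLS 1.3 server forced to 1.2", HELLO_TLS12_DOWNGRADED),
               ("SSLv3 server", HELLO_SSL3)]
    for label, rec in samples:
        ok, why = check_server_hello(rec)
        print(f"{label:30} -> {why}")
```

The second sample (a server that genuinely only speaks TLS 1.2) is accepted even though the client offered 1.3, because no sentinel is present; the third carries the sentinel, which is exactly the "forced rollback" case the text says must terminate the connection.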

How to enable TLS 1.3 support in Google Chrome and Firefox browsers

Firefox and Chrome support TLS 1.3, but it is not enabled by default, because the version so far exists only in draft form.

Mozilla Firefox

  1. Type about:config into your browser's address bar and confirm that you accept the risk.
  2. The Firefox settings editor will open.
  3. Enter security.tls.version.max in the search box.
  4. Double-click the current value and change it to 4.

Google Chrome

  1. Type chrome://flags/ into your browser's address bar to open the experiments panel.
  2. Find the #tls13-variant option.
  3. Click on the menu and set Enabled (Draft).
  4. Restart your browser.

How to check if your browser is using version 1.2

We remind you that version 1.3 is not yet in public use. If you do not want to use the draft version, you can stay on version 1.2.

To check that your browser is using version 1.2, follow the same steps as in the instructions above and make sure that:

  • For Firefox, the value of security.tls.version.max is 3. If it is lower, double-click the current value and change it to 3.
  • For Google Chrome: click the browser menu, select Settings, select Show advanced settings, scroll down to the System section and click Open proxy settings…
  • In the window that opens, click the Security tab and check that the Use TLS 1.2 box is ticked. If it is not, tick it and click OK.

The changes take effect after you restart your computer.

A quick tool to check your browser's SSL/TLS protocol version

Go to the SSL Labs online protocol version checker. The page shows in real time which protocol version your browser is using and whether the browser is exposed to any known vulnerabilities.

Sources: translation

TLS is the successor to SSL, a protocol that provides a reliable and secure connection between nodes on the Internet. It is used in the development of various clients, including browsers and client-server applications. What does TLS mean in Internet Explorer?

A bit about technology

All enterprises and organizations that handle financial transactions use this protocol to prevent packet sniffing and unauthorized access by intruders. The technology is designed to protect important connections from malicious attacks.

In most such organizations the built-in browser, Internet Explorer, is used; in some cases, Mozilla Firefox.

Enable or disable a protocol

Some sites sometimes cannot be accessed because support for the SSL and TLS technologies is disabled; a notification pops up in the browser. So how do you enable the protocols and continue using secure connections?

  1. Open Control Panel via Start. Another way: open Internet Explorer and click the gear icon in the upper right corner.
  2. Go to the "Internet Options" section and open the "Advanced" tab.
  3. Check the boxes next to "Use TLS 1.1" and "Use TLS 1.2".
  4. Click OK to save your changes. If you want to disable the protocols, which is strongly discouraged, especially if you use Internet banking, uncheck the same items.

What is the difference between 1.0, 1.1 and 1.2? Version 1.1 is only a slightly improved version of TLS 1.0 and partially inherited its shortcomings. Version 1.2 is the most secure of the three. On the other hand, not every site can be opened with only this protocol version enabled.

As you know, the Skype messenger is tied to Internet Explorer as a Windows component. If TLS is not enabled in the Internet Explorer settings, Skype may have problems: the program simply will not be able to connect to its server.

If TLS support is disabled in the Internet Explorer settings, none of the program's network-related functions will work. Moreover, the safety of your data depends on this technology. Do not neglect it if you perform financial transactions in this browser (shopping in online stores, transferring money through online banking or an electronic wallet, etc.).

In October, Google engineers published information about a critical vulnerability in SSL version 3.0 with the amusing name POODLE (Padding Oracle On Downgraded Legacy Encryption, or simply Poodle 🙂). The vulnerability allows an attacker to gain access to information encrypted with the SSLv3 protocol using a man-in-the-middle attack. It affects both servers and clients that can connect using SSLv3.

In general, this is not surprising: the SSL 3.0 protocol, first introduced back in 1996, is already 18 years old and obsolete. In most practical applications it has already been replaced by the TLS cryptographic protocol (versions 1.0, 1.1 and 1.2).

To protect against the POODLE vulnerability, it is strongly recommended to disable SSLv3 support on both the client and the server side and then use only TLS. For users of legacy software (for example, IIS 6 on Windows XP), this means they will no longer be able to view HTTPS pages or use other SSL services. If SSLv3 support is not completely disabled and stronger encryption is merely offered by default, the POODLE vulnerability remains. This is due to how the encryption protocol is chosen and negotiated between the client and the server: when problems are detected with a TLS connection, there is an automatic fallback to SSL.

We recommend that you check all your services that can use SSL/TLS in any form and disable SSLv3 support. You can check your web server for the vulnerability using an online test, for example here: http://poodlebleed.com/.

Note. Bear in mind that disabling SSL v3 at the system level only affects software that uses the system APIs for SSL encryption (Internet Explorer, IIS, SQL NLA, RRAS, etc.). Programs that use their own crypto libraries (Firefox, Opera, etc.) must be updated and configured individually.

Disable SSLv3 in Windows at the System Level

On Windows, SSL/TLS support is managed through the registry.

In this example, we will show how to completely disable SSLv3 on a system level (both client and server level) in Windows Server 2012 R2:

Disable SSLv2 (Windows Server 2008 and below)

In OSes prior to Windows 7 / Windows Server 2008 R2, an even less secure and outdated protocol, SSLv2, is used by default; it should also be disabled for security reasons (on newer versions of Windows, client-side SSLv2 is disabled by default and only SSLv3 and TLS 1.0 are used). To disable SSLv2, repeat the above procedure for the SSL 2.0 registry key.

In Windows 2008/2012 SSLv2 at the client level is disabled by default.

Enable TLS 1.1 and TLS 1.2 on Windows Server 2008 R2 and later

Windows Server 2008 R2 / Windows 7 and later support the TLS 1.1 and TLS 1.2 protocols, but they are disabled by default. You can enable support for TLS 1.1 and TLS 1.2 on these versions of Windows in the same way, by editing the corresponding registry keys.
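The registry screenshots for the SSLv3 and TLS 1.1/1.2 steps above are not reproduced on this page. As an added example (not part of the original page, and not Microsoft's or IIS Crypto's code), the following Python script expresses the same change in terms of the standard Schannel protocol keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, where each protocol has Client and Server subkeys with the DWORD values Enabled and DisabledByDefault. Those key paths and value names are Microsoft's documented Schannel settings; the function names, the default protocol lists and the .reg export are my own. The script builds a dry-run plan first, so the change can be reviewed (or imported with regedit) before it is written, and applies it through the winreg module only on Windows.

```python
try:
    import winreg                    # Windows only; absent on other platforms
except ImportError:
    winreg = None

# Standard Schannel protocol key (a documented Windows location, not taken from the page).
SCHANNEL_PROTOCOLS = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"


def schannel_plan(disable=("SSL 2.0", "SSL 3.0"), enable=("TLS 1.1", "TLS 1.2"),
                  sides=("Client", "Server")):
    """Return the registry writes (subkey, value name, DWORD) that disable the
    given protocols and enable the others for both the client and server side."""
    plan = []
    for proto in disable:
        for side in sides:
            key = f"{SCHANNEL_PROTOCOLS}\\{proto}\\{side}"
            plan.append((key, "Enabled", 0))            # 0 = protocol may not be used at all
            plan.append((key, "DisabledByDefault", 1))  # 1 = not offered unless explicitly requested
    for proto in enable:
        for side in sides:
            key = f"{SCHANNEL_PROTOCOLS}\\{proto}\\{side}"
            plan.append((key, "Enabled", 1))            # non-zero = protocol allowed
            plan.append((key, "DisabledByDefault", 0))  # 0 = offered by default
    return plan


def export_reg(plan):
    """Render the plan as a .reg file, for review or for import with regedit."""
    by_key = {}
    for key, name, data in plan:
        by_key.setdefault(key, []).append((name, data))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[HKEY_LOCAL_MACHINE\\{key}]")
        lines.extend(f'"{name}"=dword:{data:08x}' for name, data in values)
        lines.append("")
    return "\n".join(lines)


def apply_plan(plan):
    """Write the plan to HKLM. Needs Windows and an elevated process; Schannel
    reads these keys at startup, so reboot afterwards (as the page also notes)."""
    if winreg is None:
        raise RuntimeError("registry writes are only possible on Windows")
    for key, name, data in plan:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_SET_VALUE) as handle:
            winreg.SetValueEx(handle, name, 0, winreg.REG_DWORD, data)


if __name__ == "__main__":
    plan = schannel_plan()
    print(export_reg(plan))   # review first; then run apply_plan(plan) on the server itself
```

Because the keys are written for both Client and Server, this matches the page's "system level (both client and server level)" scope; narrow the sides argument if only one direction should change. As the note above says, this only affects software that uses the Windows Schannel APIs, not browsers with their own TLS stacks.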


Utility for managing system cryptographic protocols in Windows Server

There is a free utility, IIS Crypto, that makes it convenient to manage cryptographic protocol settings in Windows Server 2003, 2008 and 2012. With it you can enable or disable any of the encryption protocols in just two clicks.

The program also ships with several templates for quickly applying preset security configurations.

Problem

When trying to enter the personal account of the GIIS "Electronic budget", an error message appears:

Can't display this page

Enable the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Advanced Options section and try connecting to the https://ssl.budgetplan.minfin.ru web page again. If the error persists, contact the website administrator.

Solution

Check the workstation settings against the document.

The instructions do not mention a few things:

  1. You need to install the CryptoPro EDS Browser plug-in and test it on the demo page.
  2. Disable SSL/TLS protocol filtering in the antivirus settings; in other words, add an exception for the site you need so that its secure connection is not scanned. Different antivirus products call this differently. For example, in Kaspersky Free, go to Settings > Advanced > Network > Do not scan secure connections.

If you cannot access a specific site and your browser shows an error message, there is a reasonable explanation for it. The causes of the problem and their solutions are given in this article.

SSL TLS protocol

Users in budgetary organizations, and not only those, whose work is directly related to finance and to cooperating with financial institutions (for example, the Ministry of Finance, the Treasury, etc.), carry out all their operations exclusively over the secure SSL protocol. Mostly they use the Internet Explorer browser; in some cases, Mozilla Firefox.

SSL error

In these operations, and in the work in general, the main attention goes to the protection system: certificates and electronic signatures. The current version of the CryptoPro software is used for this. As for problems with the SSL and TLS protocols: if an SSL error appears, most likely the protocol is not supported.

TLS error

A TLS error can in many cases also indicate a lack of support for the protocol. But let's see what can be done in this case.

Support for SSL and TLS protocols

So, when you use Microsoft Internet Explorer to visit a website over SSL and the page shows the message "Make sure SSL and TLS are enabled", first of all you need to enable support for the TLS 1.0 protocol in Internet Explorer.

If you are visiting a website running Internet Information Services 4.0 or later, configuring Internet Explorer to support TLS 1.0 helps secure your connection, provided, of course, that the remote web server supports this protocol.

To do this, open the Tools menu and select Internet Options.

On the Advanced tab, in the Security section, make sure the following checkboxes are selected:

  • Use SSL 2.0
  • Use SSL 3.0
  • Use TLS 1.0

Click Apply, and then OK. Restart your browser.

After enabling TLS 1.0, try visiting the website again.

System Security Policy

If SSL and TLS errors persist and you still cannot use SSL, the remote web server probably does not support TLS 1.0. In this case, you must disable the system policy that requires FIPS-compliant algorithms.

To do this, in Control Panel select Administrative Tools, and then double-click Local Security Policy.

In Local Security Settings, expand the Local Policies node and click Security Options.

In the policy list on the right side of the window, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then select Disabled.

Attention!

The change takes effect after the local security policy is reapplied. Reapply it, then restart your browser.

CryptoPro TLS SSL

Update CryptoPro

One of the options for solving the problem is updating CryptoPro and setting up the resource. In this case, the resource is work with electronic payments. Go to the Certification Authority. For the resource, select E-Marketplaces.

After starting the automatic workstation setup, you only need to wait for the procedure to complete and then restart the browser. If you are asked to enter or select a resource address, choose the one you need. You may also need to restart your computer after the setup is complete.