Is it enough to use only SSL/TLS for a client-server application with authentication, registration and data transmission (like chat)? If not, what else do I need to use?
Eavesdropping by whom? What resources do they have that they're willing to use against you? – cpast Feb 22 '15 at 01:26
Relevant questions: [How does SSL/ TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) and [Does an established SSL connection mean a line is really secure?](http://security.stackexchange.com/questions/5/does-an-established-ssl-connection-mean-a-line-is-really-secure) – James Mishra Feb 22 '15 at 06:12
1 Answer
TLS can protect against an eavesdropper who only has access to the communication channel between the two parties. But it needs to be properly implemented, that is, strong ciphers, proper validation of the peer, etc.
It will not protect against attacks on the endpoints themselves. That is, it will not help you if there are bugs in the TLS stacks used (like those found in most major stacks in 2014), buffer overflows, or bugs in the application logic (like cross-site scripting). If the attacker manages to compromise the endpoint in some way, they will be able to inject themselves into the application to get access to the unencrypted data or to the encryption keys.
Thus attacks focus on compromising the implementation or the endpoint itself: subverting the methods and libraries used for encryption (like random number generators), compromising the delivery chain to get access to the keys (as with SIM cards), or infecting the computer already during delivery. But you don't need such advanced attacks, because malware delivery by phishing or malvertising, or evil maid attacks, is usually enough to compromise a selected endpoint.