Questions tagged [tls]

SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)

HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. Unless a different port is specified, HTTPS uses port 443, unlike HTTP, which uses port 80, in its interactions with the lower layer, TCP/IP.

The effectiveness of HTTPS can be limited by poor implementation of browser or server software or a lack of support for some algorithms. Furthermore, although HTTPS secures data as it travels between the server and the client, once the data is decrypted at its destination, it is only as secure as the host computer.

HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

5605 questions
1258
votes
3 answers

How does SSL/TLS work?

How does SSL work? I just realised we don't actually have a definitive answer here, and it's something worth covering. I'd like to see details in terms of: A high level description of the protocol. How the key exchange works. How authenticity,…
Polynomial
575
votes
3 answers

What's the difference between SSL, TLS, and HTTPS?

I get confused with the terms in this area. What is SSL, TLS, and HTTPS? What are the differences between them?
jrdioko
417
votes
14 answers

How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?

I've often heard it said that if you're logging in to a website - a bank, GMail, whatever - via HTTPS, that the information you transmit is safe from snooping by 3rd parties. I've always been a little confused as to how this could be possible.…
Joshua Carmody
407
votes
10 answers

Is BASIC-Auth secure if done over HTTPS?

I'm making a REST-API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
Morten
364
votes
6 answers

What is certificate pinning?

I'm superficially familiar with SSL and what certs do. Recently I saw some discussion on cert pinning but there wasn't a definition. A DDG search didn't turn up anything useful. What is certificate pinning?
303
votes
3 answers

CRIME - How to beat the BEAST successor?

With the advent of CRIME, BEAST's successor, what possible protection is available for an individual and/or system owner in order to protect themselves and their users against this new attack on TLS?
Kyle Rosendo
248
votes
4 answers

SSL3 "POODLE" Vulnerability

Canonical question regarding the recently disclosed padding oracle vulnerability in SSL v3. Other identical or significantly similar questions should be closed as a duplicate of this one. What is the POODLE vulnerability? I use…
tylerl
244
votes
14 answers

My college is forcing me to install their SSL certificate. How to protect my privacy?

My college administration is forcing us to install Cyberoam Firewall SSL certificate so that they can view all the encrypted traffic to "improve our security". If I don't install the certificate then I won't be able to use their network. What are…
svetaketu
241
votes
5 answers

What is the difference between https://google.com and https://encrypted.google.com?

Is there any difference between the encrypted Google search (at https://encrypted.google.com) and the ordinary HTTPS Google search (at https://google.com)? In terms of security what were the benefits of browsing through encrypted Google…
BlueBerry - Vignesh4303
233
votes
8 answers

What is the difference between SSL vs SSH? Which is more secure?

What is the difference between SSH and SSL? Which one is more secure, if you can compare them together? Which has more potential vulnerabilities?
Am1rr3zA
206
votes
7 answers

Does https prevent man in the middle attacks by proxy server?

There is a desktop client A connecting to website W in an HTTPS connection: A --> W. Somehow between A and W, there is a proxy G: A --> G --> W. In this case, will G be able to get the certificate which A previously got from W? If G can get the…
jojo
203
votes
7 answers

How do mobile carriers know video resolution over HTTPS connections?

Verizon is modifying their "unlimited" data plans. Customers in the USA can stream video at 480p -or- pay to unlock higher resolutions (both 720p and +1080p). They are not the only mobile carrier to implement rules like this. If I am on a site that…
raithyn
166
votes
11 answers

Is visiting HTTPS websites on a public hotspot secure?

It's often said that HTTPS SSL/TLS connections are encrypted and said to be secure because the communication between the server and me is encrypted (also provides server authentication) so if someone sniffs my packets, they will need zillions of…
Calmarius
163
votes
4 answers

Difference between .pfx and .cert certificates

What is the difference between .pfx and .cert certificate files? Do we distribute .pfx or .cert for client authentication?
Xsecure123
162
votes
2 answers

What is DROWN and how does it work?

There is a new recent attack "on TLS" named "DROWN". I understand that it appears to use bad SSLv2 requests to recover static (certificate) keys. My question is: How? How can you recover static encryption or signature keys using SSLv2? Bonus…
SEJPM