SSL uses encryption to ensure that data in transit is protected and cannot be accessed by an attacker, which prevents attackers from reading or tampering with it.

SSL versions

The following versions of SSL have been released, along with the year of release:

SSL 1.0 – Never released because of inherent security issues.

SSL 2.0 – Released in 1995. It had many security flaws. Deprecated in 2011.

SSL 3.0 – The latest version of SSL. Released in 1996 to address the security issues in SSL 2.0; deprecated in 2015. SSL 3.0 had the ability to roll back to SSL 2.0 when a client supporting 2.0 was encountered.

TLS

TLS stands for Transport Layer Security. The first version of TLS was developed by the Internet Engineering Task Force (IETF) in 1999. In simple terms, TLS is an updated and more secure version of SSL.

TLS versions

The following versions of TLS have been released, along with the year of release –

TLS 1.0 – Defined in RFC 2246 and released in January 1999. It is an upgrade from SSL 3.0, and there isn't much difference between SSL 3.0 and TLS 1.0, but the two do not interoperate with each other.

TLS 1.1 – Defined in RFC 4346 and released in April 2006. TLS 1.1 is an update to TLS 1.0.

TLS 1.2 – Defined in RFC 5246 and released in August 2008. TLS 1.2 is an update to TLS 1.1.

TLS 1.3 – Defined in RFC 8446 and released in August 2018. TLS 1.3 is an update to TLS 1.2.

The primary use case of both SSL and TLS is encrypting the data sent between web applications and servers. SSL/TLS can also be used to encrypt other communications such as messaging, email and voice over IP (VoIP). Often, when you connect to a website from a browser, the browser displays a small padlock to the left of the web address. This padlock indicates that the website is using SSL/TLS to encrypt the data sent between the browser and the server. It is one way to tell whether the communication is happening over HTTP or HTTPS.

SSL and TLS differences

The table below highlights the major differences between SSL and TLS.

Cipher suites

SSL/TLS cipher suites are named sets of algorithms that together secure a connection by encrypting the data exchanged between two systems. A cipher suite name has the form:

PROTOCOL _ KEY EXCHANGE ALGORITHM _ DIGITAL SIGNATURE ALGORITHM _ WITH _ BULK ENCRYPTION ALGORITHM _ HASHING ALGORITHM

Example – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (TLS protocol, ECDHE key exchange, ECDSA digital signatures, AES-128 in GCM mode for bulk encryption, SHA-256 hashing).

SSL/TLS make use of many cipher suites. Some of them are vulnerable while others are safe to use. The cipher suites that are safe to use are listed below –

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

TLS certificate cipher check

During penetration testing we often need to check that a TLS certificate does not run any vulnerable ciphers. Checking this manually is not feasible, so we need a tool to automate it, and many tools exist for the job. An alternative is the SSL Labs website by Qualys, at https://www.ssllabs.com/ssltest/ . You simply pass it the HTTPS URL and it verifies the ciphers and the other certificate details automatically.
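The two ideas above, the cipher suite naming format and the check that a server offers no vulnerable ciphers, can be combined into a small offline audit. The following Python is an added example written for this page, not code from the article or from SSL Labs. It parses IANA-style suite names into the fields described under "Cipher suites", grades each suite with a policy that is this example's own (the grading is stricter than the article's list in that CBC suites are reported as "warn" rather than "ok"), and compares a server's offered list against an allowlist built from the article's safe list plus the three TLS 1.3 suite names, which the article's list does not include. The offered list is a constructed sample standing in for what a scanner such as SSL Labs would report; in practice you would feed it the suites the scanner enumerated.

```python
"""Added example (not from the article): parse cipher suite names and audit a server's list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HASHES = {"MD5", "SHA", "SHA256", "SHA384", "SHA512"}   # trailing MAC / PRF hash tokens
MODES = {"GCM", "CBC", "CCM", "CCM_8", "POLY1305"}      # bulk-cipher mode tokens
FORWARD_SECRET_KX = {"ECDHE", "DHE"}                    # ephemeral key exchange


@dataclass
class CipherSuite:
    name: str
    protocol: str            # "TLS" or "SSL"
    kx: Optional[str]        # key exchange; None for TLS 1.3 names
    auth: Optional[str]      # signature algorithm; None for TLS 1.3 names
    bulk: str                # e.g. "AES_128", "3DES_EDE", "RC4_128", "NULL"
    mode: Optional[str]      # e.g. "GCM", "CBC"; None for stream ciphers
    mac: Optional[str]       # HMAC hash, or the PRF hash for AEAD suites


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split PROTOCOL_KX_AUTH_WITH_BULK_MODE_HASH into its fields."""
    if "_WITH_" in name:
        left, right = name.split("_WITH_", 1)
        protocol, *kx_auth = left.split("_")
        kx = kx_auth[0] if kx_auth else None
        # TLS_RSA_WITH_...: one algorithm does both key transport and authentication
        auth = kx_auth[1] if len(kx_auth) > 1 else kx
    else:
        # TLS 1.3 style (TLS_AES_128_GCM_SHA256): kx/auth are negotiated separately
        protocol, right = name.split("_", 1)
        kx = auth = None
    parts = right.split("_")
    mac = parts.pop() if parts[-1] in HASHES else None
    mode = None
    if len(parts) > 1 and "_".join(parts[-2:]) in MODES:   # two-token mode, e.g. CCM_8
        mode, parts = "_".join(parts[-2:]), parts[:-2]
    elif parts[-1] in MODES:
        mode = parts.pop()
    return CipherSuite(name, protocol, kx, auth, "_".join(parts), mode, mac)


def assess(suite: CipherSuite) -> Tuple[str, List[str]]:
    """Grade a suite as "weak", "warn" or "ok". The policy here is this example's own."""
    weak: List[str] = []
    warn: List[str] = []
    if "EXPORT" in suite.name:
        weak.append("export-grade (deliberately weakened) keys")
    if suite.auth == "anon":
        weak.append("anonymous key exchange: no server authentication")
    if suite.bulk == "NULL":
        weak.append("NULL cipher: no encryption")
    if suite.bulk.startswith("RC4"):
        weak.append("RC4: broken stream cipher")
    if suite.bulk.startswith(("DES", "3DES")):
        weak.append("DES/3DES: 64-bit block size")
    if suite.mac == "MD5":
        weak.append("MD5-based MAC")
    if suite.kx is not None and suite.kx not in FORWARD_SECRET_KX:
        warn.append(f"{suite.kx} key exchange: no forward secrecy")
    if suite.mode == "CBC":
        warn.append("CBC mode: not AEAD, prefer GCM or CHACHA20_POLY1305")
    if suite.protocol == "SSL":
        warn.append("SSL-era suite name")
    if weak:
        return "weak", weak + warn
    return ("warn", warn) if warn else ("ok", [])


# Allowlist: the article's "safe to use" list (duplicates removed) plus the three
# TLS 1.3 suite names, which the article's list does not include.
SAFE_SUITES = set("""
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
""".split())


def audit_offered(offered: List[str], allowlist=SAFE_SUITES) -> Dict[str, Tuple[str, List[str]]]:
    """Grade every suite a server offers; anything outside the allowlist is at least "warn"."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for name in offered:
        level, reasons = assess(parse_cipher_suite(name))
        if name not in allowlist:
            reasons = ["not on the allowlist"] + reasons
            level = "weak" if level == "weak" else "warn"
        report[name] = (level, reasons)
    return report


# Constructed sample: suites a hypothetical server offered, as a scanner would list them.
SAMPLE_OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for name, (level, reasons) in audit_offered(SAMPLE_OFFERED).items():
        print(f"{level:5} {name}  {'; '.join(reasons)}")
```

The parser is deliberately lenient: a name without `_WITH_` is treated as a TLS 1.3 suite, where key exchange and signature algorithm are negotiated outside the suite name, and a name without a trailing hash token (such as TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 in the article's list) gets `mac=None`. The allowlist check and the per-suite grading are kept separate so that a suite which is merely absent from your policy is distinguishable from one that is actually broken.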
