History of SSL/TLS
- SSL v2.0 and v3.0 were published by Netscape in 1995 and 1996 respectively (Deprecated in 2011, 2015, RFC7568)
- TLS v1.0 was an upgrade of SSL v3.0 published in 1999 by IETF RFC2246 (Deprecating in 2020, RFC8996)
- TLS v1.1 was published in 2006 by IETF RFC4346 (Deprecating in 2020, RFC8996)
- TLS v1.2 was published in 2008 by IETF RFC5246
- TLS v1.3 was published in 2018 by IETF RFC8446 after 30 drafts
According to a WatchGuard survey dated Q3 2018, about 7% of Alexa Top 100,000 sites still supported SSL 2.0/3.0.
All SSL/TLS protocols have their share of flaws, like all other technologies. Some of the well-known attacks are:
- BEAST (Browser Exploit Against SSL/TLS) on SSL 3.0 & TLS 1.0, published in 2011
- CRIME (Compression Ratio Info-leak Made Easy) on TLS compression, published in NIST CVE-2012-4929
- BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext), published in NIST CVE-2013-3587
- POODLE (Padding Oracle On Downgraded Legacy Encryption) on SSL 3.0 interoperability, published in 2014
- Heartbleed on an OpenSSL library extension, published in NIST CVE-2014-0160
How TLS Works
TLS has two phases/protocols of communication, namely Handshake and Record.
During the handshake, the server and client will:
- Negotiate the protocol version
- Select cryptographic algorithm/cipher suites
- Authenticate each other by asymmetric cryptography
- Agree on a shared secret key used for symmetric encryption in the record phase
In the record phase, bulk encryption takes place:
- All outgoing messages are encrypted with the shared secret key established earlier
- Then the encrypted messages are transmitted to the other side
- They will be verified to see whether there was any modification during transmission
- If not, the messages will be decrypted with the same symmetric secret key
Source: https://en.wikipedia.org
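The version negotiation described above can be checked from the server's side of the handshake. The following is an added example, not code from the original page: it splits a byte stream into TLS records, finds the ServerHello, and reports whether the selected version is one of the deprecated ones listed in the history. The function names are hypothetical, the sample record is constructed, and the ServerHello is assumed to be unfragmented and first in its record.

```python
import struct

HANDSHAKE, SERVER_HELLO, SUPPORTED_VERSIONS = 22, 2, 43
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {0x0300, 0x0301, 0x0302}  # SSL 3.0, TLS 1.0, TLS 1.1

def split_records(stream):
    """Yield (content_type, payload) per record: 1-byte type, 2-byte version, 2-byte length."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _legacy_version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, payload
        pos += 5 + length

def negotiated_version(body):
    """Version selected in a ServerHello body (the bytes after the 4-byte handshake header)."""
    if len(body) < 38:
        raise ValueError("ServerHello too short")
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 34 + 1 + body[34] + 2 + 1  # skip version, random, session id, cipher suite, compression
    if pos + 2 > len(body):
        return version               # no extensions block
    ext_end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= ext_end:
            return struct.unpack_from("!H", body, pos + 4)[0]  # TLS 1.3 reports itself here
        pos += 4 + ext_len
    return version

def audit(stream):
    """Return (version name, is_deprecated) for the first ServerHello, or None if there is none."""
    for ctype, payload in split_records(stream):
        if ctype == HANDSHAKE and payload[:1] == bytes([SERVER_HELLO]):
            v = negotiated_version(payload[4:])
            return VERSIONS.get(v, hex(v)), v in DEPRECATED
    return None

def sample_server_hello(legacy_version, extensions=b""):
    """Constructed ServerHello record for the demo (not captured traffic)."""
    ext = struct.pack("!H", len(extensions)) + extensions if extensions else b""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00\x00\x2f\x00" + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, legacy_version, len(hs)) + hs
```

TLS 1.3 keeps 0x0303 in the legacy version field and carries the real version in the supported_versions extension, which is why the ServerHello body has to be parsed rather than the record header.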