Encryption

From Postmaster Administration Wiki

SSL - Secure Socket Layer

The Secure Socket Layer protocol was developed by Netscape Communications to provide HTTPS, a secure version of HTTP. It is the predecessor of Transport Layer Security and provides communication channel encryption between client and server. It is still used by a handful of protocols: HTTPS, POPS, IMAPS, and SMTPS. One issue with SSL is that each secured service uses a dedicated port number, which implies that every unencrypted Internet protocol would probably require assignment of a new port number for an encrypted version of the same protocol.

TLS - Transport Layer Security

The Transport Layer Security protocol provides a means for an application protocol, like SMTP, POP, or IMAP, to upgrade a client-server connection to encrypted communications. A command, like STARTTLS or STLS, is issued on the unencrypted channel to request that the server start TLS, typically before any clear-text authentication methods are used.

One issue with protocols that support STARTTLS, like IMAP, POP, and SMTP, is that they typically allow fall-back to unencrypted communications. A man-in-the-middle attacker could simply reject the STARTTLS command and hope the connecting client will fall back to an unencrypted channel.
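A client closes this gap by treating a missing or rejected STARTTLS as a fatal error instead of continuing in clear text. The Python code below is an added example, not part of the original wiki page; the names DowngradeRefused, ehlo_extensions, check_upgrade and send_strict, and the sample server replies, are constructed for illustration.

```python
import smtplib
import ssl

class DowngradeRefused(Exception):
    """Raised instead of continuing on an unencrypted channel."""

def ehlo_extensions(reply: str) -> set:
    """Extension keywords from a multi-line 250 EHLO reply (first line is the greeting)."""
    exts = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250" and line[3:4] in ("-", " ") and line[4:].split():
            exts.add(line[4:].split()[0].upper())
    return exts

def check_upgrade(ehlo_reply: str, starttls_reply: str) -> bool:
    """Return True only if the server advertised STARTTLS and accepted it (220)."""
    if "STARTTLS" not in ehlo_extensions(ehlo_reply):
        raise DowngradeRefused("STARTTLS not advertised; refusing clear text")
    if not starttls_reply.startswith("220"):
        raise DowngradeRefused("STARTTLS rejected: " + starttls_reply.strip())
    return True

def send_strict(host, port, sender, recipient, message):
    """The same policy on a live connection, using smtplib."""
    context = ssl.create_default_context()  # verifies certificate chain and host name
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise DowngradeRefused("STARTTLS not advertised; refusing clear text")
        smtp.starttls(context=context)  # raises if the server does not answer 220
        smtp.ehlo()  # extensions seen before TLS are untrusted; ask again
        smtp.sendmail(sender, recipient, message)

# Constructed sample replies (not captured from a real server).
HONEST_EHLO = "250-mail.example.org\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED_EHLO = "250-mail.example.org\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

def demo():
    """Run the policy over an honest, a stripped and a rejecting exchange."""
    results = {}
    for name, ehlo, reply in [
        ("honest", HONEST_EHLO, "220 2.0.0 Ready to start TLS\r\n"),
        ("stripped", STRIPPED_EHLO, ""),
        ("rejected", HONEST_EHLO, "454 4.7.0 TLS not available\r\n"),
    ]:
        try:
            results[name] = check_upgrade(ehlo, reply)
        except DowngradeRefused as exc:
            results[name] = str(exc)
    return results
```

Only the "honest" exchange proceeds; the other two stop before any credentials or message data are sent.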

Certificates

SSL and TLS encryption use asymmetric cryptography, also known as public-private key encryption, as a means to identify both end points and encrypt the communications differently in each direction. To achieve this, a certificate associates a public key with an identity, either an individual or an organization. This association is normally signed by a mutually-trusted third party, called a Certificate Authority (CA), a form of digital notary.

A certificate can be signed by the identity itself. Such a self-signed certificate is typically only used for private in-house communications between a company's own servers and/or employees. A certificate signed by a commercial CA is used for network services accessed by the public, such as mail and web servers, online banking and shopping, or anywhere privacy and security are required for confidential transactions and communications. There are now also free certificate signing services such as CAcert and Let's Encrypt.

Certificates can also be used for digital signatures and encryption of email messages (PGP, GnuPG). A CA-signed certificate guarantees that the service to which a client connects is who it claims to be and that information exchanged in encrypted sessions cannot be read by any other party. For example, a web browser can see that the authority GANDI SAS has verified the identity of gnu.org, so encrypted communications with the service can be trusted. Certificates have drawbacks and legitimate criticisms, but they remain a very common security mechanism, as there is no widely-supported alternative.
