TLS 1.3 is published and somewhere on the horizon. TLS 1.0 & 1.1 are on their way out and will be deprecated in 2020. What does that mean to you? Unless you are a developer, probably nothing. Here at Vanguard, it is a reminder that cyber security is not a goal achieved and ignored, but something requiring regular maintenance.
History of Cyber Security
Before we dive into it, let’s talk a little bit about where cyber security began. Diffie-Hellman, the first public key algorithm, was published in 1976. Some variation of the algorithm has been used as a key exchange in partnership with another public key algorithm, RSA, since SSL (Secure Sockets Layer) was first introduced by Netscape in 1994. SSL is a protocol that secures the connection between the server and the client. Back then, DES, an encryption scheme also introduced in the late 70s, was considered acceptably secure with a key as small as 56 bits. DES has long since been considered insecure. As time progressed, and breaks in encryption algorithms and collisions in hashing algorithms were found, there was a need for an updated standard for secure communication. SSL 2 was followed by SSL 3. In 1999, the protocol was renamed TLS and it is now in its third iteration. Many people still use SSL and TLS interchangeably. In addition to fixing bugs and replacing outdated algorithms with the latest ones, TLS 1.3 will make secure browsing faster. When a user connects to a server securely, the first step is called the SSL handshake. The handshake will be altered in a way that makes it both more secure and faster. Windows has not announced a release date for an operating system that includes TLS 1.3, and as mentioned in the first paragraph, we eagerly await that news.
Why worry about cyber security?
We can communicate anywhere in the world and our messages can be intercepted anywhere along the way. It is important to have confidence that our message and the subsequent response weren’t altered. We can’t allow eavesdropping, as we have an obligation to our users and their data.
There’s no such thing as a perfectly secure network. We can take comfort in the fact that breaking modern encryption is impractical, but every advance in processing ability, every advance in applied math or cryptography, and every day that passes brings every algorithm closer to obsolescence.
Every computer that can use SSL has a cipher suite, or a collection of algorithms, in the operating system that it can use to communicate. When you make a secure connection, your computer negotiates with the server for the most recent protocol and the best algorithm shared by both. If you dust off the giant box that’s been in your closet since the early 1990s, you won’t be able to securely browse the web at all, as none of the software from that time is still considered secure.
By holding an SSL certificate, you give the public the ability to verify your website’s identity and a method to communicate securely. Click the lock icon in the upper left corner of your browser window next to the URL. You should be able to verify the site identity, the issuer of the certificate, the expiration date of the certificate, and the details of the encryption algorithm and protocol in use.
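The negotiation and certificate checks described in the two paragraphs above, as an added Python example (not code from this article or from Vanguard): it audits a client-side TLS configuration, with a lax setting beside a hardened one, and lists the cipher suites the local machine would offer. The function names are assumptions chosen for illustration, and `describe_peer` needs network access.

```python
import socket
import ssl

MIN_OK = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 are the versions being retired

def hardened_client_context():
    """Refuse TLS 1.0/1.1 and require a certificate valid for the hostname."""
    ctx = ssl.create_default_context()  # loads system CA roots, enables both checks
    ctx.minimum_version = MIN_OK
    return ctx

def lax_client_context():
    """The weak setting, for comparison: encrypts but never checks the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx):
    """Return findings for a client-side SSLContext; an empty list means none."""
    findings = []
    if ctx.minimum_version < MIN_OK:
        findings.append("accepts protocol versions older than TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not match the certificate against the hostname")
    return findings

def suites_by_protocol(ctx):
    """Group the suites this machine would offer by the protocol that defined them."""
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped

def describe_peer(host, port=443):
    """Needs network access: report what was negotiated, as the lock icon does."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with hardened_client_context().wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "issuer": cert["issuer"], "expires": cert["notAfter"]}

if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("lax:", audit(lax_client_context()))
    print({p: len(s) for p, s in suites_by_protocol(hardened_client_context()).items()})
```

With the hardened context, a handshake against a server that only speaks TLS 1.0 or 1.1, or whose certificate does not validate, fails with an `ssl.SSLError` instead of silently connecting.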
Cyber Security as an Industry
The greater tech industry takes security so seriously that it has allowed SSL capability to influence its products. In 2014, Google went as far as to downgrade rankings for websites that don’t meet its security standard. Early this year, Google Chrome made SSL the default on anything without “http://” in the request. Other browsers are following suit.
What’s out there?
Savvy consumers are moving beyond just SSL to secure their data. The popular mobile browser Opera introduced a VPN in March. Now there is an entire market of new browsers with VPNs built in. While the content of the message being sent may be encrypted, some data must remain readable so that devices in the network can route the message. With a VPN, the readable data leaving the user’s location shows only the location of the remote VPN server, not the target site.
Beyond VPN is TOR. TOR uses onion routing, a technique of sending an encrypted message through a series of intermediate computers before connecting with the desired site. This gives users anonymous communication with a server. Because of the multiple layers of encryption, the user’s identity, along with the data sent and requested, is hidden from anyone listening along the way. TOR has a world-wide network and a dubious reputation. Recently, BBC News attempted to use it to allow their banned content to be viewed in China. It was also the primary method for connecting to the Silk Road black market before it was shut down in 2014.
Where there is crime, there needs to be security
Criminal activity and the desire for personal privacy by users will continue to drive cyber security. It is important that you and your organization understand cyber security and take the necessary steps to ensure your site’s safety.
We at Vanguard will continue to provide the best advice we can for you and your members. As we await the release of TLS 1.3, we are continuing to ensure the highest quality security to our clients.