SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both designed to provide security to web connections. TLS is the successor protocol to SSL, though both are often referred to as ‘SSL’. The last version of SSL was SSL version 3 (SSLv3), which is no longer deemed to be secure due to a vulnerability dubbed POODLE. Similarly, TLS version 1.0 is also no longer considered to be secure, as some implementations are vulnerable to POODLE, and cryptographic vulnerabilities have been found in the underlying RC4 cipher. All versions of SSL and TLS 1.0 have been superseded by TLS 1.1 and 1.2, the latter of which is the current recommendation.
When visiting a secure web page, the browser and web server negotiate to use the most secure version of SSL/TLS supported by both parties. In practice, this means that SSLv3 is rarely used to provide security. However, certain browser behaviour allows a man-in-the-middle to downgrade the negotiated protocol to SSLv3 or TLS 1.0, after which they can perform an attack. The Extension indicates whether the web server supports SSLv3, which could mean that a downgrade attack is possible.
Heartbleed is the name of a vulnerability in the OpenSSL cryptographic library which, at the time of disclosure, affected around 17% of SSL web servers using certificates issued by trusted certificate authorities. The vulnerability has the potential to allow attackers to retrieve private keys and ultimately decrypt the server’s encrypted traffic or even impersonate the server. The cause was a missing bounds check in the handling of the TLS heartbeat extension, which can allow remote attackers to view up to 64 kilobytes of memory on an affected server.
When you visit a web site which uses SSL, the Netcraft Extension will detect if the site offered the heartbeat TLS extension prior to the Heartbleed disclosure, using data from the Netcraft SSL Survey. If this is the case, the Extension will also check to see if the SSL certificate has been reissued. If it has not, then the site is unsafe, as the certificate’s private key may have been compromised prior to the fix. Even if the certificate has been reissued, this does not guarantee that the site cannot be impersonated using the old certificate unless it has been revoked. The Extension will indicate when a site is unsafe by displaying a bleeding heart icon, which on mouseover displays an explanatory tooltip. Additionally, if the server is affected by Heartbleed or does not support PFS, a warning triangle will be displayed on top of the Netcraft icon.
PFS (perfect forward secrecy) is a property of an SSL connection which ensures that previously recorded encrypted traffic cannot be easily decrypted if the SSL private key later becomes available, for example as a result of a court order, social engineering, an attack against the website or cryptanalysis.
When you visit a web site which uses SSL, the Extension will detect if it is likely that your web browser has negotiated an SSL cipher suite which supports PFS. It will display a green tick if so, and a red cross if not. Additionally, if the connection does not support PFS or is affected by Heartbleed, a warning triangle will be displayed on top of the Netcraft icon.