Transport Layer Security.
Encrypts the entire TCP data.
Predecessor of TLS.
Unlike TCP / IP, not implemented on the Kernel: http://programmers.stackexchange.com/questions/60030/why-isnt-ssl-tls-built-into-modern-operating-systems One of the reasons is that some countries, mostly dictatorships, regulate cryptography.
Major implementations include:
- OpenSSL. Likely the most popular on Linux
Implementation specifics will not be documented in this section.
http://en.wikipedia.org/wiki/GnuTLS
Created after OpenSSL because of GPL licensing.
Apparently, way less popular than OpenSSL and much more buggy: http://www.zdnet.com/article/gnutls-big-internal-bugs-few-real-world-problems/
Used by some important programs that need it for the GPL include LDAP and wget on Ubuntu 14.04.
http://en.wikipedia.org/wiki/Network_Security_Services
Used by Mozilla.
Had a large breach, generated by a wrong C line that read goto fail; LOL http://www.zdnet.com/article/apples-goto-fail-needs-a-massive-culture-change-to-fix/
Attack in which an intermediate computer gives you his public key and makes you believe that he is the trusted host.
He can then either eavesdrop read transparently, or arbitrarily modify the requests.
This is useful both to carry out tests over HTTPS, and to hack someone.
Tools that allow to do that include:
- mitmproxy
- SSLsplit
Solution to the problem: certificates.
This is why when you use Firefox on an HTTPS site, or command line tools like SSH it gives a warning like: certificate not trusted. This means that the certificate verifier is not trusted by your computer, which is either the fault of:
- your software distribution which did not include a trusted authority
- or mostly likely of the website which did not register the public key properly