Although the Transport Layer Security (TLS) 1.2 protocol, designed to make network connections more secure, was defined in 2008, a security expert at Black Hat Europe this week in Amsterdam said it will be years before Web users can reap its benefits.
TLS was developed in 1999 as an improvement on Secure Socket Layer (SSL) data encryption. Though SSL 3.0 is still used, TLS version 1.0 is supported by most commonly used browsers. However, it was proven vulnerable in 2001 when security researchers demonstrated a working exploit, code-named BEAST (Browser Exploit Against SSL/TLS).
TLS developers fixed the flaw in 2006 by updating the protocol to version 1.1. An even safer version, 1.2, was defined in 2008. The problem is that almost no one uses the 1.1 and 1.2 protocols, said Tom Ritter, security consultant for iSEC Partners, during his keynote speech at Black Hat Europe on Wednesday in Amsterdam.
He showed the audience TLS implementation tables to emphasize his point. Almost all important browsers support TLS 1.0, but only Opera and Internet Explorer allow users to switch to TLS 1.1 or 1.2 manually.
It would be better if all browsers implemented the technology, but that will take time, Ritter said. "We are not going to see that for a while, it needs a couple of years for browsers to implement it," he said.
Many servers have the ability to support TLS 1.1 and 1.2, but recent research showed that the protocol is hardly ever used in practice. "The numbers differ but they all amount to zero," Ritter said.
The costs of implementing TLS 1.2 are high, which has hindered its implementation, Ritter said. In addition, there are implementations of TLS that don't work correctly, the security consultant explained in a white paper discussing the problems.
Problems include "TLS servers that are intolerant of versions greater than 1.0, compression algorithms, and a relatively high number of servers intolerant to any extensions (7 percent)," he noted.
If a handshake fails, nearly all HTTPS clients will fall back on SSL 3.0, enabling a so-called TLS downgrade attack in which malevolent hackers exploit vulnerabilities in the older protocol to compromise secure data exchange, Ritter said.
"Until HTTPS clients remove the downgrade behavior this vulnerability will always exist, and the security benefits of negotiating TLS 1.1 or 1.2 will not be realized when the threat model includes an active attacker," Ritter said. Until this issue is resolved, connections remain vulnerable to these attacks, which is why "we'll never actually get the security of the protocols until we remove backwards compatibility," he said.
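The fallback behavior described above can be seen in a toy model, added here as an illustration and not taken from Ritter's talk or white paper. It compares a client that retries with older versions after a failed handshake against one that does not, both with and without an active party on the path that breaks every handshake newer than SSL 3.0. The class and function names are hypothetical, and the model assumes every server still accepts SSL 3.0.

```python
# Toy model of SSL/TLS version negotiation (constructed; no network I/O).
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest


class Server:
    def __init__(self, max_version, intolerant=False):
        self.max = VERSIONS.index(max_version)
        # An intolerant server aborts on a newer hello instead of
        # answering with its own highest version.
        self.intolerant = intolerant

    def handshake(self, offered):
        """Return the negotiated version index, or None if the handshake fails."""
        if offered > self.max:
            return None if self.intolerant else self.max
        return offered


def drops_newer_hellos(offered):
    """Models an active attacker on the path: only an SSL 3.0 hello gets through."""
    return offered == 0


def connect(server, fallback, on_path=None, client_max="TLS 1.2"):
    """Offer client_max; if the handshake fails and fallback is on, retry lower."""
    offer = VERSIONS.index(client_max)
    while offer >= 0:
        delivered = on_path is None or on_path(offer)
        result = server.handshake(offer) if delivered else None
        if result is not None:
            return VERSIONS[result]
        if not fallback:
            return None  # fail closed: no retry with an older version
        offer -= 1
    return None


if __name__ == "__main__":
    modern = Server("TLS 1.2")
    legacy = Server("TLS 1.0", intolerant=True)
    for label, srv, fb, path in [
        ("modern server, fallback client", modern, True, None),
        ("same, attacker on path", modern, True, drops_newer_hellos),
        ("modern server, strict client, attacker", modern, False, drops_newer_hellos),
        ("intolerant server, fallback client", legacy, True, None),
        ("intolerant server, strict client", legacy, False, None),
    ]:
        print(f"{label}: {connect(srv, fb, path)}")
```

The last two cases show the compatibility cost: the client that refuses to fall back cannot reach the version-intolerant server at all, which is the reason clients kept the fallback.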