How is a TLS connection established?

In a TLS connection, the client and the server first agree upon the version of TLS that they are going to use, which is the highest that both support. Then, they agree upon cipher suites that they are going to use. Finally, they establish a common key for encryption and the data transfer can begin. See an illustrated guide that explains how a TLS connection is established .

Does TLS use symmetric or asymmetric encryption?

TLS uses a mixture of symmetric and asymmetric encryption. First, it uses asymmetric encryption to establish a key, which is then used for symmetric encryption. TLS does not use asymmetric encryption for the entire process because symmetric encryption is much more efficient and once a secure key is established, the process is completely safe. Understand the differences between symmetric and asymmetric encryption .

What are the cipher suites?

Cipher suites are sets of encryption algorithms. TLS can use many different encryption algorithms for different purposes. When a connection is established, the client and the server must exchange information about the algorithms that they support and select the best ones. A cipher suite always includes four different algorithms for four purposes: the key exchange algorithm, the authentication algorithm, the data encryption algorithm, and the Message Authentication Code (MAC) algorithm. Learn how to configure your server to select the safest cipher suites .

How are TLS 1.3 connections different from TLS 1.2?

In TLS 1.3, the connection has been greatly simplified to make the process more efficient. It requires less time and data to establish, which can improve web server efficiency. TLS 1.3 also does not support TLS compression, which has been supported by TLS 1.2. See an illustrated guide to establishing a TLS 1.3 connection .

Web Security Blog | Page 40 of 139

What is Transport Layer Security (TLS): Establishing a TLS Connection

Web Security Zone | March 31, 2019 by Agathoklis Prodromou

The process of establishing a secure SSL/TLS connection involves several steps. SSL/TLS security protocols use a combination of asymmetric and symmetric encryption. The client and the server must negotiate the algorithms used and exchange key information. For the purpose of explaining this complex process, we…

TLS Security 4: SSL/TLS Certificates

Web Security Zone | March 31, 2019 by Agathoklis Prodromou

When you communicate securely with a third party using data encryption, you usually want to be sure that they are who they say they are. For example, when you use an online bank or an e-commerce site and you send sensitive information, you want to…

TLS Security 3: SSL/TLS Terminology and Basics

Web Security Zone | March 31, 2019 by Agathoklis Prodromou

To understand how Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols works, you must first understand certain basic concepts. The primary mechanism used by SSL/TLS is asymmetric encryption with cipher suites. These and related terms are explained below. Encryption Encryption is the process…

TLS Security 6: Examples of TLS Vulnerabilities and Attacks

Web Security Zone | March 31, 2019 by Agathoklis Prodromou

The Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) cryptographic protocols have had their share of flaws like every other technology. The following are major vulnerabilities in TLS/SSL protocols. They all affect older versions of the protocol (TLSv1.2 and older). At the time…

TLS Security 2: A Brief History of SSL/TLS

WordPress Security | March 31, 2019 by Agathoklis Prodromou

The Secure Sockets Layer (SSL) protocol was first introduced by Netscape in 1994. The Internet was growing and there was a need for transport security for web browsers and for various TCP protocols. Version 1.0 of SSL was never released because it had serious security…

How to Prevent SQL Injection Vulnerabilities in PHP Applications

Web Security Zone | March 27, 2019 by Ian Muscat

What Is SQL Injection? SQL Injection (SQLi) is a type of injection attack targeting a backend relational database. An attacker can use it to make a web application process and execute injected SQL statements as part of an existing SQL query. This article assumes that…

New build highlights verified vulnerabilities, checks for Nagios XI RCE, Cisco ISE XSS, Rails File Content Disclosure

Product Releases | March 26, 2019 by Nicholas Sciberras

Acunetix version 12 (build 12.0.190325161 – Windows and Linux) has been released. This new build indicates which vulnerabilities are verified and includes vulnerability checks for RCE in Nagios XI, XSS in Cisco Identity Service Engine, Rails File Content Disclosure, Apache Solr Deserialization of untrusted data,…

Out-of-band XML External Entity (OOB-XXE)

Web Security Zone | March 25, 2019 by Ian Muscat

As with many types of attacks, you can divide XML External Entity attacks (XXE attacks) into two types: in-band and out-of-band. In-band XXE attacks are more common and let the attacker receive an immediate response to the XXE payload. In the case of out-of-band XXE…

What Are XML External Entity (XXE) Attacks

Articles | March 24, 2019 by Ian Muscat

An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is a type of attack that abuses a widely available but rarely used feature of XML parsers. Using XXE, an attacker is able to cause Denial of Service (DoS) as well as access…

Acunetix Web Security Blog