00:00:00,000 --> 00:01:05,960
SSL and TLS provide the backbone of web security. We've already talked a lot about SSL and TLS every time we've talked about HTTPS, but we're going to cover a couple more details inside of this lesson. First, SSL and TLS, what are they? Well, SSL stands for the Secure Socket Layer and TLS stands for Transport Layer Security. These are cryptographic protocols that provide secure internet communications for web browsing, instant messaging, email, VoIP, and many other services. I know we talk a lot about it in web browsing, but it can be used for all of these other things too. Now, when we talk about SSL and TLS, let's start with SSL because it's the older protocol. SSL was what was created first. It was a way to start securing the web as we wanted to start doing e-commerce. The last time SSL was updated though was 1996 with SSL version three. It's really old. You shouldn't use SSL. Instead, it's been replaced by TLS, Transport Layer Security. Now, everyone watching this should be using TLS version 1.3, which is the latest and greatest right now as of this filming.

00:01:05,960 --> 00:01:56,480
Now, often you're going to hear people call it SSL even if it's TLS that you're using. This is just something that people call incorrectly because it's a creature of habit. They've been using SSL since the '90s and if you're an old guy like me, you've been using it this whole time and you call it secure socket layer as opposed to transport layer security. Whether you hear somebody say SSL or TLS, most of the time, they're really referring to TLS. Now, we already covered how TLS and SSL work when we talked about the PKI lesson. We talked about, if you remember, the web browser goes out and gets the server's public key. It then takes that and encrypts a random string of numbers, sends that over to the web server. Once the web server gets it, they decrypt it using their private key. They then create a symmetric tunnel between the two. That symmetric tunnel, that is SSL or TLS. Most of the time, it's TLS. Now, again, that's because TLS is what's current and new and that's what you should be using.

00:01:56,480 --> 00:03:03,400
So we've already talked about how this works, but I want to talk about how it can be used with different protocols. The first one is HTTPS, which we were just discussing. Now, TLS operates below these other protocols. For example, if you want to run a secure website, you would tunnel the normal HTTP protocol through a TLS tunnel. Normally, you'd use HTTP over port 80, but when you tunnel it through SSL or TLS, you're going to end up putting it on port 443, which is secure HTTP or HTTPS. Next, let's talk about emails. Let's say I wanted to send an email to you. Normally, I'm going to use SMTP and send it over port 25. But if I want to do that securely, I want to establish a TLS tunnel first. I'll establish that TLS tunnel over port 465 instead and send my SMTP traffic through that tunnel. Again, it's the same thing we did with web, but now we're doing it with email, and you can do that for instant messaging. You can do it for file transfer. You could do it for all sorts of stuff. Now, one of the things we have to be concerned with with TLS is how people can attack it.

00:03:03,400 --> 00:04:02,620
And one of the most common ways people attack it is by doing a downgrade attack. A downgrade attack is when a protocol is tricked into using a lower quality version instead of using the higher quality version that it was supposed to. So if your server was set up to be able to use version 1.2 of TLS, but somebody has their browser report that they only support 1.0, your server may downgrade itself to 1.0, which is a weaker protocol and can be exploited. Now, why does it work that way? Well, if somebody connects to your website originally, the first thing that your web server and that client does is negotiate how they're going to talk. And if I say to you, "Hey, I only talk at version 1.0, and you want to be able to support me, you're going to downgrade to 1.0." To stop this, you can configure your web server to not support downgraded versions and say, "We're only going to support version 1.1 or 1.2," for example. This is a configuration you can make inside your server, and check your server documentation, whether it's Windows or Linux, on how to do this specifically as you get into the field.

00:04:02,620 --> 00:04:51,640
For the Security+ exam, you need to understand the concept of downgrade, not how to actually secure it by doing the hands-on keyboard type of stuff. The last thing I want to mention about TLS is while it is great and provides us lots of security, as network defenders, it's actually a challenge for us. Let me use this example. You're sitting at your computer at work and you decide to get on Dropbox. Well, if you're on Dropbox and you're using the secure version of that website, you have a nice TLS connection from your device all the way to Dropbox's servers. Well, guess what? Whenever you're putting files into there, as a defender, I can't see what you're doing because there's this tunnel that I'm not a part of, and so it's going to be secure from your computer, your laptop, all the way to the server. Well, if I need to see what's coming in and out of the network, I have to have a way to do that, and the way I do that is what's called break and inspect. We talked about this back in web proxies.

00:04:51,640 --> 00:05:35,632
If I can act as the man in the middle by putting a proxy there, you connect to the proxy, the proxy connects to Dropbox. Now you're going to authenticate with the proxy with a TLS tunnel, then I'm going to unencrypt what you gave me, I'm going to look at it, inspect it, and then I'm going to encrypt it again and send it off through a secure tunnel all the way to Dropbox. And when files come back, I can do the same thing. This is how I can determine what's coming in and out of my network, look at it, and make sure there's no malware or any bad things coming in or out. Now, by doing this, I'm going to end up eating up a lot of processor resources because I have to decrypt and encrypt every single thing that's going through that break and inspect proxy. And so when you set this up, you have to make sure you set it up right. And if you have a really large organization, it gets really hard to do this effectively.