
TLS and networking - OpenSource.net

Submitted by Style Pass, 2025-01-15 17:00:17

This is the third post in a series: “The absolute minimum every Python web application developer must know about security.”

TLS (Transport Layer Security), the compatible successor to SSL (Secure Sockets Layer), is the basis of “https” secure web traffic and provides authenticated encryption.

Obsolete versions of TLS permit insecure algorithms, so we have to ensure we support only the correct versions of TLS. Pen testing or automated scanning tools can verify this.
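As an added example (not code from the post or its series), here is how a Python application can enforce a TLS version floor with the standard library's `ssl` module, audit a context for the weak settings, and probe which versions a server you operate will negotiate. It assumes Python 3.9 or later and treats TLS 1.2 as the floor, since the post names no specific versions.

```python
import socket
import ssl

# Assumption: the post names no versions; TLS 1.2 as the floor is this example's choice.
MINIMUM = ssl.TLSVersion.TLSv1_2
PROBED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def legacy_client_context() -> ssl.SSLContext:
    """The weak setting: any version OpenSSL offers, and no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Refuses obsolete versions and verifies the server certificate and host name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MINIMUM  # create_default_context already verifies the peer
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings for a context; an empty list means it passes this check."""
    findings = []
    if ctx.minimum_version < MINIMUM:  # TLSVersion is an IntEnum, so ordering works
        findings.append(f"minimum_version {ctx.minimum_version.name} permits obsolete TLS")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate not verified")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("check_hostname is off: certificate not bound to the host name")
    return findings

def accepted_versions(host: str, port: int = 443) -> dict[str, bool]:
    """Probe which protocol versions a server you operate will negotiate."""
    results = {}
    for version in PROBED:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probe only: testing versions, not identity
        try:
            ctx.minimum_version = ctx.maximum_version = version  # offer exactly one version
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ValueError, ssl.SSLError, OSError):  # ValueError: local OpenSSL cannot offer it
            results[version.name] = False
    return results
```

Running `audit_context` over every context your application builds, in a unit test, catches a regression to the legacy settings before a scanner does.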

TLS is a hybrid cryptosystem: it uses both symmetric and asymmetric algorithms in unison. For example, asymmetric algorithms such as signature algorithms can be used to authenticate peers, while public key encryption algorithms or Diffie-Hellman exchanges can be used to negotiate shared secrets and authenticate certificates. On the symmetric side, stream ciphers (both native ones and block ciphers in a mode of operation) are used to encrypt the actual data being transmitted, and MAC algorithms are used to authenticate that data. TLS is the world's most common cryptosystem, and hence probably also the most studied.

The part of your system handling the TLS protocol is said to be doing “TLS termination”. If you terminate TLS at the first entry point to your network, then traffic on your internal network may be unencrypted.
