STARTTLS vs SSL/TLS [closed] - ssl

Mail clients offer both settings, STARTTLS and SSL/TLS. What is the difference between STARTTLS and SSL/TLS?

The clearest explanation that I've read is from FastMail:
SSL and TLS both provide a way to encrypt a communication channel
between two computers (e.g. your computer and our server). TLS is the
successor to SSL and the terms SSL and TLS are used interchangeably
unless you're referring to a specific version of the protocol.
STARTTLS is a way to take an existing insecure connection, and upgrade
it to a secure connection using SSL/TLS. Note that despite having TLS
in the name, STARTTLS doesn't mean you have to use TLS, you can use
SSL.
Read the rest of the info they have, including a discussion of port numbers and POP/IMAP vs SMTP, here: https://www.fastmail.fm/help/technology_ssl_vs_tls_starttls.html

The question is quite vague, but I guess I understand it. STARTTLS means "explicit TLS", where the connection is established on the regular port and then the STARTTLS command is sent to initiate the SSL handshake and switch to protection mode. Another option probably defines implicit SSL/TLS on a dedicated port. In implicit mode, the handshake takes place first and then the application-level protocol runs over the established secure channel.

If you select "TLS if available", Thunderbird will make a TCP/IP connection to the mail server and send a command to ask what capabilities the mail server has. If it says it supports STARTTLS, Thunderbird will change the connection to a TLS connection. However, if the mail server doesn't support STARTTLS, the connection doesn't fail. Thunderbird continues to use a normal connection. This is a security risk since Thunderbird doesn't display some icon to indicate whether the connection is secure like a browser does, and you're vulnerable to man-in-the-middle (MITM) attacks.
Source:
http://kb.mozillazine.org/Secure_connections_-_Thunderbird
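
The fallback behaviour described in the last answer, as an added example that is not part of the original answers: a client that requires STARTTLS refuses to continue when the server does not advertise it, while a "TLS if available" client silently stays in plaintext. The local test server, the `mail.example` and `client.example` names and the `connect` helper are constructed for illustration.

```python
import smtplib
import socketserver
import ssl
import threading

class NoStartTLSHandler(socketserver.StreamRequestHandler):
    """Constructed test server: speaks SMTP but never advertises STARTTLS,
    which is what a client sees when the capability is absent or stripped."""
    def handle(self):
        self.wfile.write(b"220 mail.example ESMTP\r\n")
        for line in self.rfile:
            verb = line.strip().upper()
            if verb.startswith(b"EHLO"):
                # Capability list without a STARTTLS line.
                self.wfile.write(b"250-mail.example\r\n250 SIZE 1000000\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")

def start_test_server():
    """Start the constructed server on a free loopback port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), NoStartTLSHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def connect(host, port, require_tls):
    """Return 'tls' or 'plaintext'; raise if TLS is required but not offered."""
    client = smtplib.SMTP(host, port, local_hostname="client.example", timeout=5)
    try:
        client.ehlo()
        if client.has_extn("starttls"):
            # Explicit TLS: upgrade the existing connection, then re-issue EHLO.
            client.starttls(context=ssl.create_default_context())
            client.ehlo()
            return "tls"
        if require_tls:
            raise smtplib.SMTPNotSupportedError(
                "STARTTLS not offered; refusing to continue in plaintext")
        return "plaintext"  # the "TLS if available" outcome
    finally:
        client.close()

if __name__ == "__main__":
    srv = start_test_server()
    print(connect(*srv.server_address, require_tls=False))
    srv.shutdown()
```
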

Related

What is the purpose of SSL in Games [closed]

I understand what data encryption is and what role SSL plays in it, but I need to know what role encryption would play in an online game. I have heard many reports of SSL in games, Heartbleed being a popular one, but I just don't see the need for data encryption in games. If something as minuscule as terrain data is being transferred from server to client, then what is the need for encryption?
What role does data encryption play in games?
What data should and shouldn't be encrypted?
If encryption is needed, which is better, SSL or TLS? Or are they used for different purposes?
I'm not familiar with games; however, what I know is that both SSL and TLS are used for encryption in web communications. However, SSL is almost dead (at least SSLv3) due to the several attacks it cannot handle. I don't know if you have lately visited an “https” site which uses SSLv3 using either Firefox or Chrome, but they may say something like this:
Firefox:
Unable to Connect Securely
Firefox cannot guarantee the safety of your data on xxx.xxx.xxx.xxx because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap
Chrome:
This webpage is not available
A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
So, the answer to your last question should be: use TLS (TLS 1.2 if possible) instead of SSL. TLS, in fact, is basically the evolution of SSL.

How to configure RDP with TLS in Windows 7 [closed]

I have a server and a client running Windows 7 Ultimate. I would like to configure them so that the server and client communicate under TLS.
On the server, I go to Local Group Policy -> Remote Desktop Host -> Security to set the Security Layer to TLS 1.0.
When I connect to the server from the client, I captured the packets using Wireshark, but I never see the TLS setup.
I googled a lot regarding how to set up TLS. It said that the self-signed cert is not trusted by the trusted root CA. Is it because of this that TLS can't be set up?
Wireshark often can't guess the protocol when the protocol changes on the same connection. This is typically the case for most protocols that upgrade to SSL/TLS on the same connection (using STARTTLS-like mechanisms).
If you want to see this, you have to tell Wireshark to decode the packets as SSL/TLS: right-click and choose Decode As -> Transport -> SSL.
This should work even with a self-signed certificate (typically one is generated automatically and configured by default on a Windows 7 Pro machine, for example). In this case, if you want the connection to be secure, you'd need to verify manually that it is the certificate set up on that machine.

connecting SSL to subdomain [closed]

I have an SSL assigned to my main domain and I'm wondering if I can use the SSL on my sub-domain! I frankly tried it out, but it shows a warning page saying that this page is not safe and so on. Is there a solution to this so I can use the SSL on my sub-domain to let clients send their info over a secure connection?
The error message: "This webpage is not available"
X.509 certificates (often called "SSL Certificates") are usually only bound to a single domain, usually mydomain.example, www.mydomain.example or secure.mydomain.example. They cannot be used on any other domain name, even if it's a subdomain (so a certificate for mydomain.example cannot be used for www.mydomain.example and vice-versa).
There currently exist 2 other types of certificates which can be used to secure multiple domain names simultaneously:
A relatively new type of certificate called an "SAN Certificate" - short for "Subject Alternative Name" - also sometimes called "Unified Communications Certificates" after a feature in Microsoft Exchange Server which requires this certificate type. These certificates declare a finite list of hostnames they can be used against.
Then there's wildcard certificates. Historically these were very expensive but recently we've seen a huge drop in price. With one of these certs you can secure anysubdomain.mydomain.example including the top-level mydomain.example.
Without either of these SSL certificates you'll need to get an SSL cert for each domain name you want to secure.
Note that having a different certificate for each hostname/domain-name can cause problems because the TLS system establishes security for the channel before the HTTP Host: header is sent - this means that each secured website will need its own IP address or port number.
...unless you use SNI (Server Name Identification) certificates. The good news is that all modern browsers and servers support SNI, so multiple secure websites can share IP addresses and port bindings with their own certificates (so without needing a single SAN certificate that lists all domains on it).
The bad news is that Internet Explorer on Windows XP cannot connect to SNI websites (but Chrome and Firefox are okay), and on the server-side you need at least Windows Server 2012 or later. So adopt SNI based on how popular IE+XP usage is.
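
How a client decides whether a certificate's names cover a hostname, as an added example that is not part of the original answer. It assumes RFC 6125-style matching (a wildcard stands for exactly one left-most label); the three sample name lists are constructed, using the `mydomain.example` names from the answer, and the wildcard sample lists the bare domain as its own entry.

```python
def san_matches(san, hostname):
    """True if one dNSName entry covers hostname (RFC 6125-style rules, assumed)."""
    pattern = san.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        # A wildcard is accepted only as the whole left-most label, stands for
        # exactly one label, and is rejected directly under a top-level label.
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    return pattern == labels

def uncovered(san_list, hostnames):
    """Hostnames that would trigger a browser warning with this certificate."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]

# Constructed name lists for the three certificate types discussed above.
SINGLE_NAME = ["mydomain.example"]
SAN_CERT = ["mydomain.example", "www.mydomain.example", "secure.mydomain.example"]
WILDCARD = ["*.mydomain.example", "mydomain.example"]  # bare domain as its own entry

HOSTS = ["mydomain.example", "www.mydomain.example",
         "shop.mydomain.example", "a.b.mydomain.example"]

if __name__ == "__main__":
    for name, sans in [("single", SINGLE_NAME), ("SAN", SAN_CERT),
                       ("wildcard", WILDCARD)]:
        print(name, "does not cover:", uncovered(sans, HOSTS))
```
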

Is "man in middle" possible for VPN during the first time client connect to the server? [closed]

According to http://en.wikipedia.org/wiki/Secure_Shell#Key_management, ssh is vulnerable to "man-in-the-middle" attack when establishing the first connection with server.
SSH also supports password-based authentication that is encrypted by automatically generated keys. In this case the attacker could imitate the legitimate side, ask for the password and obtain it (man-in-the-middle attack). However this is only possible if the two sides have never authenticated before, as SSH remembers the key that the remote side once used.
Does VPN suffer from the same "weakness"?
If the VPN server is authenticated using a key which is known to the client, then there's no problem - the key is already known (and supposedly trusted) and the client can be sure that it has connected to the legitimate server.
The same applies to SSH. The wording in Wikipedia is not exactly correct - for the first connection to be reliable, the client should know the valid server key. It's not important if "they have authenticated before". It's important that the client trusts the key.
How can the key be trusted on the client? When an X.509 certificate is used in SSL/TLS, it's validated according to sophisticated rules and the certificate chain is built up to the trusted root certificate. If the chain can't be built, then the end-entity certificate is not trusted. In SSH there are no certificate chains and the only way the client can trust the server is when the client has the server's key transferred using some other mechanism (voice call or paper or USB stick or separate SSL/TLS connection, whatever).
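
Checking a host key on first connection against a fingerprint received through another channel, as an added example that is not part of the original answer. The key lines are constructed (not real server keys), and `make_sample_key_line` and `first_connect_decision` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct

def make_sample_key_line(host, seed):
    """Build a constructed known_hosts-style line: '<host> <type> <base64 blob>'."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    # Key blob layout: length-prefixed key type, then length-prefixed key bytes.
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def fingerprint(key_line):
    """SHA256 fingerprint in the form OpenSSH prints: SHA256:<unpadded base64>."""
    _host, _key_type, b64_blob = key_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def first_connect_decision(offered_line, trusted_fp):
    """Compare the key the server offers with a fingerprint obtained out of band."""
    if trusted_fp is None:
        # Nothing to compare against: accepting here is trust on first use,
        # the case in which an impostor's key would be remembered as genuine.
        return "unverified"
    offered_fp = fingerprint(offered_line)
    return "trusted" if hmac.compare_digest(offered_fp, trusted_fp) else "mismatch"

if __name__ == "__main__":
    genuine = make_sample_key_line("vpn.example", b"constructed server key")
    impostor = make_sample_key_line("vpn.example", b"constructed other key")
    known_fp = fingerprint(genuine)  # stands in for the value read over the phone
    print(first_connect_decision(genuine, known_fp))
    print(first_connect_decision(impostor, known_fp))
    print(first_connect_decision(impostor, None))
```
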

JDBC over SSL to a Cache database

I'm pretty far out of my depth here, so bear with me. We're using JDBC via com.intersys.jdbc.cachedriver to run stored procedures in Intersystems Cache and get the results in Java. However, there are other clients that connect directly to the Cache using a terminal over telnet. We have to lock down Cache's telnet port so that only telnet over SSL is possible. However, the Cache experts here say that locking down one port in Cache locks them all down, so the Java to Cache connection will also have to use SSL. I understand vaguely that some JDBC drivers support SSL, but I don't see that the Cache one does. What I need to know is:
What's needed to configure SSL for the JDBC connections? (We're using JBoss 4.2.3)
What about certificates? I assume those have to go somewhere.
Is it actually true that locking down the telnet connections is also going to lock down JDBC in the same way?
Configuring Java Clients to Use SSL/TLS with Caché
Using SSL/TLS with Caché
Telnet vs ssh is a question about what the OS allows and only relates to Cache peripherally. It doesn't mean anything regarding items 1 or 2. So in answer to the direct question you are asking, "No".
1. What's needed to configure SSL for the JDBC connections? (We're using JBoss 4.2.3)
See http://docs.intersystems.com/cache20102/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_ssltls#GCAS_ssltls_javacli for details. This section doesn't explicitly mention JDBC, but it's true for JDBC (and the reference has been added for the documentation 2011.1 [next release]).
2. What about certificates? I assume those have to go somewhere.
To quote the documentation: "If the client has a private key and certificate, these are stored in the client’s keystore; the keystore can also hold the client’s root CA certificate and any intermediate CA certificates. To authenticate the server, the client may need to have the root CA certificate for the server and any intermediate CA certificates, these can be stored either in the client’s truststore or along with client certificate information in the keystore. For more information on keystores and truststores, see the section “Keystores and Truststores” in the Java Secure Socket Extension (JSSE) Reference Guide."
3. Is it actually true that locking down the telnet connections is also going to lock down JDBC in the same way?
Yes -- if telnet connections are to require TLS, then the superserver TLS setting needs to be Required, which means that you have to use TLS for anything that goes through the superserver (including JDBC). If you just want to allow the use of TLS for telnet connections, set the TLS value to Enabled, which allows non-TLS connections by other means (such as JDBC).