28 05, 2015

How does SSL/TLS work – part four

Previous posts in this series have covered the SSL/TLS protocol in some detail. Now it’s time to examine some of the more recent vulnerabilities that have been found, and how they were (and can be) dealt with.

Heartbleed

Heartbleed is one of the most serious vulnerabilities ever found in SSL/TLS, allowing the theft of server keys, user session IDs and user passwords from compromised systems. It was not, however, an SSL protocol flaw, but rather […]

16 05, 2015

CompleteFTP scheduled events

Up until 8.3.0, CompleteFTP’s process triggers were initiated by certain events occurring in the server, such as users logging in or out, or files being uploaded or downloaded. Process triggers could launch a batch, PowerShell or FTP script, or an executable.

Over time it became obvious from customer feedback that users also wanted to be able to initiate scripts independently from server events – they wanted the power of cron to schedule scripts at whatever time […]

21 04, 2015

How does SSL/TLS work – part three

The previous post in this series about SSL/TLS described the handshake – the process that establishes an SSL/TLS session between client and server. The session includes agreed-upon encryption keys. Now, let’s drill down to how the data sent across the wire is packaged – the record protocol and the alert protocol.

Record protocol

The record protocol is responsible for compression, encryption and verification of the data. All data to be transmitted is split into records. Each record consists of a header […]

13 04, 2015

How does SSL/TLS work – part two

As part one explained, SSL/TLS is intended to provide secure network connections between a client (e.g. a web browser), and a server (e.g. a web server) by encrypting all data that is passed between them.

To achieve this, public key encryption is used to verify the parties in the encrypted session, and to provide a way for client and server to agree on a shared symmetric encryption key. This post explains the process in […]

31 03, 2015

How does SSL/TLS work – part one

History

The Secure Sockets Layer (SSL) is a cryptographic protocol designed to secure communications over TCP/IP networks. SSL was developed by Netscape during the early 1990s, but various security flaws meant that it wasn’t until SSL 3.0 was released in 1996 that SSL became popular.

It was also during this time that an open source implementation of SSL called SSLeay was made available by Eric Young, which helped ensure its widespread adoption on the Internet. The Apache web […]

23 03, 2015

What are certificates?

In How does public key encryption work?, it was explained that there needs to be a way of reliably associating public keys with their owners. Using someone’s public key to encrypt a message intended for them requires knowing that it is indeed their public key.

Certificate authorities are the solution to this problem. A certificate authority (a “CA”) is an organization that issues digital certificates. A digital certificate is an electronic document that certifies ownership of […]