TLS (Transport Level Security)

[ibe98765]

There is a setting in IE's Options (advanced tab) for using siomething called TLS, which is supposed to be a super SSL. In the right-click help text it says:You can use TLS when accessing your account. The TLS (Transport Layer Security) protocol is a further development of the SSL (Secure Socket Layer). The TLS protocol protects your mail transmissions over the Internet by adding a layer of encryption, ensuring your transmissions are not subject to sniffing by a third party What "account" are they talking about here? What effect, if any, does it have on email as noted in the text? I turned it on to see what happens but haven't noticed anything yet...

[Marsden11]

SSL was developed by Netscape Communications Corporation in 1994 to secure transactions over the World Wide Web. Soon after, the Internet Engineering Task Force (IETF) began work to develop a standard protocol to provide the same functionality. SSL 3.0 was used as the basis for that work, which is known as the Transport Layer Security protocol (TLS). The implementation of the SSL/TLS protocol in Windows Server 2003 closely follows the specification defined in RFC 2246, “The TLS Protocol Version 1.0.â€The primary feature of SSL/TLS is the ability to secure transmitted data using encryption. SSL/TLS also offers server authentication and, optionally, client authentication to prove the identities of parties engaged in secure communication. It also provides data integrity through an integrity check value. In addition to protecting against data disclosure through encryption, the SSL/TLS security protocol can be used to protect against masquerade attacks, man-in-the-middle or bucket brigade attacks, rollback attacks, and replay attacks.Because SSL/TLS is implemented beneath the application layer, most of its operations are completely invisible to the client. This allows the client to have little or no knowledge of secure communications and still be protected from attackers.Drawbacks:This is the most significant drawback to implementing SSL/TLS. Cryptography, specifically public key operations, are CPU intensive. As a result, there is a performance penalty when using SSL. Unfortunately, there is no single answer to the frequently asked question: how much of performance penalty? The penalty varies widely depending on how often connections are established and how long they last. The greatest overhead occurs while connections are being set up.SSL/TLS ScenariosMany people think of SSL and TLS as protocols used with Web browsers for securely browsing the Internet. However, these are also general purpose protocols that can be used whenever authentication and data protection are necessary. The following examples depict a few uses of SSL/TLS today. This is not an exhaustive list. In fact the ability to access these protocols through the SSPI interface means that anyone take advantage of them for just about any application. Many applications are being modified to take advantage of the features of SSL/TLS.Secure transaction with an e-commerce Web site. This is a typical use of SSL between a browser and a Web server. An example is an e-commerce shopping site where clients need to furnish their credit card numbers. The protocol would first confirm that the Web site’s certificate was valid and then send the client’s credit card information as cipher text. For this type of transaction, where the server’s certificate is from a trusted source, only server-side authentication occurs. SSL/TLS would need to be enabled for the Web page, such as an order form, where the data transactions occur.Authenticated client access to a secure Web site.Both the client and server need certificates from a mutually trusted CA. With Schannel, client certificates can be mapped on a one-to-one or many-to-one basis to their Windows Server 2003 user or computer accounts and can be managed by Active Directory Users and Computers. This is invisible to the users, who can be authenticated to a Website without needing to supply a password.If you want to give several users access to confidential material, you can create a group, map the users’ certificates to the group, and give the group permissions to the material. In one-to-one mapping, the server has a copy of the client’s certificate; whenever the client logs in, the server verifies that they are identical. This one-to-one mapping is typically used for private material, such as a banking site where only one individual has the right to view a personal account.Remote Access. Schannel is used to provide authentication and data protection when users remotely log in to Windows-based systems or networks. Telecommuting is a common use for this technology. Users can more securely access their e-mail or enterprise applications from home or while traveling, reducing the risk of exposure of the information to anyone on the Internet.SQL Access. Microsoft® SQL Serverâ„¢ provides the ability for administrators to require authentication of the client when connecting to the server running SQL Server. In addition, either the client or server can be configured to require encryption of the data transferred between them. Very sensitive information, such as financial or medical databases, can be protected to prevent unauthorized access and disclosure of information on the network.E-mail. Exchange servers can use Schannel to protect data as it moves from server to server on the Intranet or Internet. Full end-to-end security might require the use of Secure/Multipurpose Internet Mail Extensions (S/MIME); however, the protection of data in a server-to-server exchange allows companies to use the Internet to securely transfer e-mail among divisions within the same company, subsidiaries and partners. This can be done regardless of whether S/MIME is used.SSL and FirewallsYou must make some additional decisions if you need to conduct SSL/TLS transactions through a firewall. A firewall is a program that can exist in many different forms, but essentially functions as a barrier between your local area network (LAN) and the outside world. The SSL/TLS protocol interprets a computer on which a firewall is running as presenting a man-in-the-middle attack, which prevents the transaction from happening.You can use one of two approaches to facilitate SSL/TLS transactions through a firewall:Open the firewall to allow all traffic through a designated port. The typical port for HTTP over SSL is 443. This port can be opened to allow traffic through to the destination Web server. Unfortunately, this means that the firewall can make security decisions based only on the apparent origin of the packet and its destination. The firewall cannot examine the encrypted data in the requests.Configure the firewall or boundary system as a proxy server. In this case, the boundary system is the destination for the SSL traffic from the client. The client will authenticate to the boundary system, which will then forward, or proxy, the requests to the internal system. The connection from the boundary system to the internal system might or might not be protected by using SSL. This presents an authentication problem because the proxy needs to transmit the authenticated identity of the original user to the internal system. It is not possible to use the certificate mapping features of Windows Server 2003 at the application server, because the authentication process that relies on the user’s certificate takes place at the proxy.Clear as mud?