Insufficient Transport Layer Protection is the use of an insecure encryption layer to transmit data across a network without the benefit of cryptography. A TLS packet that is transmitted with this protection will be vulnerable to tampering by virtue of its unencrypted state. The most common example of this happening is found in the transmission of FTP packets, where plain-text passwords are sent across the wire and could be intercepted, manipulated, and sold on the dark web to cybercriminals. This will result in those who have invested time and money into their systems as opposed to making end users secure paying a hefty price for it later on down their line. In this scenario, the sender and the receiver, if not all parties in between, are at risk of having their login credentials stolen. This can prevent hackers from gaining access to files on a remote server.
Insufficient Transport Layer Protection:
The lack of sufficient transport layer protection is an extremely common situation in the internet protocol suite today. Because of this, users have become much more secure when it comes to their data being communicated over the network and therefore have been able to elevate their understanding of what information they should or shouldn’t be sending across unsecured mediums such as wireless networks or regular 3G/4G LTE carrier services. It is for this reason that this particular attack vector has been exploited by attackers in the past due to its simplicity and effectiveness. One of the most immediate results of this type of attack on a larger scale is what we see today with the massive amount of wireless surveillance cameras being deployed by local governments. In order to combat this, many companies have introduced a higher layer of transport security that detects any possible tampering regardless of the type of encryption being used on TLS packets.
Although TLS is a widely adopted security protocol in almost every industry today, attackers have managed to find ways to bypass encryption that it employs in an effort to steal data nowadays. This has led to the creation of malicious websites and other resources that attempt to exploit this vulnerability in order to steal credentials and sensitive information from unsuspecting internet users. To combat this, a number of vulnerabilities have been patched to ensure that TLS is functioning as expected in order to protect users from falling victim to these attacks. Although there are still thousands of unpatched TLS implementations on devices today, the uptake of security patches has increased tremendously as a result of these flaws being discovered and patched by various organizations around the world. It can be said that even though there are thousands of unpatched implementations of TLS on devices today, there is still a significant reduction in the number of computers and other internet-enabled devices out there that are vulnerable to this particular attack vector when compared to how many were before.
Key points:
- HTTPS connections are not the same as TLS.
- HTTPS is a layer 7 protocol, and TLS is a layer 4 protocol.
- HTTPS encrypts your data to and from a website (often with an embedded certificate), TLS encrypts the data in transit between two endpoints.
- HTTPS also confirms that you are connecting to the domain you think you are connecting to (i.e., says “this is Facebook dot com”). TLS only authenticates one side of the conversation, it does not confirm that you have connected to Facebook‘s site.
Advantages:
- TLS is built into every browser and operating system.
- TLS is built into all major Internet services.
- TLS can be configured to work with small memory footprints, which makes it ideal for embedded devices and Internet of Things (IoT) applications.
Disadvantages:
- Although most browsers have a default configuration for TLS, most of the time it is possible to get past this initial security line by changing some settings in the browser preferences.
- This may be acceptable where the application requires the use of a very weak cipher suite or otherwise has security concerns with TLS. However, some applications may not accept certain SSL fallback ciphers or certain SSL protocol versions that are allowed by default in many browsers.
Countermeasures:
- HTTPS uses TLS on top of the TCP/IP protocol layer.
- SSL + TLS both work the same way.
- Application Layer Protocol Negotiation (ALPN) extension is a new TLS handshake message, which allows different application layer protocols to be negotiated on top of the secure SSL or TLS transport layer connection.
- ALPN is supported in OpenSSL version 1.0.2 and later versions.
- ALPN is also supported in Boring SSL version 1.3.
Conclusion:
- Authentication, encryption, integrity, and authentication are all essential layers in the security architecture.
- Encryption alone does not secure data. Other measures are required for data protection.
The “traditional” approach to securing communication is to use a symmetric key in combination with a session key, ideally derived from some passphrase-like secret. The generated keys are used to encrypt and decrypt data, and sometimes they are also used as hash keys to generate a message digest of the data in question. Theoretically sound, this approach was laid out by Diffie-Hellman decades ago and has been implemented as the Internet Key Exchange method (IKE) in IPsec today in both free and commercial software products.
To know more, you can refer to the article Layers of OSI Model.