Doing anti-surveillance activism differently

Recent campaigns waged in two Southern African Development Community (SADC) countries provide some interesting lessons about challenging excessive state security power. Screenshot: Right2Know marches to the South African Parliament, October 2011. YouTube. Sout…

Mass surveillance powers ruling welcomed

Civil liberty campaigners have a ruling by the High Court of Justice (Queen’s Bench Division) – that a part of the 2016 Investigatory Powers Act, which would force broadband ISPs [internet service providers…

‘Surveillance’ Writer Follows His ‘Intuition’

Kent Harper (Surveillance) is set to direct the supernatural horror thriller Intuition from his own script, also starring “Ugly Betty” alumnus Stelio Savante, Bloody Disgusting learned. In the film: “A man (Harper) is trapped in a hallucinogenic nightmare where hi…

Trail Surveillance Waterproof Digital Camera

Amazon.com : Abask Wildlife Camera, Trail Surveillance Waterproof Digital Camera 3 Zone Infrared Sensor Trail Camera 12MP 1080P HD With Time Lapse 65ft 120° Wide Angle Night Vision For Game & Hunting : Sports & Outdoors

With ‘Sharp Eyes’, Smart Phones and TV Sets Are Watching Chinese Citizens

By 2020, China could have a comprehensive nationwide surveillance network, wherein law enforcement will have easy access to data collected by any individual surveillance camera in the network.

Global Video Surveillance Market 2018-2025: Rise in Incorporation of Artificial Intelligence in Video Surveillance Systems

DUBLIN, May 29, 2018 /PRNewswire/

Erratum: Vol. 67, No. SS-1

In the Surveillance Summary “Disparities in Preconception Health Indicators — Behavioral Risk Factor Surveillance System, 2013–2015, and Pregnancy Risk Assessment Monitoring System, 2013–2014,”

Smile, you’re on camera: Surveillance footage shows thief stealing surveillance device

A man accused of stealing surveillance cameras from a Brandon business is facing charges after police were able to use footage from the stolen cameras to identify their suspect.

Registered Security

A registered security is either a security whose owner is kept on file with the issuer or a security whose transfer is restricted.

Carmax Security

I worked with Carmax to develop some fun illustrations to be used throughout their app.

App security

Hyper connectivity, regulatory pressures, and heightened customer expectations are all having a significant impact on how companies operate. From financial services to retail stores, applications are now central to a rapidly evolving digital landscape.

Security System

I think it is designed well.

Seasoned Security

A seasoned security has been publicly traded in the secondary market long enough to eliminate any short-term effects from its IPO.

Network Security

Network Security MP4 | Video: AVC 1280×720 | Audio: AAC 44KHz 2ch | Duration: 2 Hours 15M | 389 MB | Genre: eLearning | Language: English

Surprise Surveillance Theater

The goal was to take unsuspecting revelers and thrust them into a narrative involving a black market, requiring the target to pass secret notes, hold rendezvous, wear a wire, and make a mysterious delivery. All of this was watched by a live audience on more than a dozen TVs showing footage captured by strategically placed video cameras, but the full scope of the experience was only revealed to the target at the very end, when he or she delivered a secret package to the waiting audience.

Terrelle Pryor Says He Was Racially Taunted; N.F.L. to Investigate

The Redskins receiver made an obscene gesture to fans after Monday night’s game, which he said was motivated by racial slurs from the crowd.

Brooklyn Prosecutors Investigating Rape Charge Against Detectives

Two New York City police detectives were accused of raping an 18-year-old girl while she was in their custody, city officials said.

Olympics Bribery Inquiry Includes Société Générale Transactions

French prosecutors have concerns that the bank might have breached money-laundering regulations, according to documents reviewed by The New York Times.

N.S.A. Warrantless Surveillance Aided Turks After Attack, Officials Say

Security officials testified about the value of the surveillance program with the expiration of its legal authorization looming at the end of 2017.

Company Lost Secret 2014 Fight Over ‘Expansion’ of N.S.A. Surveillance

The 2014 fight is the first time that a communications company that works with the N.S.A. is known to have challenged a law on warrantless surveillance.

CCTV Surveillance Pack

https://vimeo.com/120243636 – Download this After Effects template from http://videohive.net/item/cctv-surveillance-pack/10517146

United Nations Security Council

The United Nations Security Council (UNSC) is one of the six principal organs of the United Nations,[1] charged with the maintenance of international peace and security[2] as well as accepting new members to the United Nations[3] and approving any changes to its United Nations Charter.[4] Its powers include the establishment of peacekeeping operations, the establishment of international sanctions, and the authorization of military action through Security Council resolutions; it is the only UN body with the authority to issue binding resolutions to member states. The Security Council held its first session on 17 January 1946.

Like the UN as a whole, the Security Council was created following World War II to address the failings of a previous international organization, the League of Nations, in maintaining world peace. In its early decades, the Security Council was largely paralyzed by the Cold War division between the US and USSR and their respective allies, though it authorized interventions in the Korean War and the Congo Crisis and peacekeeping missions in the Suez Crisis, Cyprus, and West New Guinea. With the collapse of the Soviet Union, UN peacekeeping efforts increased dramatically in scale, and the Security Council authorized major military and peacekeeping missions in Kuwait, Namibia, Cambodia, Bosnia, Rwanda, Somalia, Sudan, and the Democratic Republic of Congo.

The Security Council consists of fifteen members.[5] The great powers that were the victors of World War II—the Soviet Union (now represented by the Russian Federation), the United Kingdom, France, the Republic of China (now represented by the People’s Republic of China), and the United States—serve as the body’s five permanent members. These permanent members can veto any substantive Security Council resolution, including those on the admission of new member states or candidates for Secretary-General. The Security Council also has 10 non-permanent members, elected on a regional basis to serve two-year terms. The body’s presidency rotates monthly among its members.

Security Council resolutions are typically enforced by UN peacekeepers, military forces voluntarily provided by member states and funded independently of the main UN budget. As of 2016, 103,510 peacekeepers and 16,471 civilians were deployed on sixteen peacekeeping operations and one special political mission.[6]

History

Background and creation

In the century prior to the UN’s creation, several international treaty organizations and conferences had been formed to regulate conflicts between nations, such as the International Committee of the Red Cross and the Hague Conventions of 1899 and 1907.[7] Following the catastrophic loss of life in World War I, the Paris Peace Conference established the League of Nations to maintain harmony between the nations.[8] This organization successfully resolved some territorial disputes and created international structures for areas such as postal mail, aviation, and opium control, some of which would later be absorbed into the UN.[9] However, the League lacked representation for colonial peoples (then half the world’s population) and significant participation from several major powers, including the US, USSR, Germany, and Japan; it failed to act against the 1931 Japanese invasion of Manchuria, the Second Italo-Ethiopian War in 1935, the 1937 Japanese occupation of China, and Nazi expansions under Adolf Hitler that escalated into World War II.[10]

British Prime Minister Winston Churchill, US President Franklin D. Roosevelt, and Soviet General Secretary Joseph Stalin at the Yalta Conference, February 1945

The earliest concrete plan for a new world organization began under the aegis of the US State Department in 1939.[11] Roosevelt first coined the term United Nations to describe the Allied countries. “On New Year’s Day 1942, President Roosevelt, Prime Minister Churchill, Maxim Litvinov, of the USSR, and T. V. Soong, of China, signed a short document which later came to be known as the United Nations Declaration and the next day the representatives of twenty-two other nations added their signatures.”[12] The term United Nations was first officially used when 26 governments signed this Declaration. By 1 March 1945, 21 additional states had signed.[13] “Four Policemen” was coined to refer to the four major Allied countries: the United States, the United Kingdom, the Soviet Union, and China,[14] and became the foundation of an executive branch of the United Nations, the Security Council.[15]

In mid-1944, the delegations from the Allied “Big Four”, the Soviet Union, the UK, the US and China, met for the Dumbarton Oaks Conference in Washington, D.C. to negotiate the UN’s structure,[16] and the composition of the UN Security Council quickly became the dominant issue. France, the Republic of China, the Soviet Union, the UK, and US were selected as permanent members of the Security Council; the US attempted to add Brazil as a sixth member, but was opposed by the heads of the Soviet and British delegations.[17] The most contentious issue at Dumbarton and in successive talks proved to be the veto rights of permanent members. The Soviet delegation argued that each nation should have an absolute veto that could block matters from even being discussed, while the British argued that nations should not be able to veto resolutions on disputes to which they were a party. At the Yalta Conference of February 1945, the American, British, and Russian delegations agreed that each of the “Big Five” could veto any action by the council, but not procedural resolutions, meaning that the permanent members could not prevent debate on a resolution.[18]

On 25 April 1945, the UN Conference on International Organization began in San Francisco, attended by 50 governments and a number of non-governmental organizations involved in drafting the United Nations Charter.[19] At the conference, H. V. Evatt of the Australian delegation pushed to further restrict the veto power of Security Council permanent members.[20] Due to the fear that rejecting the strong veto would cause the conference’s failure, his proposal was defeated twenty votes to ten.[21]

The UN officially came into existence on 24 October 1945 upon ratification of the Charter by the five then-permanent members of the Security Council and by a majority of the other 46 signatories.[19] On 17 January 1946, the Security Council met for the first time at Church House, Westminster, in London, United Kingdom.[22]

Church House in London where the first Security Council Meeting took place on 17 January 1946

Cold War

The Security Council was largely paralysed in its early decades by the Cold War between the US and USSR and their allies, and the Council generally was only able to intervene in unrelated conflicts.[23] (A notable exception was the 1950 Security Council resolution authorizing a US-led coalition to repel the North Korean invasion of South Korea, passed in the absence of the USSR.)[19][24] In 1956, the first UN peacekeeping force was established to end the Suez Crisis;[19] however, the UN was unable to intervene against the USSR’s simultaneous invasion of Hungary following that country’s revolution.[25] Cold War divisions also paralysed the Security Council’s Military Staff Committee, which had been formed by Articles 45–47 of the UN Charter to oversee UN forces and create UN military bases. The committee continued to exist on paper but largely abandoned its work in the mid-1950s.[26][27]

In 1960, the UN deployed the United Nations Operation in the Congo (UNOC), the largest military force of its early decades, to restore order to the breakaway State of Katanga, restoring it to the control of the Democratic Republic of the Congo by 1964.[28] However, the Security Council found itself bypassed in favour of direct negotiations between the superpowers in some of the decade’s larger conflicts, such as the Cuban missile crisis or the Vietnam War.[29] Focusing instead on smaller conflicts without an immediate Cold War connection, the Security Council deployed the United Nations Temporary Executive Authority in West New Guinea in 1962 and the United Nations Peacekeeping Force in Cyprus in 1964, the latter of which would become one of the UN’s longest-running peacekeeping missions.[30][31]

On 25 October 1971, over US opposition but with the support of many Third World nations, the mainland, communist People’s Republic of China was given the Chinese seat on the Security Council in place of Taiwan; the vote was widely seen as a sign of waning US influence in the organization.[32] With an increasing Third World presence and the failure of UN mediation in conflicts in the Middle East, Vietnam, and Kashmir, the UN increasingly shifted its attention to its ostensibly secondary goals of economic development and cultural exchange. By the 1970s, the UN budget for social and economic development was far greater than its budget for peacekeeping.[33]

Post-Cold War

US Secretary of State Colin Powell holds a model vial of anthrax while giving a presentation to the Security Council in February 2003.

After the Cold War, the UN saw a radical expansion in its peacekeeping duties, taking on more missions in ten years’ time than it had in its previous four decades.[34] Between 1988 and 2000, the number of adopted Security Council resolutions more than doubled, and the peacekeeping budget increased more than tenfold.[35] The UN negotiated an end to the Salvadoran Civil War, launched a successful peacekeeping mission in Namibia, and oversaw democratic elections in post-apartheid South Africa and post-Khmer Rouge Cambodia.[36] In 1991, the Security Council demonstrated its renewed vigor by condemning the Iraqi invasion of Kuwait on the same day of the attack, and later authorizing a US-led coalition that successfully repulsed the Iraqis.[37] Undersecretary-General Brian Urquhart later described the hopes raised by these successes as a “false renaissance” for the organization, given the more troubled missions that followed.[38]

Though the UN Charter had been written primarily to prevent aggression by one nation against another, in the early 1990s the UN faced a number of simultaneous, serious crises within nations such as Haiti, Mozambique and the former Yugoslavia.[39] The UN mission to Bosnia faced “worldwide ridicule” for its indecisive and confused mission in the face of ethnic cleansing.[40] In 1994, the United Nations Assistance Mission for Rwanda failed to intervene in the Rwandan Genocide in the face of Security Council indecision.[41]

In the late 1990s, UN-authorised international interventions took a wider variety of forms. The UN mission in the 1991–2002 Sierra Leone Civil War was supplemented by British Royal Marines, and the UN-authorised 2001 invasion of Afghanistan was overseen by NATO.[42] In 2003, the US invaded Iraq despite failing to pass a UN Security Council resolution for authorization, prompting a new round of questioning of the organization’s effectiveness.[43] In the same decade, the Security Council intervened with peacekeepers in crises including the War in Darfur in Sudan and the Kivu conflict in the Democratic Republic of Congo. In 2013, an internal review of UN actions in the final battles of the Sri Lankan Civil War in 2009 concluded that the organization had suffered “systemic failure”.[44] In November/December 2014, Egypt presented a motion proposing an expansion of the NPT (non-Proliferation Treaty), to include Israel and Iran; this proposal was due to increasing hostilities and destruction in the Middle-East connected to the Syrian Conflict as well as others. All members of the Security Council are signatory to the NPT.[45]

Role

The UN’s role in international collective security is defined by the UN Charter, which authorizes the Security Council to investigate any situation threatening international peace; recommend procedures for peaceful resolution of a dispute; call upon other member nations to completely or partially interrupt economic relations as well as sea, air, postal, and radio communications, or to sever diplomatic relations; and enforce its decisions militarily, or by any means necessary. The Security Council also recommends the new Secretary-General to the General Assembly and recommends new states for admission as member states of the United Nations.[46][47] The Security Council has traditionally interpreted its mandate as covering only military security, though US Ambassador Richard Holbrooke controversially persuaded the body to pass a resolution on HIV/AIDS in Africa in 2000.[48]

Under Chapter VI of the Charter, “Pacific Settlement of Disputes”, the Security Council “may investigate any dispute, or any situation which might lead to international friction or give rise to a dispute”. The Council may “recommend appropriate procedures or methods of adjustment” if it determines that the situation might endanger international peace and security.[49] These recommendations are generally considered to not be binding, as they lack an enforcement mechanism.[50] A minority of scholars, such as Stephen Zunes, have argued that resolutions made under Chapter VI are “still directives by the Security Council and differ only in that they do not have the same stringent enforcement options, such as the use of military force”.[51]

Under Chapter VII, the Council has broader power to decide what measures are to be taken in situations involving “threats to the peace, breaches of the peace, or acts of aggression”.[27] In such situations, the Council is not limited to recommendations but may take action, including the use of armed force “to maintain or restore international peace and security”.[27] This was the legal basis for UN armed action in Korea in 1950 during the Korean War and the use of coalition forces in Iraq and Kuwait in 1991 and Libya in 2011.[52][53] Decisions taken under Chapter VII, such as economic sanctions, are binding on UN members; the Security Council is the only UN body with the authority to issue binding resolutions.[54][55]

The Rome Statute of the International Criminal Court recognizes that the Security Council has authority to refer cases to the Court in which the Court could not otherwise exercise jurisdiction.[56] The Council exercised this power for the first time in March 2005, when it referred to the Court “the situation prevailing in Darfur since 1 July 2002”; since Sudan is not a party to the Rome Statute, the Court could not otherwise have exercised jurisdiction.[57][58] The Security Council made its second such referral in February 2011 when it asked the ICC to investigate the Libyan government’s violent response to the Libyan Civil War.[59]

Security Council Resolution 1674, adopted on 28 April 2006, “reaffirms the provisions of paragraphs 138 and 139 of the 2005 World Summit Outcome Document regarding the responsibility to protect populations from genocide, war crimes, ethnic cleansing and crimes against humanity”.[60] The Security Council reaffirmed this responsibility to protect in Resolution 1706 on 31 August of that year.[61] These resolutions commit the Security Council to take action to protect civilians in an armed conflict, including taking action against genocide, war crimes, ethnic cleansing, and crimes against humanity.[62]

Members

Permanent members

The Security Council’s five permanent members, below, have the power to veto any substantive resolution; this allows a permanent member to block adoption of a resolution, but not to prevent or end debate.[63]

At the UN’s founding in 1945, the five permanent members of the Security Council were the Republic of China, the French Republic, the Soviet Union, the United Kingdom, and the United States. There have been two major seat changes since then. China’s seat was originally held by Chiang Kai-shek’s Nationalist Government, the Republic of China. However, the Nationalists were forced to retreat to the island of Taiwan in 1949, during the Chinese Civil War. The Communist government assumed control of mainland China, thenceforth known as the People’s Republic of China. In 1971, General Assembly Resolution 2758 recognized the People’s Republic as the rightful representative of China in the UN and gave it the seat on the Security Council that had been held by the Republic of China, which was expelled from the UN altogether with no opportunity of membership as a separate nation.[32] After the dissolution of the Soviet Union in 1991, the Russian Federation was recognized as the legal successor state of the Soviet Union and maintained the latter’s position on the Security Council.[64] Additionally, France reformed its government into the French Fifth Republic in 1958, under the leadership of Charles de Gaulle. France maintained its seat as there was no change in its international status or recognition, although many of its overseas possessions eventually became independent.[65]

The five permanent members of the Security Council were the victorious powers in World War II[66] and have maintained the world’s most powerful military forces ever since. They have annually topped the list of countries with the highest military expenditures.[67] In 2013, they spent over US$1 trillion combined on defence, accounting for over 55% of global military expenditures (the US alone accounting for over 35%).[67] They are also among the world’s largest arms exporters[68] and are the only nations officially recognized as “nuclear-weapon states” under the Nuclear Non-Proliferation Treaty (NPT), though there are other states known or believed to be in possession of nuclear weapons.[69]

Veto power

Number of resolutions vetoed by each of the five permanent members of the Security Council between 1946 and 2017[70]

Under Article 27 of the UN Charter, Security Council decisions on all substantive matters require the affirmative votes of nine members. A negative vote or “veto” by a permanent member prevents adoption of a proposal, even if it has received the required votes.[63] Abstention is not regarded as a veto in most cases, though all five permanent members must actively concur to amend the UN Charter or to recommend the admission of a new UN member state.[54] Procedural matters are not subject to a veto, so the veto cannot be used to avoid discussion of an issue. The same holds for certain decisions that directly regard permanent members.[63] A majority of vetoes are used not in critical international security situations, but for purposes such as blocking a candidate for Secretary-General or the admission of a member state.[71]

Current permanent and other members of UNSC

In the negotiations building up to the creation of the UN, the veto power was resented by many small countries, and in fact was forced on them by the veto nations – the US, UK, China, France and the Soviet Union – through the threat that without the veto there would be no UN. Here is a description by Francis O. Wilcox, an adviser to the US delegation to the 1945 conference: “At San Francisco, the issue was made crystal clear by the leaders of the Big Five: it was either the Charter with the veto or no Charter at all. Senator Connally [from the US delegation] dramatically tore up a copy of the Charter during one of his speeches and reminded the small states that they would be guilty of that same act if they opposed the unanimity principle. ‘You may, if you wish,’ he said, ‘go home from this Conference and say that you have defeated the veto. But what will be your answer when you are asked: “Where is the Charter”?’”[72]

As of 2012, 269 vetoes had been cast since the Security Council’s inception.[a] In this period, China (ROC/PRC) used the veto 9 times, France 18, USSR/Russia 128, the UK 32, and the US 89. Roughly two-thirds of Soviet/Russian vetoes were in the first ten years of the Security Council’s existence. Between 1996 and 2012, China vetoed 5 resolutions, Russia 7, and the US 13, while France and the UK did not use the veto.[71]

An early veto by Soviet Commissar Andrei Vishinsky blocked a resolution on the withdrawal of French forces from the then-colonies of Syria and Lebanon in February 1946; this veto established the precedent that permanent members could use the veto on matters outside of immediate concerns of war and peace. The USSR went on to veto matters including the admission of Austria, Cambodia, Ceylon, Finland, Ireland, Italy, Japan, Laos, Libya, Portugal, South Vietnam, and Transjordan as UN member states, delaying their joining by several years. Britain and France used the veto to avoid Security Council condemnation of their actions in the 1956 Suez Crisis. The first veto by the US came in 1970, blocking General Assembly action in Southern Rhodesia. From 1985–90, the US vetoed 27 resolutions, primarily to block resolutions it perceived as anti-Israel but also to protect its interests in Panama and Korea. The USSR, US, and China have all vetoed candidates for Secretary-General, with the US using the veto to block the re-election of Boutros Boutros-Ghali in 1996.[73]

Chart: Security Council seats held by each of the United Nations Regional Groups (African Group; Asia-Pacific Group; Eastern European Group; Group of Latin American and Caribbean States (GRULAC); Western European and Others Group (WEOG)). The United States, a WEOG observer, is treated as if it were a full member. This is not how the seats are arranged in actual meetings of the Council.

Non-permanent members

Along with the five permanent members, the Security Council has temporary members that hold their seats on a rotating basis by geographic region. Non-permanent members may be involved in global security briefings.[74] In its first two decades, the Security Council had six non-permanent members, the first of which were Australia, Brazil, Egypt, Mexico, the Netherlands, and Poland. In 1965, the number of non-permanent members was expanded to ten.[75]

These ten non-permanent members are elected by the General Assembly for two-year terms starting on 1 January, with five replaced each year.[76] To be approved, a candidate must receive at least two-thirds of all votes cast for that seat, which can result in deadlock if there are two roughly evenly matched candidates. In 1979, a standoff between Cuba and Colombia only ended after three months and a record 154 rounds of voting; both eventually withdrew in favour of Mexico as a compromise candidate.[77] A retiring member is not eligible for immediate re-election.[78]

The African Group is represented by three members; the Latin America and the Caribbean, Asia-Pacific, and Western European and Others groups by two apiece; and the Eastern European Group by one. Traditionally, one of the seats assigned to either the Asia-Pacific Group or the African Group is filled by a nation from the Arab world.[79] Currently, elections for terms beginning in even-numbered years select two African members, and one each within Eastern Europe, Asia-Pacific, and Latin America and the Caribbean. Terms beginning in odd-numbered years consist of two Western European and Other members, and one each from Asia-Pacific, Africa, and Latin America and the Caribbean.[77]

The current elected members, with the regions they were elected to represent, are as follows:[76]

The 2017–18 term will be the first time in over five decades that two members have agreed to split a term, with Italy and the Netherlands agreeing that each would occupy the WEOG seat for a one-year term;[82] otherwise intractable deadlocks have instead usually been resolved by the candidate countries withdrawing in favour of a third member state.

President

United Nations Security Council by political international per country’s head of government. Blue: International Democrat Union; red: Progressive Alliance; yellow: Liberal International; dark red: International Communist Seminar; gray: none or independent.

The role of president of the Security Council involves setting the agenda, presiding at its meetings and overseeing any crisis. The president is authorized to issue both presidential statements (subject to consensus among Council members) and notes,[83][84] which are used to make declarations of intent that the full Security Council can then pursue.[84] The presidency of the Council is held by each of the members in turn for one month, following the English alphabetical order of the Member States’ names.[85]

The list of nations that will hold the Presidency in 2018 is as follows:[86]

Meeting locations

US President Barack Obama chairs a United Nations Security Council meeting

Unlike the General Assembly, the Security Council meets year-round. Each Security Council member must have a representative available at UN Headquarters at all times in case an emergency meeting becomes necessary.[87]

The Security Council generally meets in a designated chamber in the United Nations Conference Building in New York City, U.S. The chamber was designed by the Norwegian architect Arnstein Arneberg and was a gift from Norway. The mural painted by the Norwegian artist Per Krohg depicts a phoenix rising from its ashes, symbolic of the world’s rebirth after World War II.[88]

The Security Council has also held meetings in cities including Nairobi, Kenya; Addis Ababa, Ethiopia; Panama City, Panama; and Geneva, Switzerland.[87] In March 2010, the Security Council moved into a temporary facility in the General Assembly Building as its chamber underwent renovations as part of the UN Capital Master Plan.[89] The renovations were funded by Norway, the chamber’s original donor, for a total cost of US$5 million.[90] The chamber reopened on 16 April 2013.[91]

Consultation room

Because meetings in the Security Council Chamber are covered by the international press, proceedings are highly theatrical in nature. Delegates deliver speeches to justify their positions and attack their opponents, playing to the cameras and the audience at home. Delegations also stage walkouts to express their disagreement with actions of the Security Council.[92] Due to the public scrutiny of the Security Council Chamber,[93] all of the real work of the Security Council is conducted behind closed doors in “informal consultations”.[94][95]

In 1978, West Germany funded the construction of a conference room next to the Security Council Chamber. The room was used for “informal consultations”, which soon became the primary meeting format for the Security Council. In 1994, the French ambassador complained to the Secretary-General that “informal consultations have become the Council’s characteristic working method, while public meetings, originally the norm, are increasingly rare and increasingly devoid of content: everyone knows that when the Council goes into public meeting everything has been decided in advance”.[96] When Russia funded the renovation of the consultation room in 2013, the Russian ambassador called it “quite simply, the most fascinating place in the entire diplomatic universe”.[97]

Only members of the Security Council are permitted in the conference room for consultations. The press is not admitted, and other members of the United Nations cannot be invited into the consultations.[98] No formal record is kept of the informal consultations.[99][100] As a result, the delegations can negotiate with each other in secret, striking deals and compromises without having their every word transcribed into the permanent record. The privacy of the conference room also makes it possible for the delegates to deal with each other in a friendly manner. In one early consultation, a new delegate from a Communist nation began a propaganda attack on the United States, only to be told by the Soviet delegate, “We don’t talk that way in here.”[95]

A permanent member can cast a “pocket veto” during the informal consultation by declaring its opposition to a measure. Since a veto would prevent the resolution from being passed, the sponsor will usually refrain from putting the resolution to a vote. Resolutions are only vetoed if the sponsor feels so strongly about a measure that it wishes to force the permanent member to cast a formal veto.[94][101] By the time a resolution reaches the Security Council Chamber, it has already been discussed, debated, and amended in the consultations. The open meeting of the Security Council is merely a public ratification of a decision that has already been reached in private.[102][94] For example, Resolution 1373 was adopted without public debate in a meeting that lasted just five minutes.[94][103]

The Security Council holds far more consultations than public meetings. In 2012, the Security Council held 160 consultations, 16 private meetings, and 9 public meetings. In times of crisis, the Security Council still meets primarily in consultations, but it also holds more public meetings. After the outbreak of the Ukraine crisis in 2013, the Security Council returned to the patterns of the Cold War, as Russia and the Western countries engaged in verbal duels in front of the television cameras. In 2016, the Security Council held 150 consultations, 19 private meetings, and 68 public meetings.[104]

Subsidiary organs/bodies

Article 29 of the Charter provides that the Security Council can establish subsidiary bodies in order to perform its functions. This authority is also reflected in Rule 28 of the Provisional Rules of Procedure. The subsidiary bodies established by the Security Council are extremely heterogeneous. On the one hand, they include bodies such as the Security Council Committee on Admission of New Members. On the other hand, both the International Criminal Tribunal for the former Yugoslavia and the International Criminal Tribunal for Rwanda were also created as subsidiary bodies of the Security Council. The now numerous Sanctions Committees (see Category:United Nations Security Council sanctions regimes), established to oversee implementation of the various sanctions regimes, are also subsidiary bodies of the Council.

United Nations peacekeepers

Main articles: United Nations peacekeeping and List of United Nations peacekeeping missions

After approval by the Security Council, the UN may send peacekeepers to regions where armed conflict has recently ceased or paused to enforce the terms of peace agreements and to discourage combatants from resuming hostilities. Since the UN does not maintain its own military, peacekeeping forces are voluntarily provided by member states. These soldiers are sometimes nicknamed “Blue Helmets” for their distinctive gear.[105][106] The peacekeeping force as a whole received the Nobel Peace Prize in 1988.[107]

Bolivian “Blue Helmet” at an exercise in Chile

In September 2013, the UN had 116,837 peacekeeping soldiers and other personnel deployed on 15 missions. The largest was the United Nations Organization Stabilization Mission in the Democratic Republic of the Congo (MONUSCO), which included 20,688 uniformed personnel. The smallest, United Nations Military Observer Group in India and Pakistan (UNMOGIP), included 42 uniformed personnel responsible for monitoring the ceasefire in Jammu and Kashmir. Peacekeepers with the United Nations Truce Supervision Organization (UNTSO) have been stationed in the Middle East since 1948, the longest-running active peacekeeping mission.[108]

UN peacekeepers have also drawn criticism in several postings. Peacekeepers have been accused of child rape, soliciting prostitutes, or sexual abuse during various peacekeeping missions in the Democratic Republic of the Congo,[109] Haiti,[110] Liberia,[111] Sudan and what is now South Sudan,[112] Burundi and Ivory Coast.[113] Scientists cited UN peacekeepers from Nepal as the likely source of the 2010–2013 Haiti cholera outbreak, which killed more than 8,000 Haitians following the 2010 Haiti earthquake.[114]

The budget for peacekeeping is assessed separately from the main UN organisational budget; in the 2013–2014 fiscal year, peacekeeping expenditures totalled $7.54 billion.[108][115] UN peace operations are funded by assessments, using a formula derived from the regular funding scale, but including a weighted surcharge for the five permanent Security Council members. This surcharge serves to offset discounted peacekeeping assessment rates for less developed countries. In 2013, the top 10 providers of assessed financial contributions to United Nations peacekeeping operations were the US (28.38%), Japan (10.83%), France (7.22%), Germany (7.14%), the United Kingdom (6.68%), China (6.64%), Italy (4.45%), Russian Federation (3.15%), Canada (2.98%), and Spain (2.97%).[116]

Criticism and evaluations

Main article: Criticism of the United Nations

In examining the first sixty years of the Security Council’s existence, British historian Paul Kennedy concludes that “glaring failures had not only accompanied the UN’s many achievements, they overshadowed them”, identifying the lack of will to prevent ethnic massacres in Bosnia and Rwanda as particular failures.[117] Kennedy attributes the failures to the UN’s lack of reliable military resources, writing that “above all, one can conclude that the practice of announcing (through a Security Council resolution) a new peacekeeping mission without ensuring that sufficient armed forces will be available has usually proven to be a recipe for humiliation and disaster”.[118]

A 2005 RAND Corporation study found the UN to be successful in two out of three peacekeeping efforts. It compared UN nation-building efforts to those of the United States, and found that seven out of eight UN cases are at peace.[119] Also in 2005, the Human Security Report documented a decline in the number of wars, genocides and human rights abuses since the end of the Cold War, and presented evidence, albeit circumstantial, that international activism—mostly spearheaded by the UN—has been the main cause of the decline in armed conflict since the end of the Cold War.[120]

Scholar Sudhir Chella Rajan argued in 2006 that the five permanent members of the United Nations Security Council, who are all nuclear powers, have created an exclusive nuclear club that predominately addresses the strategic interests and political motives of the permanent members—for example, protecting the oil-rich Kuwaitis in 1991 but poorly protecting resource-poor Rwandans in 1994.[121] Since three of the five permanent members are also European, and three or four are predominantly white Western nations, the Security Council has been described as a pillar of global apartheid by Titus Alexander, former Chair of Westminster United Nations Association.[122]

The Security Council’s effectiveness and relevance are questioned by some because, in most high-profile cases, there are essentially no consequences for violating a Security Council resolution. During the Darfur crisis, Janjaweed militias, allowed by elements of the Sudanese government, committed violence against an indigenous population, killing thousands of civilians. In the Srebrenica massacre, Serbian troops committed genocide against Bosniaks, although Srebrenica had been declared a UN safe area, protected by 400 armed Dutch peacekeepers.[123]

The UN Charter gives all three powers of the legislative, executive, and judiciary branches to the Security Council.[124]

In his inaugural speech at the 16th Summit of the Non-Aligned Movement in August 2012, Ayatollah Ali Khamenei criticized the United Nations Security Council as having an “illogical, unjust and completely undemocratic structure and mechanism” and called for a complete reform of the body.[125]

The Security Council has been criticized for failure in resolving many conflicts, including Cyprus, Sri Lanka, Syria, Kosovo and the Israeli–Palestinian conflict, reflecting the wider shortcomings of the UN. For example, at the 68th Session of the UN General Assembly, New Zealand Prime Minister John Key heavily criticized the UN’s inaction on Syria, more than two years after the Syrian civil war began.[126]

Membership reform

Main article: Reform of the United Nations Security Council

The G4 nations: Brazil, Germany, India, Japan.

Uniting for Consensus core members

Proposals to reform the Security Council began with the conference that wrote the UN Charter and have continued to the present day. As British historian Paul Kennedy writes, “Everyone agrees that the present structure is flawed. But consensus on how to fix it remains out of reach.”[127]

There has been discussion of increasing the number of permanent members. The countries that have made the strongest demands for permanent seats are Brazil, Germany, India, and Japan. Japan and Germany, the main defeated powers in WWII, are now the UN’s second- and third-largest funders respectively, while Brazil and India are two of the largest contributors of troops to UN-mandated peacekeeping missions.

Italy, the third main defeated power in WWII and now the UN’s sixth-largest funder, leads a movement known as Uniting for Consensus (UfC) in opposition to the possible expansion of permanent seats. Core members of the group include Canada, South Korea, Spain, Indonesia, Mexico, Pakistan, Turkey, Argentina and Colombia. Their proposal is to create a new category of seats, still non-permanent, but elected for an extended duration (semi-permanent seats). As far as the traditional categories of seats are concerned, the UfC proposal implies no change beyond the introduction of small and medium-sized states among the groups eligible for regular seats. The proposal also addresses the veto, offering a range of options from its abolition to limiting its application to Chapter VII matters.

Former UN Secretary-General Kofi Annan asked a team of advisers to come up with recommendations for reforming the United Nations by the end of 2004. One proposed measure is to increase the number of permanent members by five, which, in most proposals, would include Brazil, Germany, India, and Japan (known as the G4 nations), one seat from Africa (most likely Egypt, Nigeria or South Africa), and/or one seat from the Arab League.[128] On 21 September 2004, the G4 nations issued a joint statement mutually backing each other’s claim to permanent status, together with two African countries. Currently the proposal has to be accepted by two-thirds of the General Assembly (128 votes).

The permanent members, each holding the right of veto, announced their positions on Security Council reform reluctantly. The United States has unequivocally supported the permanent membership of Japan and lent its support to India and a small number of additional non-permanent members. The United Kingdom and France essentially supported the G4 position, with the expansion of permanent and non-permanent members and the accession of Germany, Brazil, India and Japan to permanent member status, as well as an increased presence of African countries on the Council. China has supported stronger representation of developing countries and firmly opposed Japan’s membership.[129]

In 2017, it was reported that the G4 nations were willing to temporarily forgo veto power if granted permanent UNSC seats.[130] In September 2017, U.S. Representatives Ami Bera and Frank Pallone introduced a resolution (H.Res.535) in the US House of Representatives (115th United States Congress), seeking support for India for a permanent membership of the United Nations Security Council.[131]

See also

  • United Nations portal
  • Reform of the United Nations
  • United Nations Department of Political Affairs, provides secretarial support to the Security Council
  • United Nations Security Council Counter-Terrorism Committee, a standing committee of the Security Council

Notes

  • ^ This figure and the figures that follow exclude vetoes cast to block candidates for Secretary-General, as these occur in closed session; 43 such vetoes have occurred.[71]
References

Citations

  • ^ “Article 7 (1) of Charter of the United Nations”. 
  • ^ “Article 24 (1) of Charter of the United Nations”. 
  • ^ “Article 4 (2) of Charter of the United Nations”. 
  • ^ “Article 108 of Charter of the United Nations”. 
  • ^ “Article 23 (1) of Charter of the United Nations”. 
  • ^ “Peacekeeping Fact Sheet”. United Nations. 30 April 2016. Retrieved 20 June 2016. 
  • ^ Kennedy 2006, p. 5.
  • ^ Kennedy 2006, p. 8.
  • ^ Kennedy 2006, p. 10.
  • ^ Kennedy 2006, pp. 13–24.
  • ^ Hoopes & Brinkley 2000, pp. 1–55.
  • ^ “Declaration by United Nations”. United Nations. Retrieved 1 July 2015. 
  • ^ Osmańczyk 2004, p. 2445.
  • ^ Urquhart, Brian. “Looking for the Sheriff”. New York Review of Books, July 16, 1998.
  • ^ Gaddis 2000.
  • ^ Video: Allies Study Post-War Security Etc. (1944). Universal Newsreel. 1944. Retrieved November 28, 2014. 
  • ^ Meisler 1995, p. 9.
  • ^ Meisler 1995, pp. 10–13.
  • ^ a b c d “Milestones in United Nations History”. Department of Public Information, United Nations. Retrieved 22 November 2013. 
  • ^ Schlesinger 2003, p. 196.
  • ^ Meisler 1995, pp. 18–19.
  • ^ “What is the Security Council?”. United Nations. Retrieved 24 November 2013. 
  • ^ Meisler 1995, p. 35.
  • ^ Meisler 1995, pp. 58–59.
  • ^ Meisler 1995, p. 114.
  • ^ Kennedy 2006, pp. 38, 55–56.
  • ^ a b c “Charter of the United Nations: Chapter VII: Action with Respect to Threats to the Peace, Breaches of the Peace, and Acts of Aggression”. United Nations. Retrieved 26 November 2013. 
  • ^ Meisler 1995, pp. 115–134.
  • ^ Kennedy 2006, pp. 61–62.
  • ^ Meisler 1995, pp. 156–157.
  • ^ Kennedy 2006, p. 59.
  • ^ a b Meisler 1995, pp. 195–197.
  • ^ Meisler 1995, pp. 167–168, 224–225.
  • ^ Meisler 1995, p. 286.
  • ^ Fasulo 2004, p. 43; Meisler 1995, p. 334.
  • ^ Meisler 1995, pp. 252–256.
  • ^ Meisler 1995, pp. 264–277.
  • ^ Meisler 1995, p. 334.
  • ^ Kennedy 2006, pp. 66–67.
  • ^ For quotation “worldwide ridicule”, see Meisler 1995, p. 293; for description of UN missions in Bosnia, see Meisler 1995, pp. 312–329.
  • ^ Kennedy 2006, p. 104.
  • ^ Kennedy 2006, pp. 110–111.
  • ^ Kennedy 2006, p. 111.
  • ^ “UN failed during final days of Lankan ethnic war: Ban Ki-moon”. FirstPost. Press Trust of India. 25 September 2013. Retrieved 5 November 2013. 
  • ^ “UNODA – Non-Proliferation of Nuclear Weapons (NPT)”. un.org. 
  • ^ “Charter of the United Nations: Chapter II: Membership”. United Nations. Retrieved 26 November 2013. 
  • ^ “Charter of the United Nations: Chapter V: The Security Council”. United Nations. Retrieved 9 June 2012. 
  • ^ Fasulo 2004, p. 46.
  • ^ “Charter of the United Nations: Chapter VI: Pacific Settlement of Disputes”. United Nations. Retrieved 26 November 2013. 
  • ^ See Fomerand 2009, p. 287; Hillier 1998, p. 568; Köchler 2001, p. 21; Matthews 1993, p. 130; Neuhold 2001, p. 66. For lack of enforcement mechanism, see Magliveras 1999, p. 113.
  • ^ Zunes 2004, p. 291.
  • ^ Kennedy 2006, pp. 56–57.
  • ^ “Security Council Approves ‘No-Fly Zone’ Over Libya, Authorizing ‘All Necessary Measures’ to Protect Civilians, by Vote of 10 in Favour with 5 Abstentions”. United Nations. 17 March 2011. Retrieved 26 November 2013. 
  • ^ a b Fomerand 2009, p. 287.
  • ^ Fasulo 2004, p. 39.
  • ^ Article 13 of the Rome Statute. United Nations. Retrieved 26 November 2013.
  • ^ “Security Council Refers Situation in Darfur, Sudan, To Prosecutor of International Criminal Court” (Press release). United Nations Security Council. 31 March 2006. Retrieved 14 March 2007. 
  • ^ Wadhams, Nick (2 April 2005). “Bush relents to allow UN vote on Sudan war crimes”. Sydney Morning Herald. Retrieved 27 November 2013. 
  • ^ Gray-Block, Aaron and Greg Roumeliotis (27 February 2011). “Q+A: How will the world’s war crimes court act on Libya?”. Reuters. Retrieved 26 November 2013. 
  • ^ “Resolution 1674 (2006)”. UN Security Council via Refworld. Retrieved 26 November 2013. 
  • ^ Mikulaschek 2010, p. 20.
  • ^ Mikulaschek 2010, p. 49.
  • ^ a b c Fasulo 2004, pp. 40–41.
  • ^ Blum 1992.
  • ^ Permanent members of the United Nations Security Council
  • ^ Kennedy 2006, p. 70.
  • ^ a b “SIPRI Military Expenditure Database”. Stockholm International Peace Research Institute. Retrieved 26 November 2013. 
  • ^ Nichols, Michelle (27 July 2012). “United Nations fails to agree landmark arms-trade treaty”. Reuters. Retrieved 26 November 2013. 
  • ^ Medalia, Jonathan (14 November 1996). “92099: Nuclear Weapons Testing and Negotiation of a Comprehensive Test Ban Treaty”. Global Security. Retrieved 26 November 2013. 
  • ^ Global Policy Forum (2008): “Changing Patterns in the Use of the Veto in the Security Council”. Retrieved 25 August 2008.
  • ^ a b c “Changing Patterns in the Use of the Veto in The Security Council” (PDF). Global Policy Forum. Retrieved 26 November 2013. 
  • ^ Wilcox 1945.
  • ^ Kennedy 2006, pp. 52–54.
  • ^ “U.N. Security Council Briefing On The U.S. Air Strike In Syria”. Time (magazine), on YouTube.
  • ^ “The UN Security Council”. United Nations Foundation. Retrieved 15 May 2012. 
  • ^ a b “Current Members”. United Nations. Retrieved 4 January 2016. 
  • ^ a b “Special Research Report No. 4: Security Council Elections 2011”. Security Council Report. 21 September 2011. Retrieved 8 June 2012. 
  • ^ “Charter of the United Nations: Chapter V: The Security Council”. United Nations. Retrieved 26 November 2013. 
  • ^ Malone, David (25 October 2003). “Reforming the Security Council: Where Are the Arabs?”. The Daily Star. Beirut. Retrieved 3 January 2011. 
  • ^ “General Assembly Elects 4 New Non-permanent Members to Security Council, as Western and Others Group Fails to Fill Final Vacancy”. United Nations. Retrieved 9 August 2016. 
  • ^ “Elected to Security Council in Single Round of General Assembly Voting, Italy Says It Will Cede Non-Permanent Seat to Netherlands after 1 Year”. United Nations. Retrieved 9 August 2016. 
  • ^ “General Assembly Elects 4 New Non-permanent Members to Security Council, as Western and Others Group Fails to Fill Final Vacancy”. United Nations. Retrieved 9 August 2016. 
  • ^ “Notes by the president of the Security Council”. United Nations. Retrieved 9 June 2012. 
  • ^ a b “UN Security Council: Presidential Statements 2008”. United Nations. Retrieved 9 June 2012. 
  • ^ “Security Council Presidency in 2011 – United Nations Security Council”. United Nations. Retrieved 9 June 2012. 
  • ^ “Security Council Presidency in 2017”. United Nations Security Council. United Nations. Retrieved 1 January 2017. 
  • ^ a b “What is the Security Council?”. United Nations. Retrieved 26 November 2013. 
  • ^ “The Security Council”. United Nations Cyberschoolbus. United Nations. Retrieved 14 September 2012.
  • ^ “UN Capital Master Plan Timeline”. United Nations. Retrieved 29 September 2013. 
  • ^ “An unrecognizable Security Council Chamber”. Norway Mission to the UN. 28 August 2012. Retrieved 29 September 2013. 
  • ^ “Secretary-General, at inauguration of renovated Security Council Chamber, says room speaks ‘language of dignity and seriousness’”. United Nations. 16 April 2013. Retrieved 26 November 2013. 
  • ^ Haidar, Suhasini (1 September 2015). “India’s walkout from UNSC was a turning point: Natwar”. The Hindu. According to Mr. Singh, posted at India’s permanent mission at the U.N. then, 1965 was a “turning point” for the U.N. on Kashmir, and a well-planned “walkout” from the U.N. Security Council by the Indian delegation as a protest against Pakistani Foreign Minister (and later PM) Zulfikar Ali Bhutto’s speech ensured Kashmir was dropped from the UNSC agenda for all practical purposes. 
  • ^ Hovell, Devika (2016). The Power of Process: The Value of Due Process in Security Council Sanctions Decision-making. Oxford University Press. p. 145. ISBN 9780198717676. 
  • ^ a b c d De Wet, Erika; Nollkaemper, André; Dijkstra, Petra, eds. (2003). Review of the Security Council by member states. Antwerp: Intersentia. pp. 31–32. ISBN 9789050953078. 
  • ^ a b Bosco, David L. (2009). Five to Rule Them All: the UN Security Council and the Making of the Modern World. Oxford: Oxford University Press. pp. 138–139. ISBN 9780195328769. 
  • ^ Elgebeily, Sherif (2017). The Rule of Law in the United Nations Security Council Decision-Making Process: Turning the Focus Inwards. pp. 54–55. ISBN 9781315413440. 
  • ^ Sievers, Loraine; Daws, Sam (2014). The Procedure of the UN Security Council (4 ed.). Oxford: Oxford University Press. ISBN 9780191508431. 
  • ^ “Security Council Handbook Glossary”. United Nations Security Council. “Consultations of the whole” are consultations held in private with all 15 Council members present. Such consultations are held in the Consultations Room, are announced in the UN Journal, have an agreed agenda and interpretation, and may involve one or more briefers. The consultations are closed to non-Council Member States. “Informal consultations” mostly refer to “consultations of the whole”, but in different contexts may also refer to consultations among the 15 Council members or only some of them held without a Journal announcement and interpretation. 
  • ^ “United Nations Security Council Meeting records”. Retrieved 10 February 2017. The preparatory work for formal meetings is conducted in informal consultations for which no public record exists. 
  • ^ “Frequently Asked Questions”. United Nations Security Council. Both open and closed meetings are formal meetings of the Security Council. Closed meetings are not open to the public and no verbatim record of statements is kept, instead the Security Council issues a Communiqué in line with Rule 55 of its Provisional Rules of Procedure. Consultations are informal meetings of the Security Council members and are not covered in the Repertoire. 
  • ^ “The Veto” (PDF). Security Council Report. 2015 (3). 19 October 2015. 
  • ^ Reid, Natalie (January 1999). “Informal Consultations”. Global Policy Forum. 
  • ^ “Meeting record, Security Council, 4385th meeting”. United Nations Repository. United Nations. 28 September 2001. S/PV.4385. 
  • ^ “Highlights of Security Council Practice 2016”. Unite. United Nations. Retrieved 10 February 2017. 
  • ^ Fasulo 2004, p. 52.
  • ^ Coulon 1998, p. ix.
  • ^ Nobel Prize. “The Nobel Peace Prize 1988”. Retrieved 3 April 2011. 
  • ^ a b “United Nations Peacekeeping Operations”. United Nations. 30 September 2013. Retrieved 9 November 2013. 
  • ^ Lynch, Colum (16 December 2004). “U.N. Sexual Abuse Alleged in Congo”. The Washington Post. Retrieved 21 November 2013. 
  • ^ “UN troops face child abuse claims”. BBC News. 30 November 2006. Retrieved 21 November 2013. 
  • ^ “Aid workers in Liberia accused of sex abuse”. The New York Times. 8 May 2006. Retrieved 22 November 2013. 
  • ^ Holt, Kate (4 January 2007). “UN staff accused of raping children in Sudan”. The Telegraph. Retrieved 21 November 2013. 
  • ^ “Peacekeepers ‘abusing children'”. BBC. 28 May 2007. Retrieved 21 November 2013. 
  • ^ Watson, Ivan and Joe Vaccarello (10 October 2013). “U.N. sued for ‘bringing cholera to Haiti’, causing outbreak that killed thousands”. CNN. Retrieved 18 November 2013. 
  • ^ Fasulo 2004, p. 115.
  • ^ “Financing of UN Peacekeeping Operations”. United Nations. Retrieved 9 November 2013. 
  • ^ Kennedy 2006, pp. 101–103, 110.
  • ^ Kennedy 2006, p. 110.
  • ^ RAND Corporation. “The UN’s Role in Nation Building: From the Congo to Iraq” (PDF). Retrieved 30 December 2008. 
  • ^ Human Security Centre. “The Human Security Report 2005”. Archived from the original on 28 July 2009. Retrieved 8 February 2007. 
  • ^ Rajan, Sudhir Chella (2006). “Global Politics and Institutions” (PDF). GTI Paper Series: Frontiers of a Great Transition. Tellus Institute. 3. Retrieved 11 December 2011. 
  • ^ Alexander 1996, pp. 158–160.
  • ^ Deni 2007, p. 71: “As Serbian forces attacked Srebrenica in July 1995, the [400] Dutch soldiers escorted women and children out of the city, leaving behind roughly 7,500 Muslim men who were subsequently massacred by the attacking Serbs.”
  • ^ Creery, Janet (2004). “Read the fine print first”. Peace Magazine (Jan–Feb 1994): 20. Retrieved 11 December 2011. 
  • ^ “Supreme Leader’s Inaugural Speech at 16th NAM Summit”. Non-Aligned Movement News Agency. Retrieved 31 August 2012.
  • ^ Key compromises on UN Syria deal. 3 News NZ. 28 September 2013.
  • ^ Kennedy 2006, p. 76.
  • ^ “UN Security Council Reform May Shadow Annan’s Legacy”. Voice of America. 1 November 2006. Retrieved 11 December 2011. 
  • ^ “US embassy cables: China reiterates ‘red lines'”. The Guardian. 29 November 2010. Retrieved 11 December 2011. [I]t would be difficult for the Chinese public to accept Japan as a permanent member of the UNSC. 
  • ^ “India Offers To Temporarily Forgo Veto Power If Granted Permanent UNSC Seat”. The Huffington Post. Retrieved 9 March 2017. 
  • ^ “US congressmen move resolution in support of India’s UN security council claim”. Hindustan Times. Retrieved 30 September 2017. 
Sources

    • Alexander, Titus (1996). Unravelling Global Apartheid: An Overview of World Politics. Cambridge, Massachusetts: Polity Press. ISBN 978-0-7456-1353-6. 
    • Blum, Yehuda Z. (1992). “Russia Takes Over the Soviet Union’s Seat at the United Nations” (PDF). European Journal of International Law. 3 (2): 354–362. Retrieved 8 February 2016. 
    • Coulon, Jocelyn (1998). Soldiers of Diplomacy: The United Nations, Peacekeeping, and the New World Order. University of Toronto Press. ISBN 978-0-8020-0899-2. 
    • Deni, John R. (2007). Alliance Management and Maintenance: Restructuring NATO for the 21st Century. Aldershot, England: Ashgate Publishing. ISBN 978-0-7546-7039-1. 
    • Fasulo, Linda (2004). An Insider’s Guide to the UN. New Haven, Connecticut: Yale University Press. ISBN 978-0-300-10155-3. 
    • Fomerand, Jacques (2009). The A to Z of the United Nations. Lanham, Maryland: Scarecrow Press. ISBN 978-0-8108-5547-2. 
    • Gaddis, John Lewis (2000) [1972]. The United States and the Origins of the Cold War, 1941–1947. New York: Columbia University Press. ISBN 978-0-231-12239-9. 
    • Hillier, Timothy (1998). Sourcebook on Public International Law. Sourcebook Series. London: Cavendish Publishing. ISBN 978-1-85941-050-9. 
    • Hoopes, Townsend; Brinkley, Douglas (2000) [1997]. FDR and the Creation of the U.N. New Haven, Connecticut: Yale University Press. ISBN 978-0-300-08553-2. 
    • Kennedy, Paul (2006). The Parliament of Man: The Past, Present, and Future of the United Nations. New York: Random House. ISBN 978-0-375-50165-4. 
    • Köchler, Hans (2001). The Concept of Humanitarian Intervention in the Context of Modern Power: Is the Revival of the Doctrine of “Just War” Compatible with the International Rule of Law?. Studies in International Relations. 26. Vienna: International Progress Organization. ISBN 978-3-90070420-9. 
    • Magliveras, Konstantinos D. (1999). Exclusion from Participation in International Organisations: The Law and Practice behind Member States’ Expulsion and Suspension of Membership. Studies and Materials on the Settlement of International Disputes. 5. The Hague: Kluwer Law International. ISBN 978-904111239-2. 
    • Manchester, William; Reid, Paul (2012). The Last Lion: Winston Spencer Churchill. Volume 3: Defender of the Realm. New York: Little Brown and Company. ISBN 978-0-316-54770-3. 
    • Matthews, Ken (1993). The Gulf Conflict and International Relations. London: Routledge. ISBN 978-0-415-07519-0. 
    • Meisler, Stanley (1995). United Nations: The First Fifty Years. New York: Atlantic Monthly Press. 
    • Mikulaschek, Christoph (2010). “Report from the 39th International Peace Institute Vienna Seminar on Peacemaking and Peacekeeping”. In Winkler, Hans; Rød-Larsen, Terje; Mikulaschek, Christoph. The UN Security Council and the Responsibility to Protect: Policy, Process, and Practice (PDF). Favorita Papers. Diplomatic Academy of Vienna. pp. 20–49. ISBN 978-3-902021-67-0. Retrieved 8 February 2016. 
    • Mires, Charlene (2013). Capital of the World: The Race to Host the United Nations. New York University Press. ISBN 978-0-8147-0794-4. 
    • Neuhold, Hanspeter (2001). “The United Nations System for the Peaceful Settlement of International Disputes”. In Cede, Frank; Sucharipa-Behrmann, Lilly. The United Nations: Law and Practice. The Hague: Kluwer Law International. ISBN 978-904111563-8. 
    • Osmańczyk, Edmund Jan (2004). Mango, Anthony, ed. Encyclopedia of the United Nations and International Agreements. 4. Taylor & Francis. ISBN 978-0-415-93924-9. 
    • Schlesinger, Stephen C. (2003). Act of Creation: The Founding of the United Nations: A Story of Super Powers, Secret Agents, Wartime Allies and Enemies, and Their Quest for a Peaceful World. Boulder, Colorado: Westview Press. ISBN 978-0-8133-3324-3. 
    • Wilcox, Francis O. (1945). “The Yalta Voting Formula”. American Political Science Review. 39 (5): 943–956. doi:10.2307/1950035. ISSN 0003-0554. JSTOR 1950035. (Subscription required.) 
    • Zunes, Stephen (2004). “International Law, the UN and Middle Eastern Conflicts”. Peace Review: A Journal of Social Justice. 16 (3): 285–292. doi:10.1080/1040265042000278513. ISSN 1040-2659. (Subscription required.) 

Further reading

    • Bailey, Sydney D.; Daws, Sam (1998). The Procedure of the UN Security Council (3rd ed.). Oxford University Press. ISBN 978-0-19-828073-6. 
    • Bosco, David L. (2009). Five to Rule Them All: The UN Security Council and the Making of the Modern World. New York: Oxford University Press. ISBN 978-0-19-532876-9. 
    • Cockayne, James; Mikulaschek, Christoph; Perry, Chris (2010). The United Nations Security Council and Civil War: First Insights from a New Dataset. New York: International Peace Institute. Retrieved 8 February 2016. 
    • Grieger, Gisela (2013). Reform of the UN Security Council (PDF). Library of the European Parliament. Retrieved 8 February 2016. 
    • Hannay, David (2008). New World Disorder: The UN after the Cold War – An Insider’s View. London: I.B. Tauris. ISBN 978-1-84511-719-1. 
    • Hurd, Ian (2007). After Anarchy: Legitimacy and Power in the United Nations Security Council. Princeton, New Jersey: Princeton University Press. ISBN 978-0-691-12866-5. 
    • Köchler, Hans (1991). The Voting Procedure in the United Nations Security Council: Examining a Normative Contradiction in the UN Charter and its Consequences on International Relations (PDF). Studies in International Relations. 17. Vienna: International Progress Organization. ISBN 978-3-90070410-0. 
    • Lowe, Vaughan; Roberts, Adam; Welsh, Jennifer; Zaum, Dominik, eds. (2008). The United Nations Security Council and War: The Evolution of Thought and Practice since 1945. Oxford University Press. ISBN 978-0-19-953343-5. 
    • Malone, David (1998). Decision-Making in the UN Security Council: The Case of Haiti, 1990–1997. Oxford: Clarendon Press. ISBN 978-0-19-829483-2. 
    • Matheson, Michael J. (2006). Council Unbound: The Growth of UN Decision Making on Conflict and Postconflict Issues after the Cold War. Washington: US Institute of Peace Press. ISBN 978-1-929223-78-7. 
    • Roberts, Adam; Zaum, Dominik (2008). Selective Security: War and the United Nations Security Council since 1945. Adelphi Paper. 395. Abingdon, England: Routledge. ISBN 978-0-415-47472-6. ISSN 0567-932X. 
    • Vreeland, James; Dreher, Axel (2014). The Political Economy of the United Nations Security Council: Money and Influence. Cambridge, England: Cambridge University Press. ISBN 978-0-521-51841-3. 

    External links[edit]

    • Official website
    • UN Security Council Research Guide
    • Global Policy Forum – UN Security Council
    • Security Council Report — information and analysis on the Council’s activities
    • Center for UN Reform Education – information on current reform issues at the United Nations
    • UN Democracy: hyperlinked transcripts of the United Nations General Assembly and the Security Council

    Members / observers

    • Full members
    • Founding members
      • UNSC Permanent members
    • Observers
      • European Union

    History

    • League of Nations
    • Four Policemen
    • Declaration by United Nations
    • Peacekeeping missions
      • history
      • timeline
    • Enlargement

    Resolutions

    • Security Council vetoes
    • General Assembly
      • 66th
      • 67th
    • Security Council
      • Cyprus
      • Iran
      • Iraq
      • Israel
      • Lebanon
      • Nagorno-Karabakh
      • North Korea
      • Palestine
      • Syria
      • Western Sahara

    Elections

    • Secretary-General (2006
    • 2016)
    • International Court of Justice 2011
    • General Assembly President (2012
    • 2016)
    • Security Council (2015
    • 2016)

    Related

    • Bretton Woods system
    • Comprehensive Nuclear-Test-Ban Treaty
    • Criticism
    • Delivering as One
    • Flag
      • Honour Flag
    • Four Nations Initiative
    • Genocide Convention
    • UN Global Compact
    • ICC
    • International Decade for a Culture of Peace and Non-Violence for the Children of the World
    • International Years
    • UN laissez-passer
    • Military Staff Committee
    • Official languages
    • Organisation for the Prohibition of Chemical Weapons
    • Peacekeeping
    • Treaty Series
    • UN Day
    • Universal Declaration of Human Rights
    • Millennium Declaration
      • Summit
      • Development Goals
    • Security Council veto power
    • UN reform
      • Security Council reform
    • UN Art Collection
    • UN Memorial Cemetery Korea

    Other

    • Outline
    • UN television film series (1964–1966)
    • In popular culture
    • Category


    Nothing to Hide – The documentary about surveillance and you (2017)

    "Eye-opening" (Forbes), "Passionating" (Les Inrocks), "Very intriguing … terrifying flick" (France 24).
    Also available with subtitles in French, German, Spanish, Italian and Portuguese here: https://vimeo.com/nothingtohide.
    NOTHING TO HIDE (2017) is an independent documentary about surveillance and its acceptance by the general public through the "I have nothing to hide" argument.
    Creative Commons release (Oct. 2017).
    Foreword: The film is released online free of charge. Its production nevertheless had a cost; feel free to make a donation if you want to support the film: https://www.leetchi.com/c/project-nothing-to-hide.
    About the Creative Commons license:
    The Creative Commons – Attribution – Non Commercial – No Derivatives (CC-BY-NC-ND) license allows you:
    – to share and watch the film for free in four languages (English, French, German, Spanish), provided you credit the authors and share the link to the website (https://nothingtohidedoc.wordpress.com/).
    – to organise a public screening without paying any royalties, as long as entry to the screening is free and open to everyone.
    – For commercial screenings (with an entrance fee, an annual fee, or restricted to particular audiences, e.g. conferences) and for broadcasting, contact the authors via the website (https://nothingtohidedoc.wordpress.com/).
    – You are welcome to make a donation to help pay for the production of the film and its upcoming follow-up.

    Transport Layer Security

    Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now deprecated by the Internet Engineering Task Force (IETF)[1] – are cryptographic protocols that provide communications security over a computer network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers.

    The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer applications.[2]:3 When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:

    • The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see § TLS handshake). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see § Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
    • The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
    • The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.[2]:3

    In addition to the properties above, careful configuration of TLS can provide additional privacy-related properties such as forward secrecy, ensuring that any future disclosure of encryption keys cannot be used to decrypt any TLS communications recorded in the past.[3]

    TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity (see § Algorithm below). As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the § Key exchange (authentication), § Cipher security, and § Data integrity tables).

    Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats (see § Security). Developers of web browsers have also revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).[4]

    The TLS protocol comprises two layers: the TLS record and the TLS handshake protocols.

    TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999 and updated in RFC 5246 (August 2008) and RFC 6176 (March 2011). It builds on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications[5] for adding the HTTPS protocol to their Navigator web browser.

    Description[edit]

    Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering.

    Since applications can communicate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection.[6] One of the main ways of achieving this is to use a different port number for TLS connections, for example port 443 for HTTPS. Another mechanism is for the client to make a protocol-specific request to the server to switch the connection to TLS; for example, by making a STARTTLS request when using the mail and news protocols.

    Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure.[7] The protocols use a handshake with an asymmetric cipher to establish not only cipher settings but also a session-specific shared key with which further communication is encrypted using a symmetric cipher. During this handshake, the client and server agree on various parameters used to establish the connection’s security:

    • The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and the client presents a list of supported cipher suites (ciphers and hash functions).
    • From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
    • The server usually then provides identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) that vouches for the authenticity of the certificate, and the server’s public key.
    • The client confirms the validity of the certificate before proceeding.
    • To generate the session keys used for the secure connection, the client either:
      • encrypts a random number with the server’s public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session
      • uses Diffie–Hellman key exchange to securely generate a random and unique session key for encryption and decryption that has the additional property of forward secrecy: if the server’s private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.

    This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS handshake fails and the connection is not created.
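    The first handshake message described above, the ClientHello, is what a server, a network sensor, or an intercepting proxy sees before any key is agreed, so being able to build and parse one is useful both for testing and for detection. The following is an added example and not code from the original page: a minimal builder and a fail-closed parser for a ClientHello record (record header, handshake header, version, random, cipher-suite list, SNI extension). The hostname `example.test`, the fixed random value and the suite selection are constructed sample data; the cipher-suite code points are the IANA registry values. The parser also reports whether the client offered a static-RSA suite (no forward secrecy) and whether it carried TLS_FALLBACK_SCSV, the downgrade signal discussed under POODLE below.

```python
import struct

# IANA cipher suite code points used by the constructed sample (values from the TLS registry).
TLS_AES_128_GCM_SHA256 = 0x1301                 # TLS 1.3 suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F  # forward-secret TLS 1.2 suite
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F           # static RSA key transport: no forward secrecy
TLS_FALLBACK_SCSV = 0x5600                      # RFC 7507 downgrade-protection signal
STATIC_RSA_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str, suites, client_random: bytes) -> bytes:
    """Wrap a ClientHello (RFC 5246 section 7.4.1.2 layout) in a handshake record."""
    name = hostname.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type host_name(0)
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03"                                       # client_version: TLS 1.2 on the wire
        + client_random                                   # 32 bytes of client randomness
        + b"\x00"                                         # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                     # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def _take(buf: bytes, pos: int, n: int):
    """Slice n bytes at pos or fail closed; never index past untrusted input."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_client_hello(record: bytes) -> dict:
    """Extract version, random, offered suites and SNI from a ClientHello record."""
    header, pos = _take(record, 0, 5)
    if header[0] != 0x16:
        raise ValueError("not a handshake record")
    if struct.unpack("!H", header[3:5])[0] != len(record) - 5:
        raise ValueError("record length mismatch")
    hs_header, pos = _take(record, pos, 4)
    if hs_header[0] != 0x01 or int.from_bytes(hs_header[1:4], "big") != len(record) - 9:
        raise ValueError("not a well-formed ClientHello")
    version, pos = _take(record, pos, 2)
    random, pos = _take(record, pos, 32)
    sid_len, pos = _take(record, pos, 1)
    _, pos = _take(record, pos, sid_len[0])
    cs_len, pos = _take(record, pos, 2)
    cs_bytes, pos = _take(record, pos, struct.unpack("!H", cs_len)[0])
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, len(cs_bytes) - 1, 2)]
    comp_len, pos = _take(record, pos, 1)
    _, pos = _take(record, pos, comp_len[0])
    sni = None
    if pos < len(record):                                   # extensions are optional
        ext_len, pos = _take(record, pos, 2)
        ext_bytes, pos = _take(record, pos, struct.unpack("!H", ext_len)[0])
        epos = 0
        while epos + 4 <= len(ext_bytes):
            etype, elen = struct.unpack("!HH", ext_bytes[epos:epos + 4])
            edata, epos = _take(ext_bytes, epos + 4, elen)
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("idna")
    return {
        "version": struct.unpack("!H", version)[0],
        "random": random,
        "cipher_suites": suites,
        "sni": sni,
        "static_rsa_offered": any(s in STATIC_RSA_SUITES for s in suites),
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


# Constructed sample (not a capture): a client for example.test offering a TLS 1.3 suite,
# a forward-secret TLS 1.2 suite and a legacy static-RSA suite; fixed random for reproducibility.
SAMPLE_HELLO = build_client_hello(
    "example.test",
    [TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA],
    bytes(range(32)),
)

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
```

    Every length field is checked against the bytes actually present before it is used, and the parser raises rather than reading past the end of a short record; that is the property a sensor or proxy needs, since the ClientHello arrives from an unauthenticated peer. Only the SNI extension is decoded here; the same loop structure accepts any other extension type.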

    TLS and SSL do not fit neatly into any single layer of the OSI model or the TCP/IP model.[8][9] TLS runs “on top of some reliable transport protocol (e.g., TCP),”[10] which would imply that it is above the transport layer. It serves encryption to higher layers, which is normally the function of the presentation layer. However, applications generally use TLS as if it were a transport layer,[8][9] even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.[10]

    History and development[edit]

    Secure Network Programming[edit]

    Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting pre-existing network applications with security measures.[11]

    SSL 1.0, 2.0, and 3.0[edit]

    Netscape developed the original SSL protocols.[12][13] Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, contained a number of security flaws which necessitated the design of version 3.0.[14][12] Released in 1996, SSL version 3.0 represented a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Consensus Development. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.

    Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, has been described as the “father of SSL”.[15][16]

    In 2014, SSL 3.0 was found to be vulnerable to the POODLE attack that affects all block ciphers in SSL; RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[17]

    SSL 2.0 was prohibited in 2011 by RFC 6176, and SSL 3.0 was also later prohibited in June 2015 by RFC 7568.

    TLS 1.0[edit]

    TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.[18]:1–2

    The PCI Council suggests that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.[19]

    TLS 1.1[edit]

    TLS 1.1 was defined in RFC 4346 in April 2006.[20] It is an update from TLS version 1.0. Significant differences in this version include:

    • Added protection against cipher-block chaining (CBC) attacks.
      • The implicit initialization vector (IV) was replaced with an explicit IV.
      • Change in handling of padding errors.
    • Support for IANA registration of parameters.[18]:2

    TLS 1.2[edit]

    TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences include:

    • The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher suite specified PRFs.
    • The MD5-SHA-1 combination in the finished message hash was replaced with SHA-256, with an option to use cipher suite specific hash algorithms. However, the size of the hash in the finished message must still be at least 96 bits.[21]
    • The MD5-SHA-1 combination in the digitally signed element was replaced with a single hash negotiated during handshake, which defaults to SHA-1.
    • Enhancement in the client’s and server’s ability to specify which hashes and signature algorithms they accept.
    • Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of Advanced Encryption Standard (AES) encryption.
    • TLS Extensions definition and AES cipher suites were added.[18]:2

    All TLS versions were further refined in RFC 6176 in March 2011, removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

    TLS 1.3[edit]

    As of 21 March 2018, TLS 1.3 was an Internet Draft[22][23] approved for publication as a Proposed Standard.[24] It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:

    • Separating key agreement and authentication algorithms from the cipher suites.
    • Removing support for weak and lesser-used named elliptic curves
    • Removing support for MD5 and SHA-224 cryptographic hash functions
    • Requiring digital signatures even when a previous configuration is used
    • Integrating HKDF and the semi-ephemeral DH proposal
    • Replacing resumption with PSK and tickets
    • Supporting 1-RTT handshakes and initial support for 0-RTT
    • Mandating Perfect Forward Secrecy, by means of using ephemeral keys during the (EC)DH key agreement.
    • Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, non-PFS key exchange (among which static RSA and static DH key exchanges), custom DHE groups, EC point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
    • Prohibiting SSL or RC4 negotiation for backwards compatibility
    • Integrating use of session hash
    • Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
    • Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
    • Addition of the ChaCha20 stream cipher with the Poly1305 message authentication code
    • Addition of the Ed25519 and Ed448 digital signature algorithms
    • Addition of the x25519 and x448 key exchange protocols

    Network Security Services (NSS), the cryptography library developed by Mozilla and used by its web browser Firefox, enabled TLS 1.3 by default in February 2017.[25] TLS 1.3 was added to Firefox 52.0, which was released in March 2017, but it was disabled by default due to compatibility issues for some users.[26] It has been enabled by default since Firefox 60.0.[27]

    Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as Blue Coat web proxies.[28]

    Pale Moon enabled the use of TLS 1.3 as of version 27.4, released in July 2017.[29] During the IETF 100 Hackathon, which took place in Singapore, the TLS group worked on adapting open-source applications to use TLS 1.3.[30][31] The TLS group was made up of individuals from Japan, the United Kingdom, and Mauritius via the hackers.mu team.[31] During the IETF 101 Hackathon, which took place in London, more work was done on application support for TLS 1.3.[32]

    Digital certificates[edit]

    Main article: Public key certificate

    A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key.

    Certificate authorities[edit]

    Main article: Certificate authority

    TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,[33] and can be modified by the relying party.

    According to Netcraft, which monitors active TLS certificates, the market-leading CA has been Symantec since the beginning of their survey (or VeriSign before the authentication services business unit was purchased by Symantec). Symantec currently accounts for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.[34]

    As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM).[35][36]

    Algorithm[edit]

    See also: Cipher suite

    Key exchange or key agreement[edit]

    Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see § Cipher). Among the methods used for key exchange/agreement are: public and private keys generated with RSA (denoted TLS_RSA in the TLS handshake protocol), Diffie–Hellman (TLS_DH), ephemeral Diffie–Hellman (TLS_DHE), Elliptic Curve Diffie–Hellman (TLS_ECDH), ephemeral Elliptic Curve Diffie–Hellman (TLS_ECDHE), anonymous Diffie–Hellman (TLS_DH_anon),[2] pre-shared key (TLS_PSK)[37] and Secure Remote Password (TLS_SRP).[38]

    The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable to man-in-the-middle attack. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

    Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, Google announced that it would no longer use 1024 bit public keys and would switch instead to 2048 bit keys to increase the security of the TLS encryption it provides to its users because the encryption strength is directly related to the key size.[4][39]
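    Because only the ephemeral (DHE/ECDHE) exchanges give forward secrecy, a hardened deployment simply refuses to negotiate the others, and refuses the old protocol versions outright rather than relying on fallback detection. The block below is an added example, not code from the page or from CPython's documentation; it assumes CPython 3.7 or later on OpenSSL 1.1 or later. It builds a client `ssl.SSLContext` whose protocol floor is TLS 1.2 and whose TLS 1.2 suite list is restricted to ECDHE/DHE with AEAD, then audits the enabled suites so that a mistake in the cipher string (which OpenSSL accepts silently) is caught instead of shipped; a deliberately weaker context is included for contrast.

```python
import ssl

# OpenSSL cipher string for the TLS 1.2 suite list: forward-secret key exchange (ECDHE/DHE)
# with AEAD only. Static RSA key transport, RC4, 3DES, CBC-with-HMAC suites, NULL and MD5 are
# all excluded. TLS 1.3 suites are selected separately by OpenSSL and stay enabled.
FS_AEAD_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate SSL 3.0, TLS 1.0, TLS 1.1 or a non-forward-secret suite."""
    ctx = ssl.create_default_context()             # certificate verification and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refusing old versions outright beats relying on
                                                   # TLS_FALLBACK_SCSV to detect a downgrade later
    ctx.set_ciphers(FS_AEAD_CIPHERS)
    return ctx


def legacy_context():
    """Contrast: a context that still offers a static-RSA CBC suite (None if this OpenSSL lacks it)."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers("AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256")
    except ssl.SSLError:
        return None
    return ctx


def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that lack forward secrecy or use a deprecated primitive."""
    findings = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        legacy_primitive = any(tok in name for tok in ("RC4", "DES", "NULL", "MD5"))
        # OpenSSL names forward-secret TLS 1.2 suites ECDHE-* or DHE-*; TLS 1.3 suites are always FS.
        no_forward_secrecy = suite["protocol"] != "TLSv1.3" and "DHE" not in name
        if legacy_primitive or no_forward_secrecy:
            findings.append(name)
    return findings


if __name__ == "__main__":
    ctx = hardened_client_context()
    print(protocol_floor(ctx), audit_ciphers(ctx) or "no weak suites enabled")
```

    Pinning the floor with `minimum_version` is preferable to the older `OP_NO_SSLv3`/`OP_NO_TLSv1` option flags because it cannot be undone by a later flag change and leaves no version for a downgrade attempt to land on. The audit looks at what OpenSSL actually enabled, which is the list that matters, not the string that was requested.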

    Cipher[edit]

    See also: Cipher suite, Block cipher, and Cipher security summary

    Notes

    • RFC 5746 must be implemented to fix a renegotiation flaw that would otherwise break this protocol.
    • If libraries implement the fixes listed in RFC 5746, this violates the SSL 3.0 specification, which, unlike TLS, the IETF cannot change. Fortunately, most current libraries implement the fix and disregard the violation that this causes.
    • The BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client and/or the server. See § Web browsers.
    • The POODLE attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client and/or the server. See § Web browsers.
    • AEAD ciphers (such as GCM and CCM) can be used only in TLS 1.2 and later.
    • CBC ciphers can be attacked with the Lucky Thirteen attack if the library is not written carefully to eliminate timing side channels.
    • The Sweet32 attack breaks block ciphers with a block size of 64 bits.[48]
    • Although the key length of 3DES is 168 bits, the effective security strength of 3DES is only 112 bits,[49] which is below the recommended minimum of 128 bits.[50]
    • IDEA and DES have been removed from TLS 1.2.[51]
    • 40-bit cipher suites were designed to operate at reduced key lengths to comply with US regulations on the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
    • Use of RC4 in all versions of TLS is prohibited by RFC 7465 (because RC4 attacks weaken or break RC4 as used in SSL/TLS).
    • Authentication only, no encryption.

    Data integrity[edit]

    A message authentication code (MAC) provides data integrity. For CBC-mode block ciphers and for stream ciphers, TLS uses HMAC over each record; with AEAD modes such as GCM and CCM, integrity protection is part of the authenticated encryption itself and no separate MAC is computed.

    Applications and adoption[edit]

    In application design, TLS is usually implemented on top of transport-layer protocols, encrypting all of the protocol-related data of protocols such as HTTP, FTP, SMTP, NNTP and XMPP.

    Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

    Websites[edit]

    A prominent use of TLS is for securing World Wide Web traffic between a website and a web browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the HTTPS protocol.[53]

    Web browsers[edit]

    Further information: Comparison of web browsers

    As of April 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the latest version of IE. Additionally, many operating systems currently support multiple versions of IE, but this has changed according to Microsoft’s Internet Explorer Support Lifecycle Policy FAQ: “beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates.” The page then goes on to list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end-of-life stage, which is given in Microsoft’s Windows lifecycle fact sheet.

    There are still problems on several browser versions:

    • TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer 10 for Server 2012 and Internet Explorer 9 for Server 2008[57]

    Mitigations against known attacks are not enough yet:

    • Mitigations against POODLE attack: Some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients, but also servers. Disabling SSL 3.0 itself, implementation of “anti-POODLE record splitting”, or denying CBC ciphers in SSL 3.0 is required.
      • Google Chrome: Complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default since version 40. Support of SSL 3.0 itself was dropped since version 44.)
      • Mozilla Firefox: Complete (Support of SSL 3.0 itself is dropped since version 39. SSL 3.0 itself is disabled by default and fallback to SSL 3.0 are disabled since version 34, TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3.)
      • Internet Explorer: Partial (Only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable against POODLE.)
      • Opera: Complete (TLS_FALLBACK_SCSV is implemented since version 20, “anti-POODLE record splitting”, which is effective only with client-side implementation, is implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
      • Safari: Complete (Only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 are denied, but this means it will use RC4, which is not recommended either. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
    • Mitigation against RC4 attacks:
      • Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
      • Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
      • Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
      • Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 has set the priority of RC4 to lowest and can also disable RC4 except as a fallback through registry settings. Internet Explorer 11 Mobile for Windows Phone 8.1 disables RC4 except as a fallback if no other enabled algorithm works. Edge and IE 11 disabled RC4 completely in August 2016.
    • Mitigation against FREAK attack:
      • The Android Browser of Android 4 and older is still vulnerable to the FREAK attack.
      • Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
      • Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
      • Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.

    Notes

  • ^ Whether the browser has mitigations for, or is not vulnerable to, the known attacks. Actual security also depends on other factors such as the negotiated cipher and encryption strength (see § Cipher table).
  • ^ Whether a user or administrator can choose which protocol versions are used. If so, attacks such as BEAST (SSL 3.0 and TLS 1.0) or POODLE (SSL 3.0) can be avoided by disabling the affected versions.
  • ^ Whether EV SSL and DV SSL (normal SSL) can be distinguished by indicators (green lock icon, green address bar, etc.).
  • ^ e.g. 1/n-1 record splitting.
  • ^ e.g. disabling header compression in HTTPS/SPDY.
  • ^
    • Complete mitigations: disabling SSL 3.0 itself, or “anti-POODLE record splitting”. Record splitting is effective only when implemented client-side and is valid according to the SSL 3.0 specification, but it may cause compatibility issues due to problems in server-side implementations.
    • Partial mitigations: disabling fallback to SSL 3.0, TLS_FALLBACK_SCSV, or disabling cipher suites with CBC mode of operation. If the server also supports TLS_FALLBACK_SCSV, the POODLE attack fails against that combination of server and browser, but connections to servers that do not support TLS_FALLBACK_SCSV and do support SSL 3.0 remain vulnerable. If CBC cipher suites are disabled in SSL 3.0, only RC4 cipher suites remain, which makes RC4 attacks easier.
    • When SSL 3.0 is disabled manually, the POODLE attack fails.
  • ^
    • Complete mitigation: disabling cipher suites with RC4.
    • Partial mitigation, to keep compatibility with old systems: giving RC4 cipher suites the lowest priority.
  • ^ Google Chrome (and Chromium) supports TLS 1.0, and TLS 1.1 from version 22 (it was added, then dropped from version 21). TLS 1.2 support has been added, then dropped from Chrome 29.[63][64][65]
  • ^ Uses the TLS implementation provided by BoringSSL for Android, OS X, and Windows[66] or by NSS for Linux. Google is switching Chrome's TLS library from NSS to BoringSSL entirely.
  • ^ Enabling/disabling of each protocol version can be configured via a setting/option (the menu name depends on the browser).
  • ^ The maximum and minimum enabled protocol versions can be configured with a command-line option.
  • ^ TLS_FALLBACK_SCSV is implemented.[74] Fallback to SSL 3.0 is disabled since version 39.[75]
  • ^ In addition to TLS_FALLBACK_SCSV and disabling a fallback to SSL 3.0, SSL 3.0 itself is disabled by default.[75]
  • ^ The minimum enabled protocol version can be configured via chrome://flags[79] (the maximum version can be configured with a command-line option).
  • ^ Cipher suites with RC4 are used only as a fallback, when no cipher suite other than RC4 is available.
  • ^ All RC4 cipher suites are disabled by default.
  • ^ Uses the TLS implementation provided by NSS. As of Firefox 22, Firefox supports only TLS 1.0 despite the bundled NSS supporting TLS 1.1. Since Firefox 23, TLS 1.1 can be enabled, but was not enabled by default due to issues. Firefox 24 has TLS 1.2 support disabled by default. TLS 1.1 and TLS 1.2 have been enabled by default in the Firefox 27 release.
  • ^ The maximum and minimum enabled protocol versions can be configured via about:config.
  • ^ SSL 3.0 itself is disabled by default.[100] In addition, fallback to SSL 3.0 is disabled since version 34,[102] and TLS_FALLBACK_SCSV is implemented since 35.0 and ESR 31.3.[100][103]
  • ^ IE uses the TLS implementation of the Microsoft Windows operating system, provided by the SChannel security support provider. TLS 1.1 and 1.2 are disabled by default until IE11.[113][114]
  • ^ Windows NT 3.1 supports IE 1–2, Windows NT 3.5 supports IE 1–3, and Windows NT 3.51 and Windows NT 4.0 support IE 1–6.
  • ^ Windows XP as well as Server 2003 and older support only weak ciphers like 3DES and RC4 out of the box.[117] The weak ciphers of these SChannel versions are used not only by IE but also by other Microsoft products running on these OSes, such as Office or Windows Update. Only Windows Server 2003 can receive a manual update to support AES ciphers, via KB948963.[118]
  • ^ MS13-095 or MS14-049 for 2003 and XP-64, or SP3 for XP (32-bit).
  • ^ Internet Explorer Support Announcement[122]
  • ^ RC4 can be disabled except as a fallback (cipher suites with RC4 are then used only when no other cipher suite is available).[125]
  • ^ Fallback to SSL 3.0 is blocked by default for sites in Internet Explorer 11 Protected Mode.[127][128] SSL 3.0 is disabled by default in Internet Explorer 11 since April 2015.[129]
  • ^ Edge (formerly known as Project Spartan) is based on a fork of the Internet Explorer 11 rendering engine.
  • ^ Except Windows 10 LTSB 2015 (Long Term Servicing Branch)[132]
  • ^ Can be disabled via registry editing, but third-party tools are needed to do so.[133]
  • ^ Opera 10 added support for TLS 1.2 as of Presto 2.2. Previous support was for TLS 1.0 and 1.1. TLS 1.1 and 1.2 are disabled by default (except for version 9,[139] which enabled TLS 1.1 by default).
  • ^ SSL 3.0 is disabled by default remotely since October 15, 2014[148]
  • ^ TLS support of Opera 14 and above is the same as that of Chrome, because Opera has migrated to the Chromium backend (Opera 14 for Android is based on Chromium 26 with WebKit,[153] and Opera 15 and above are based on Chromium 28 and above with Blink[154]).
  • ^ TLS_FALLBACK_SCSV is implemented.[157]
  • ^ SSL 3.0 is enabled by default, with some mitigations against known vulnerabilities such as BEAST and POODLE implemented.[148]
  • ^ In addition to TLS_FALLBACK_SCSV, “anti-POODLE record splitting” is implemented.[148]
  • ^ In addition to TLS_FALLBACK_SCSV and “anti-POODLE record splitting”, SSL 3.0 itself is disabled by default.[79]
  • ^ The minimum enabled protocol version can be configured via opera://flags[79] (the maximum version can be configured with a command-line option).
  • ^ Safari uses the operating system implementation on Mac OS X and on Windows (XP, Vista, 7)[158] with an unknown version;[159] Safari 5 is the last version available for Windows. OS X 10.8 onward has SecureTransport support for TLS 1.1 and 1.2.[160] The Qualys SSL report simulates Safari 5.1.9 connecting with TLS 1.0, not 1.1 or 1.2.[161]
  • ^ In September 2013, Apple implemented BEAST mitigation in OS X 10.8 (Mountain Lion), but it was not turned on by default, leaving Safari still theoretically vulnerable to the BEAST attack on that platform.[163][164] BEAST mitigation has been enabled by default from OS X 10.8.5, updated in February 2014.[165]
  • ^ Because Apple removed support for all CBC cipher suites in SSL 3.0 to mitigate POODLE,[166][167] this leaves only RC4, which is also completely broken by the RC4 attacks in SSL 3.0.
  • ^ Mobile Safari and third-party software utilizing the system UIWebView library use the iOS operating system implementation, which supports TLS 1.2 as of iOS 5.0.[172][173][174]
    Libraries

    Main article: Comparison of TLS implementations

    Most SSL and TLS programming libraries are free and open source software.

    • BoringSSL, a fork of OpenSSL for Chrome/Chromium and Android as well as other Google applications.
    • Botan, a BSD-licensed cryptographic library written in C++.
    • CryptoComply: a family of FIPS 140-2 validated encryption modules designed to simplify FIPS 140-2 certification requirements.
    • cryptlib: a portable open source cryptography library (includes TLS/SSL implementation)
    • Delphi programmers may use a library called Indy which utilizes OpenSSL.
    • GnuTLS: a free implementation (LGPL licensed)
    • Java Secure Socket Extension: a Java implementation included in the Java Runtime Environment. It supports TLS 1.1 and 1.2 from Java 7, although they are disabled by default for the client and enabled by default for the server.[182] Java 8 has TLS 1.1 and 1.2 enabled by default on both client and server.[183]
    • LibreSSL: a fork of OpenSSL by OpenBSD project.
    • MatrixSSL: a dual licensed implementation
    • mbed TLS (previously PolarSSL): A tiny SSL library implementation for embedded devices that is designed for ease of use
    • Network Security Services: FIPS 140 validated open source library
    • OpenSSL: a free implementation (BSD license with some extensions)
    • SChannel: an implementation of SSL and TLS included in Microsoft Windows.
    • Secure Transport: an implementation of SSL and TLS included in OS X and iOS.
    • wolfSSL (previously CyaSSL): Embedded SSL/TLS Library with a strong focus on speed and size.
  • ^ The SSL 2.0 client hello is supported for backward compatibility even where SSL 2.0 itself is not supported or is disabled.
  • ^ Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages.[202]
  • ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9. TLS 1.1 and 1.2 are available on iOS 5.0 and later, and OS X 10.9 and later.[203][204]
    A paper presented at the 2012 ACM conference on computer and communications security[205] showed that few applications used some of these SSL libraries correctly, leading to vulnerabilities. According to the authors:

    “the root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values.”

    Other uses

    The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications use public key certificates to verify the identity of endpoints.

    TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS’s encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

    TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.

    Security

    SSL 2.0

    SSL 2.0 is flawed in a variety of ways:[206]

    • Identical cryptographic keys are used for message authentication and encryption. (In SSL 3.0, MAC secrets may be larger than encryption keys, so messages can remain tamper resistant even if encryption keys are broken.[5])
    • SSL 2.0 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks.
    • SSL 2.0 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go undetected.
    • SSL 2.0 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixes this problem by having an explicit closure alert).
    • SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtual hosting in Web servers. This means that most websites are practically impaired from using SSL.

    SSL 2.0 is disabled by default, beginning with Internet Explorer 7,[207] Mozilla Firefox 2,[208] Opera 9.5,[209] and Safari. After it sends a TLS “ClientHello”, if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 “ClientHello” in SSL 2.0 format to maximize the likelihood of successfully handshaking with older servers.[210] Support for SSL 2.0 (and weak 40-bit and 56-bit ciphers) has been removed completely from Opera as of version 10.[211][212]

    SSL 3.0

    SSL 3.0 improved upon SSL 2.0 by adding SHA-1–based ciphers and support for certificate authentication.

    From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 so its derivation process is not currently considered weak. It is for this reason that SSL 3.0 implementations cannot be validated under FIPS 140-2.[213]

    In October 2014, a vulnerability in the design of SSL 3.0 was reported which makes the CBC mode of operation in SSL 3.0 vulnerable to a padding attack (see POODLE attack below).

    TLS

    TLS has a variety of security measures:

    • Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
    • Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs).
    • Using a message digest enhanced with a key (so only a key-holder can check the MAC). The HMAC construction used by most TLS cipher suites is specified in RFC 2104 (SSL 3.0 used a different hash-based MAC).
    • The message that ends the handshake (“Finished”) sends a hash of all the exchanged handshake messages seen by both parties.
    • The pseudorandom function (PRF) of TLS 1.0 and 1.1 splits the secret in half and expands each half with a different hash algorithm (MD5 and SHA-1), then XORs the two outputs together to derive the master secret, the key block and the handshake “Finished” verify data. This provides protection even if one of these algorithms is found to be vulnerable. TLS 1.2 replaced this construction with a PRF built on a single hash, SHA-256 unless the cipher suite specifies otherwise.
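
    As an added illustration of the constructions listed above (example code, not from the original article or any TLS library): the TLS 1.0/1.1 PRF built from P_MD5 and P_SHA1 over the two halves of the secret, the single-hash TLS 1.2 PRF that replaced it, and the record MAC that folds the 64-bit sequence number into the HMAC input. The sample secret and random values are constructed; the function names are this example's own.

```python
import hashlib
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """TLS P_hash expansion (RFC 2246 / RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: the secret is split in half (an odd-length secret
    shares its middle byte), the first half drives P_MD5, the second P_SHA1,
    and the two streams are XORed so that a break of one hash alone does not
    break the derivation."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: one P_hash over the whole secret with the hash named by
    the cipher suite (SHA-256 unless the suite specifies a stronger one)."""
    return p_hash(hash_name, secret, label + seed, length)


def record_mac(mac_key, seq_num, content_type, version, fragment, hash_name="sha1"):
    """TLS 1.0-1.2 record MAC (RFC 5246 section 6.2.3.1). The implicit 64-bit
    sequence number is part of the MACed data, so a replayed or reordered
    record fails verification even though its bytes are unchanged."""
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return hmac.new(mac_key, header + fragment, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample values, not a real handshake transcript.
    pre_master = bytes(range(48))
    randoms = b"\x11" * 32 + b"\x22" * 32  # client_random || server_random
    print("TLS 1.0 master secret:", prf_tls10(pre_master, b"master secret", randoms, 48).hex())
    print("TLS 1.2 master secret:", prf_tls12(pre_master, b"master secret", randoms, 48).hex())
    print("record MAC, seq 0:", record_mac(b"k" * 20, 0, 23, (3, 1), b"hello").hex())
```

    The XOR of the two streams is why the MD5 collision attacks mentioned in the SSL 3.0 section did not break TLS 1.0 key derivation: an attacker would have to control both P_MD5 and P_SHA1 output simultaneously. The same `record_mac` input shows why the sequence number matters: the MAC over the same fragment changes with every record, so a captured record cannot be replayed later in the stream.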

    Attacks against TLS/SSL

    Significant attacks against TLS/SSL are listed below:

    Note: In February 2015, IETF issued an informational RFC[214] summarizing the various known attacks against TLS/SSL.

    Renegotiation attack

    A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS.[215] For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can’t actually decrypt the client–server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.[216] This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries.[217][218][219]

    Downgrade attacks: FREAK attack and Logjam attack
    Main articles: FREAK and Logjam (computer security)

    A protocol downgrade attack (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure.

    Previous modifications to the original protocols, like False Start[220] (adopted and enabled by Google Chrome[221]) or Snap Start, reportedly introduced limited TLS protocol downgrade attacks[222] or allowed modifications to the cipher suite list sent by the client to the server. In doing so, an attacker might succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite negotiated to use either a weaker symmetric encryption algorithm or a weaker key exchange.[223] A paper presented at an ACM conference on computer and communications security in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.[224]

    Encryption downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, a man-in-the-middle attack called FREAK was discovered affecting the OpenSSL stack, the default Android web browser, and some Safari browsers.[225] The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512-bit export-grade RSA keys.

    Logjam is a security exploit discovered in May 2015 that exploits the option of using legacy “export-grade” 512-bit Diffie–Hellman groups dating back to the 1990s.[226] It forces susceptible servers to downgrade to cryptographically weak 512-bit Diffie–Hellman groups. An attacker can then deduce the keys the client and server determine using the Diffie–Hellman key exchange.

    Cross-protocol attacks: DROWN
    Main article: DROWN attack

    The DROWN attack is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.[227][228] DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. At that time, more than 81,000 of the top 1 million most popular websites were among the TLS protected websites that were vulnerable to the DROWN attack.[228]

    BEAST attack

    On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS)[229] using a Java applet to violate same origin policy constraints, for a long-known cipher block chaining (CBC) vulnerability in TLS 1.0:[230][231] an attacker observing two consecutive ciphertext blocks C0, C1 can test whether the plaintext block P1 is equal to x by choosing the next plaintext block P2 = x ^ C0 ^ C1; because of how CBC chains blocks, C2 will equal C1 if and only if x = P1. Practical exploits had not previously been demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway[232] in 2002. The vulnerability had been fixed in TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.
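
    The block-guessing test described above, carried through to full cookie recovery, as an added example (this is not the BEAST proof of concept and not code from the original article). Two assumptions are labelled in the code: a keyed HMAC truncated to one block stands in for AES-128 so that the example needs no crypto library (the attack only requires E_K to be deterministic and unknown to the attacker), and the record layer models padding as zero bytes without a MAC. The `Victim` models the browser sending attacker-chosen data followed by a secret cookie on one connection, as the BEAST JavaScript does; `chained_iv` switches between the TLS 1.0 behaviour (the IV of the next record is the last ciphertext block of the previous one) and the TLS 1.1 fix (a fresh random explicit IV per record).

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Assumption: stand-in for AES-128. A keyed PRF truncated to one block is
    enough here because BEAST only needs E_K to be deterministic and secret;
    decryption is never required in this example."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


class CbcRecordLayer:
    """CBC sender. chained_iv=True models SSL 3.0 / TLS 1.0, where the last
    ciphertext block of one record is the IV of the next, so the IV is known
    to the attacker before the next plaintext is chosen. chained_iv=False
    models TLS 1.1+, which sends a fresh random explicit IV with every record."""

    def __init__(self, key, chained_iv):
        self.key, self.chained_iv = key, chained_iv
        self.next_iv = os.urandom(BLOCK)

    def send(self, plaintext):
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # toy padding, no MAC modelled
        iv = self.next_iv if self.chained_iv else os.urandom(BLOCK)
        blocks, prev = [], iv
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            blocks.append(prev)
        self.next_iv = prev
        return iv, blocks  # both are visible to a network attacker


class Victim:
    """Browser running attacker-controlled script: every request carries an
    attacker-chosen prefix followed by the secret cookie on one connection."""

    def __init__(self, secret, chained_iv):
        self.secret = secret
        self.layer = CbcRecordLayer(os.urandom(16), chained_iv)

    def request(self, prefix):
        return self.layer.send(prefix + self.secret)


def beast_recover(victim, secret_len):
    """Recover the cookie one byte at a time. For byte k the prefix length is
    chosen so that secret[k] is the last byte of a block whose first 15 bytes
    are known. With C_prev the block chained into it and C_target its
    ciphertext, guess x is tested by making the next record start with
    P2 = (known15 || x) ^ C_prev ^ IV_next: its first ciphertext block equals
    C_target iff x is right. The attacker predicts IV_next as the last
    ciphertext block seen on the wire, which is only correct for chained IVs;
    with random IVs no guess ever matches and None is returned."""
    known = b""
    for k in range(secret_len):
        prefix = b"A" * ((15 - k) % BLOCK)
        iv, blocks = victim.request(prefix)
        t = (len(prefix) + k) // BLOCK  # index of the block ending in secret[k]
        c_prev = blocks[t - 1] if t > 0 else iv
        c_target = blocks[t]
        known15 = (prefix + known)[BLOCK * t:BLOCK * t + 15]
        predicted_iv = blocks[-1]
        found = None
        for x in range(256):
            p2 = xor(xor(known15 + bytes([x]), c_prev), predicted_iv)
            _, probe = victim.request(p2)
            predicted_iv = probe[-1]
            if probe[0] == c_target:
                found = x
                break
        if found is None:
            return None
        known += bytes([found])
    return known


if __name__ == "__main__":
    cookie = b"session=4f3a9c1d2e7b"  # constructed sample secret
    print("TLS 1.0 (chained IV):", beast_recover(Victim(cookie, True), len(cookie)))
    print("TLS 1.1 (random IV): ", beast_recover(Victim(cookie, False), len(cookie)))
```

    The 1/n-1 record splitting mitigation mentioned in the browser notes works on the same principle as the TLS 1.1 fix: by sending the first plaintext byte in its own record, the block the attacker's chosen data is chained to is no longer predictable when the guess is committed.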

    RC4 as a stream cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigate BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter enabling RC4 on server side was no longer recommended.[233]

    Chrome and Firefox themselves are not vulnerable to the BEAST attack;[67][234] however, Mozilla updated their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.[235]

    Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets from the server end.[236] Users of Internet Explorer (prior to version 11) that run on older versions of Windows (Windows 7, Windows 8 and Windows Server 2008 R2) can restrict use of TLS to 1.1 or higher.

    Apple fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by default in OS X Mavericks, released on October 22, 2013.[237]

    CRIME and BREACH attacks
    Main articles: CRIME and BREACH

    The authors of the BEAST attack are also the creators of the later CRIME attack, which can allow an attacker to recover the content of web cookies when data compression is used along with TLS.[238][239] When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session.

    While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was announced. Based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).[240] All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.[241] Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.[240] This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data it was meant to protect.

    Timing attacks on padding

    Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013.

    Some experts[50] also recommended avoiding Triple-DES CBC. Because the only ciphers left that work with Windows XP's SSL/TLS library (used by Internet Explorer on XP, among other programs) are RC4 and Triple-DES, and RC4 is now deprecated (see the discussion of RC4 attacks), it is difficult to support any version of SSL/TLS securely for programs using this library on XP.

    A fix was released as the Encrypt-then-MAC extension to the TLS specification, published as RFC 7366.[242] The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM cipher suites; AES_CBC suites remain exposed unless the implementation's MAC check is constant-time.

    POODLE attack
    Main article: POODLE

    On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes CBC mode of operation with SSL 3.0 vulnerable to a padding attack (CVE-2014-3566). They named this attack POODLE (Padding Oracle On Downgraded Legacy Encryption). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.[56]
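
    The “256 requests per byte” figure follows from how SSL 3.0 checks padding, and the following added example (not from the original article, not the researchers' code) walks through it. Assumptions, also marked in the code: a 4-round Feistel network with an HMAC round function stands in for AES so the example runs without a crypto library (POODLE only needs CBC decryption to exist, not a particular cipher); the request layout `HEAD`/`TAIL`, the cookie and the keys are constructed; the server follows the SSL 3.0 rule of checking only the padding-length byte and then the MAC. The attacker controls the path padding `x` (to put the target cookie byte at the end of a block) and the body padding `y` (to make the padding a whole block), copies the target ciphertext block over the padding block, and learns one byte each time the server happens to accept.

```python
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20
HEAD = b"GET /"                    # constructed request layout known to the attacker
TAIL = b" HTTP/1.1\r\nCookie: "
ROUNDS = 4


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(key, block):
    """Assumption: toy invertible 128-bit block cipher standing in for AES."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return l + r


def feistel_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, hmac.new(key, bytes([i]) + l, hashlib.sha256).digest()[:8]), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = feistel_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def cbc_decrypt(key, iv, blocks):
    out, prev = b"", iv
    for c in blocks:
        out += xor(feistel_decrypt(key, c), prev)
        prev = c
    return out


class Client:
    """Browser: attacker-chosen path padding x and body padding y around the
    secret cookie; data is MACed, then padded SSL 3.0 style (pad bytes of any
    value followed by one length byte), then CBC-encrypted."""

    def __init__(self, enc_key, mac_key, cookie):
        self.enc_key, self.mac_key, self.cookie = enc_key, mac_key, cookie

    def send(self, x, y):
        data = HEAD + b"a" * x + TAIL + self.cookie + b"\r\n\r\n" + b"b" * y
        pt = data + hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad = BLOCK - len(pt) % BLOCK  # 1..16; 16 means a whole padding block
        pt += bytes(pad - 1) + bytes([pad - 1])
        iv = os.urandom(BLOCK)  # every resend yields a fresh ciphertext
        return iv, cbc_encrypt(self.enc_key, iv, pt)


class Server:
    """SSL 3.0 receiver: only the padding-length byte is checked, the padding
    is stripped, then the MAC is verified. The unchecked pad bytes are the flaw."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key

    def accept(self, iv, blocks):
        pt = cbc_decrypt(self.enc_key, iv, blocks)
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        body = pt[:len(pt) - pad_len - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, hashlib.sha1).digest())


def poodle_recover(client, server, cookie_len):
    """For cookie byte k choose x so it is the last byte of block t and y so the
    padding is a full block, then copy C_t over the last block. The server
    accepts iff the decrypted last byte is 15, i.e. iff
    P_t[15] == 15 ^ C_{t-1}[15] ^ C_{n-1}[15], once per 256 resends on average.
    Returns the recovered cookie and the total number of records sent."""
    recovered, trials = bytearray(), 0
    base = len(HEAD) + len(TAIL)
    for k in range(cookie_len):
        x = (15 - (base + k)) % BLOCK
        t = (base + x + k) // BLOCK
        y = (-(base + x + cookie_len + 4 + MAC_LEN)) % BLOCK
        while True:
            trials += 1
            iv, blocks = client.send(x, y)
            c_prev = blocks[t - 1] if t > 0 else iv
            if server.accept(iv, blocks[:-1] + [blocks[t]]):
                recovered.append(0x0F ^ c_prev[15] ^ blocks[-2][15])
                break
    return bytes(recovered), trials


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(16), os.urandom(20)
    cookie = b"4f3a9c1d2e7b"  # constructed secret
    got, n = poodle_recover(Client(enc_key, mac_key, cookie), Server(enc_key, mac_key), len(cookie))
    print(got, "recovered after", n, "records, about", n // len(cookie), "per byte")
```

    Running it shows the trial count settling near 256 per cookie byte. The real attack needs one more step not modelled here: the connection must first be downgraded to SSL 3.0, which is why the fallback and TLS_FALLBACK_SCSV mitigations in the browser notes matter as much as the padding check itself.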

    Although this vulnerability exists only in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers at the time would voluntarily fall back to SSL 3.0 if handshakes with newer versions of TLS failed, unless the browser offered a way to disable SSL 3.0 and the user or administrator had done so. A man-in-the-middle can therefore first conduct a version rollback attack and then exploit this vulnerability.[56]

    In general, graceful security degradation for the sake of interoperability is difficult to carry out in a way that cannot be exploited. This is challenging especially in domains where fragmentation is high.[243]

    On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.[244]

    RC4 attacks
    Main article: RC4 § Security

    Despite the existence of attacks on RC4 that broke its security, cipher suites in SSL and TLS that were based on RC4 were still considered secure prior to 2013 because of the way in which they were used in SSL and TLS. In 2011, the RC4 suite was actually recommended as a workaround for the BEAST attack.[245] New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST.[55] An attack scenario proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt used newly discovered statistical biases in the RC4 keystream[246] to recover parts of the plaintext given a large number of TLS encryptions of the same data.[247][248] An attack on RC4 in TLS and SSL that requires 13 × 2^20 encryptions to break RC4 was unveiled on 8 July 2013 and later described as “feasible” in the accompanying presentation at the USENIX Security Symposium in August 2013.[249][250] In July 2015, subsequent improvements made the attack increasingly practical against RC4-encrypted TLS.[251]
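
    An added example (not from the original article) of the kind of keystream bias those attacks build on: the Mantin–Shamir bias that makes RC4's second output byte zero about twice as often as a uniform keystream would, and the broadcast attack that turns such a bias into plaintext recovery when the same byte is encrypted under many keys. The keys come from a seeded generator purely so the run is reproducible; no TLS session is involved, and the 2013 attacks use many more single- and double-byte biases over the first 256 positions than the one shown here.

```python
import random
from collections import Counter


def rc4_keystream(key, n):
    """Plain RC4: key-scheduling algorithm followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_bytes(num_keys, seed=1):
    """Second keystream byte Z2 under num_keys independent random 128-bit keys.
    Keys are constructed from a seeded generator for reproducibility; in the
    TLS setting each sample would come from a fresh session key."""
    rng = random.Random(seed)
    return [rc4_keystream(bytes(rng.randrange(256) for _ in range(16)), 2)[1]
            for _ in range(num_keys)]


def zero_rate(z2_samples):
    """Fraction of Z2 values equal to 0. Mantin and Shamir showed this is
    about 2/256 rather than the 1/256 of a uniform keystream."""
    return z2_samples.count(0) / len(z2_samples)


def broadcast_recover(plain_byte, z2_samples):
    """Broadcast attack: the same plaintext byte encrypted at position 2 under
    many keys. Because Z2 is 0 more often than any other value, the most
    frequent ciphertext byte is the plaintext byte itself."""
    ciphertexts = [plain_byte ^ z for z in z2_samples]
    return Counter(ciphertexts).most_common(1)[0][0]


if __name__ == "__main__":
    samples = second_bytes(20000)
    print("P[Z2 == 0] observed: %.5f, uniform would be %.5f" % (zero_rate(samples), 1 / 256))
    print("recovered byte:", chr(broadcast_recover(ord("s"), samples)))
```

    With 20,000 keys the zero count is roughly 156 against roughly 78 for any other value, which is why an attacker who can make a browser resend a cookie many times (the same trick BEAST uses) learns its bytes from nothing but ciphertext statistics.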

    As many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.7 or earlier, for iOS 6 or earlier, and for Windows; see #Web browsers), RC4 is no longer a good choice for TLS 1.0. The CBC ciphers which were affected by the BEAST attack in the past have become a more popular choice for protection.[50] Mozilla and Microsoft recommend disabling RC4 where possible.[252][253] RFC 7465 prohibits the use of RC4 cipher suites in all versions of TLS.

    On September 1, 2015, Microsoft, Google and Mozilla announced that RC4 cipher suites would be disabled by default in their browsers (Microsoft Edge, Internet Explorer 11 on Windows 7/8.1/10, Firefox, and Chrome) in early 2016.[254][255][256]

    Truncation attack

    A TLS (logout) truncation attack blocks a victim’s account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn’t receive the logout request and is unaware of the abnormal termination.[257]

    Published in July 2013,[258][259] the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed out, while ensuring that the user’s browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user’s logged-in account. The attack does not rely on installing malware on the victim’s computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).[257] Exploiting the still-authorized session does, however, require later access to the victim’s browser. A related case arises with FTP: the data connection can carry a forged FIN in the data stream, and if the protocol rules for exchanging close_notify alerts are not adhered to, a file can be truncated.

    Unholy PAC attack

    This attack, discovered in mid-2016, exploits weaknesses in the Web Proxy Autodiscovery Protocol (WPAD) to expose the URL that a web user is attempting to reach via a TLS-enabled web link.[260] Disclosure of a URL can violate a user’s privacy, not only because of the website accessed, but also because URLs are sometimes used to authenticate users. Document sharing services, such as those offered by Google and Dropbox, also work by sending a user a security token that’s included in the URL. An attacker who obtains such URLs may be able to gain full access to a victim’s account or data.

    The exploit works against almost all browsers and operating systems.

    Sweet32 attack

    The Sweet32 attack breaks all 64-bit block ciphers used in CBC mode as used in TLS by exploiting a birthday attack and either a man-in-the-middle attack or injection of a malicious JavaScript into a web page. The purpose of the man-in-the-middle attack or the JavaScript injection is to allow the attacker to capture enough traffic to mount a birthday attack.[261]

    Implementation errors: Heartbleed bug, BERserk attack, Cloudflare bug
    Main articles: Heartbleed and Cloudbleed

    The Heartbleed bug is a serious vulnerability specific to the implementation of SSL/TLS in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected.[262] The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.[263] The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.
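
    An added model of the defect, in Python rather than OpenSSL's C (it is neither OpenSSL's code nor code from the original article): the heartbeat handler trusts the 16-bit payload length carried inside the attacker's own message, so the copy runs past the bytes actually received and into whatever sits next in memory; the corrected version adds the two bounds checks that OpenSSL 1.0.1g introduced. The process memory is a bytearray constructed for the example, with the record at offset 0 and an unrelated secret placed after it; the function and constant names are this example's own.

```python
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload


def vulnerable_heartbeat(memory, record_len):
    """OpenSSL 1.0.1 through 1.0.1f behaviour: payload_len comes from the
    attacker's message and is never compared with record_len, the number of
    bytes actually received. `memory` is a constructed model of the heap with
    the record at offset 0; the slice reads past the record just as memcpy did."""
    hb_type = memory[0]
    payload_len = int.from_bytes(memory[1:3], "big")
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = bytes(memory[3:3 + payload_len])  # over-read: up to 64 KiB of heap
    return bytes([HEARTBEAT_RESPONSE]) + payload_len.to_bytes(2, "big") + payload


def fixed_heartbeat(memory, record_len):
    """The 1.0.1g fix: discard a record that cannot even hold the header and
    minimum padding, or whose claimed payload plus padding exceeds the bytes
    received. RFC 6520 section 4 says such messages are discarded silently."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    hb_type = memory[0]
    payload_len = int.from_bytes(memory[1:3], "big")
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    payload = bytes(memory[3:3 + payload_len])  # now provably inside the record
    return bytes([HEARTBEAT_RESPONSE]) + payload_len.to_bytes(2, "big") + payload


def build_record(payload, claimed_len=None):
    """Heartbeat request: type, 16-bit payload length, payload, 16 bytes of
    padding. claimed_len lets an attacker lie about the payload length."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HEARTBEAT_REQUEST]) + length.to_bytes(2, "big") + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # Constructed heap layout: the malicious record followed by unrelated data.
    record = build_record(b"ping", claimed_len=65535)
    memory = bytearray(record + b"...-----BEGIN RSA PRIVATE KEY-----MIIE...")
    leaked = vulnerable_heartbeat(memory, len(record))
    print("vulnerable response leaks:", leaked[3:][:60])
    print("fixed response:", fixed_heartbeat(memory, len(record)))
```

    The point the page makes is visible in the two functions: nothing about the TLS protocol changes between them, only whether a length field supplied by the peer is checked against the length the record layer actually delivered.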

    In September 2014, a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability[264] was announced by Intel Security Advanced Threat Research. This attack, dubbed BERserk, is a result of incomplete ASN.1 length decoding of public key signatures in some SSL implementations, and allows a man-in-the-middle attack by forging a public key signature.[265]

    In February 2015, after media reported the hidden pre-installation of Superfish adware on some Lenovo notebooks,[266] a researcher found a trusted root certificate on affected Lenovo machines to be insecure, as the keys could easily be accessed using the company name, Komodia, as a passphrase.[267] The Komodia library was designed to intercept client-side TLS/SSL traffic for parental control and surveillance, but it was also used in numerous adware programs, including Superfish, that were often surreptitiously installed unbeknownst to the computer user. In turn, these potentially unwanted programs installed the corrupt root certificate, allowing attackers to completely control web traffic and confirm false websites as authentic.

    In May 2016, it was reported that dozens of Danish HTTPS-protected websites belonging to Visa Inc. were vulnerable to attacks allowing hackers to inject malicious code and forged content into the browsers of visitors.[268] The attacks worked because the TLS implementation used on the affected servers incorrectly reused random numbers (nonces) that are intended to be used only once, ensuring that each TLS handshake is unique.[268]

    In February 2017, an implementation error caused by a single mistyped character in code used to parse HTML created a buffer overflow error on Cloudflare servers. Similar in its effects to the Heartbleed bug discovered in 2014, this overflow error, widely known as Cloudbleed, allowed unauthorized third parties to read data in the memory of programs running on the servers—data that should otherwise have been protected by TLS.[269]

    Survey of websites vulnerable to attacks

    As of October 2016, the Trustworthy Internet Movement estimated the proportion of websites vulnerable to TLS attacks.[54]

    Forward secrecy

    Main article: Forward secrecy

    Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.[270] Without forward secrecy, if the server’s private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided of course that these past sessions were intercepted and stored at the time of transmission).[271] An implementation of TLS can provide forward secrecy by requiring the use of ephemeral Diffie–Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g., Gmail and other Google HTTPS services that use OpenSSL.[272] However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.[273][274] In practice, unless a web service uses Diffie–Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server’s master (private) key; e.g., by means of a court order.[275]

    Even where ephemeral Diffie–Hellman key exchange is used, server-side session management mechanisms can undermine forward secrecy. With TLS session tickets (a TLS extension), the server encrypts the session state, including the master secret, under a long-lived ticket key before handing it to the client. In OpenSSL’s default implementation the ticket is always protected with AES128-CBC-SHA256 regardless of the cipher suite negotiated for the session, and anyone who later obtains the ticket key can decrypt recorded tickets, recover the master secrets and so decrypt the recorded sessions, which defeats the forward secrecy the cipher suite was meant to provide.[276][277][278] Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie–Hellman (DHE) key exchange to support forward secrecy were using weak Diffie–Hellman parameters (moduli too short for the intended security level). These weak parameter choices could compromise the effectiveness of the forward secrecy that the servers sought to provide.[279]

    Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search among other services.[280] Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.[281] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[54]

    Dealing with man-in-the-middle attacks[edit]

    Main article: Man-in-the-middle attack
    Certificate pinning[edit]
    Main article: HTTP Public Key Pinning

    One way to detect and block many kinds of man-in-the-middle attacks is “certificate pinning”, sometimes called “SSL pinning”, but more accurately called “public key pinning”.[282] A client that does key pinning adds an extra step beyond the normal X.509 certificate validation: after obtaining the server’s certificate in the standard way, the client checks the public key(s) in the server’s certificate chain against a set of (hashes of) public keys for the server name, and rejects the connection if none match, even when the chain itself validates. Typically the public key hashes are bundled with the application. For example, Google Chrome includes public key hashes for *.google.com, and it was this check that detected fraudulently issued certificates for Google domains in 2011. (Chromium does not enforce the hardcoded key pins.) Since then, Mozilla has introduced public key pinning to its Firefox browser.[283]

    Other systems use trust on first use: the client assumes that the certificate it obtains from a server the first time is trustworthy and stores it; during later sessions with that server, the client checks the server’s certificate against the stored certificate to guard against later MITM attacks. This protects every connection except the first, and offers no protection if the attacker was already in place when the certificate was first stored.
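    The pin-matching step described above, as an added example (illustrative code for this article, not the browsers’ own implementation). It follows the RFC 7469 conventions: a pin is the SHA-256 of the DER SubjectPublicKeyInfo, any key in the validated chain may satisfy it, and a Public-Key-Pins header is only acted on when it carries max-age, a matching pin and a non-matching backup pin. The SPKI byte strings below are constructed placeholders standing in for real DER blobs, which a real client would take from its certificate parser; the header value is likewise constructed. Browsers have since retired the HPKP header, but application-embedded pins use the same matching logic.

```python
"""Public-key pin matching and HPKP header handling, in the style of RFC 7469."""
import base64
import hashlib
import re

PIN_DIRECTIVE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def spki_pin(spki_der: bytes) -> str:
    """A pin is the base64 SHA-256 of the DER SubjectPublicKeyInfo, not of the whole certificate,
    so it survives certificate renewal for as long as the same key pair is kept."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Extra step after normal X.509 validation: at least one key in the validated chain
    (leaf, intermediate or root) must hash to one of the pinned values."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def parse_hpkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header into its pins, max-age and includeSubDomains flag."""
    info = {"pins": set(PIN_DIRECTIVE.findall(value)), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            info["max_age"] = int(arg)
        elif name.lower() == "includesubdomains":
            info["include_subdomains"] = True
    return info


def hpkp_header_is_noteworthy(header: dict, chain_spkis) -> bool:
    """RFC 7469 section 2.5: before storing pins, a client requires a max-age directive, at least
    one pin matching the served chain, and at least one pin that does not match (a backup pin for
    a key held offline, so that losing the live key does not lock users out of the site)."""
    if header["max_age"] is None or not header["pins"]:
        return False
    seen = {spki_pin(spki) for spki in chain_spkis}
    return bool(header["pins"] & seen) and bool(header["pins"] - seen)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; only their hashes matter here.
LEAF_SPKI = b"spki:leaf:example.com:2048-bit-rsa"
INTERMEDIATE_SPKI = b"spki:intermediate-ca"
BACKUP_SPKI = b"spki:backup-key-kept-offline"
ATTACKER_SPKI = b"spki:mis-issued-cert-from-rogue-ca"

# Pinning the intermediate (plus a backup) survives leaf renewals by the same CA.
PINNED = {spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI)}

# Constructed header, as a site would send it once pins are in place.
HPKP_HEADER = (
    f'pin-sha256="{spki_pin(INTERMEDIATE_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


def connection_allowed(chain_spkis) -> bool:
    """What a pinning client decides after the chain has already passed X.509 validation."""
    return chain_matches_pins(chain_spkis, PINNED)
```

    A mis-issued but otherwise valid certificate, chained to a different CA, fails connection_allowed even though ordinary validation would accept it; a header that lists only the live key and no backup is ignored rather than stored.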

    Perspectives Project[edit]

    The Perspectives Project[284] operates network notaries that clients can use to detect if a site’s certificate has changed. By their nature, man-in-the-middle attacks place the attacker between the destination and a single specific target. As such, Perspectives would warn the target that the certificate delivered to the web browser does not match the certificate seen from other perspectives – the perspectives of other users in different times and places. Use of network notaries from a multitude of perspectives makes it possible for a target to detect an attack even if a certificate appears to be completely valid. However, the Perspectives Project appears to have been abandoned. (Ref. GitHub issue tracker 2017-07-11:[285] “perspectives-project.org domain expired” and 2017-10-24: “It’s now pointing at a non-existent WordPress site.”) Other projects, such as the EFF’s SSL Observatory, also make use of notaries or similar reporters in discovering man-in-the-middle attacks.

    DNSChain[edit]

    DNSChain[286] relies on the security that blockchains provide to distribute public keys. It uses one pin to secure the connection to the DNSChain server itself, after which all other public keys (that are stored in a blockchain) become accessible over a secure channel.

    Online tools to test SSL/TLS security[edit]

    Online services perform security tests of SSL/TLS certificates and server configurations. Each tool reports on the certificate chain installed on a web server and, in most cases, on the protocol versions and cipher suites the server accepts.[287]

    • SSL/TLS Test by High-Tech Bridge – Test SSL/TLS security and implementation for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines.
    • SSL Labs by Qualys – Deep analysis of the configuration of any SSL web server on the public Internet.
    • SSL Checker by SSLstore – The SSL Checker tool can verify that the SSL Certificate on your web server is properly installed and trusted.
    • SSL Checker by Symantec – Check your SSL/TLS certificate installation.
    • SSL Certificate Checker by Digicert – Certificate details including Issuer, serial number, key length, signature algorithm, SSL cipher supported by the server and expiry details.
    • COMODO SSL Analyzer – Scans https URL and gives quick report on various parameters.
    • HowsMySSL Test – Immediately scans the client (browser) and gives the status on various checks.
    • SSL Checker by SSL Shopper – Verify the SSL certificate on web server to make sure it is correctly installed, valid and trusted.

    Protocol details[edit]

    The TLS protocol exchanges records, which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that designates the type of data encapsulated, a length field and a version field. The data encapsulated may be control or procedural messages of TLS itself, or simply the application data to be transferred by TLS. The parameters (cipher suite, keys etc.) required to exchange application data by TLS are agreed upon in the “TLS handshake” between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.

    TLS handshake[edit]

    When the connection starts, the record encapsulates a “control” protocol – the handshake messaging protocol (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the format of messages and the order of their exchange. These may vary according to the demands of the client and server – i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).

    Basic TLS handshake[edit]

    A typical connection example follows, illustrating a handshake where the server (but not the client) is authenticated by its certificate:

  • Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and suggested compression methods. If the client is attempting to perform a resumed handshake, it may send a session ID. If the client can use Application-Layer Protocol Negotiation, it may include a list of supported application protocols, such as HTTP/2.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, CipherSuite and compression method from the choices offered by the client. To confirm or allow resumed handshakes the server may send a session ID. The chosen protocol version should be the highest that both the client and server support. For example, if the client supports TLS version 1.1 and the server supports version 1.2, version 1.1 should be selected; version 1.2 should not be selected.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[288]
    • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.[2]
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher suite.) With RSA key exchange, the client generates the PreMasterSecret and encrypts it using the public key of the server certificate; with DHE, it sends its ephemeral Diffie–Hellman public value instead, and the PreMasterSecret is the resulting shared secret.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the “master secret”. All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  • The client now sends a ChangeCipherSpec record, essentially telling the server, “Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated).” The ChangeCipherSpec is itself a record-level protocol with content type of 20.
    • Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client’s Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  • Finally, the server sends a ChangeCipherSpec, telling the client, “Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated).”
    • The server sends its authenticated and encrypted Finished message.
    • The client performs the same decryption and verification procedure as the server did in the previous step.
  • Application phase: at this point, the “handshake” is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like their Finished messages.

    Client-authenticated TLS handshake[edit]

    The following full example shows a client being authenticated (in addition to the server as in the example above) via TLS using certificates exchanged between both peers.

  • Negotiation Phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.
    • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).[288]
    • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.[2]
    • The server sends a CertificateRequest message, to request a certificate from the client so that the connection can be mutually authenticated.
    • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
    • The client responds with a Certificate message, which contains the client’s certificate.
    • The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher suite.) With RSA key exchange, the PreMasterSecret is encrypted using the public key of the server certificate; with DHE, the client sends its ephemeral Diffie–Hellman public value instead.
    • The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client’s certificate’s private key. This signature can be verified by using the client’s certificate’s public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
    • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the “master secret”. All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
  • The client now sends a ChangeCipherSpec record, essentially telling the server, “Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). ” The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The server will attempt to decrypt the client’s Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  • Finally, the server sends a ChangeCipherSpec, telling the client, “Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). ”
    • The server sends its own encrypted Finished message.
    • The client performs the same decryption and verification procedure as the server did in the previous step.
  • Application phase: at this point, the “handshake” is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like their Finished messages.

    Resumed TLS handshake[edit]

    Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.

    Apart from the performance benefit, resumed sessions can also be used for single sign-on, as it guarantees that both the original session and any resumed session originate from the same client. This is of particular importance for the FTP over TLS/SSL protocol, which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.[289]

    Session IDs[edit]

    In an ordinary full handshake, the server sends a session id as part of the ServerHello message. The client associates this session id with the server’s IP address and TCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the “master secret”. Both sides must have the same “master secret” or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different from those in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

  • Negotiation phase:
    • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the session id from the previous TLS connection.
    • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the session id sent by the client, it responds with the same session id. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the session id sent by the client, it sends a different value for its session id. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the “master secret” and random data to generate the key data to be used for this connection.
  • The server now sends a ChangeCipherSpec record, essentially telling the client, “Everything I tell you from now on will be encrypted.” The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
    • Finally, the server sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
    • The client will attempt to decrypt the server’s Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  • Finally, the client sends a ChangeCipherSpec, telling the server, “Everything I tell you from now on will be encrypted. ”
    • The client sends its own encrypted Finished message.
    • The server performs the same decryption and verification procedure as the client did in the previous step.
  • Application phase: at this point, the “handshake” is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like their Finished messages.

    Session tickets[edit]

    RFC 5077 extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state be stored at the TLS server.

    When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.

    One particular weakness of this method with OpenSSL is that its default ticket-protection code always uses AES128-CBC-SHA256 for the transmitted TLS session ticket, no matter what other TLS parameters were negotiated for the actual TLS session.[277] This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL’s storage of the ticket keys in an application-wide context (SSL_CTX), i.e. for the life of the application, with no re-keying of the AES128-CBC-SHA256 TLS session tickets unless the application either resets the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention) or installs its own ticket key callback that rotates the keys.[278][276]
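    The ticket construction described above, with the rotating key ring that the OpenSSL default lacks, as an added example (illustrative code written for this article, not OpenSSL’s ticket code or its callback API). New tickets are always sealed under the current key; a bounded number of retired keys are kept so that tickets issued just before a rotation still resume, and anything older falls back to a full handshake. The “cipher” is an HMAC-SHA256 counter-mode keystream so that the example needs only the standard library; it stands in for the AES-128-CBC plus HMAC-SHA256 that RFC 5077 recommends and is an assumption of this demo, not a recommendation. The session state and the injectable clock are constructed for the test.

```python
"""Session tickets that the server seals under a rotating key ring, not one key that lives
for the life of the process."""
import hashlib
import hmac
import os
import struct
import time

KEY_NAME_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32   # RFC 5077 uses a 16-byte key_name and IV


class TicketKeyRing:
    """Current ticket key plus a bounded number of retired ones. New tickets use the current
    key only; retired keys only decrypt, so a stolen key exposes at most a rotation window."""

    def __init__(self, rotate_every: float = 3600, keep_old: int = 1, now=time.time):
        self.rotate_every, self.keep_old, self.now = rotate_every, keep_old, now
        self.keys = []                    # newest first: (key_name, 32-byte material, created_at)
        self.rotate()

    def rotate(self) -> None:
        self.keys.insert(0, (os.urandom(KEY_NAME_LEN), os.urandom(32), self.now()))
        del self.keys[self.keep_old + 1:]  # drop keys beyond the retention window

    def _rotate_if_due(self) -> None:
        if self.now() - self.keys[0][2] >= self.rotate_every:
            self.rotate()

    def current(self):
        self._rotate_if_due()
        return self.keys[0]

    def lookup(self, key_name: bytes):
        self._rotate_if_due()
        for name, material, _ in self.keys:
            if hmac.compare_digest(name, key_name):
                return material
        return None                       # unknown or retired key: caller does a full handshake


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES (demo assumption).
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal_ticket(ring: TicketKeyRing, session_state: bytes) -> bytes:
    """Ticket layout: key_name || nonce || ciphertext || tag, the tag covering all of the rest."""
    key_name, material, _ = ring.current()
    enc_key, mac_key = material[:16], material[16:]
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(session_state))
    ciphertext = bytes(a ^ b for a, b in zip(session_state, stream))
    body = key_name + nonce + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_ticket(ring: TicketKeyRing, ticket: bytes):
    """Return the session state, or None if the ticket is unknown, retired or tampered with."""
    if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
        return None
    key_name = ticket[:KEY_NAME_LEN]
    nonce = ticket[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
    ciphertext, tag = ticket[KEY_NAME_LEN + NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
    material = ring.lookup(key_name)
    if material is None:
        return None
    enc_key, mac_key = material[:16], material[16:]
    expected = hmac.new(mac_key, ticket[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before decrypting anything
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
```

    Resuming with a ticket sealed before the last retained rotation simply fails closed, which is the behaviour that bounds how far back a leaked ticket key can reach; the retention window (rotate_every times keep_old) is therefore the real limit on the forward secrecy of a ticket-resuming deployment.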

    TLS record[edit]

    This is the general format of all TLS records.

    Content type
    This field identifies the Record Layer Protocol Type contained in this Record.

    Legacy version
    This field identifies the major and minor version of TLS (prior to TLS 1.3) for the contained message. For a ClientHello message, this need not be the highest version supported by the client. In TLS 1.3, this field is fixed at 0x0303 (the TLS 1.2 value) for compatibility with existing middleboxes, and the versions actually supported are carried in a separate ClientHello extension (supported_versions).

    Length
    The length of the “protocol message(s)”, “MAC” and “padding” fields combined (i.e. the record length minus the 5-byte header), not to exceed 2^14 bytes (16 KiB).
    Protocol message(s)
    One or more messages identified by the Content type field. Note that this field may be encrypted depending on the state of the connection.
    MAC and padding
    A message authentication code computed over the “protocol message(s)” field, with additional key material included. Note that this field may be encrypted, or not included at all, depending on the state of the connection.
    No “MAC” or “padding” fields can be present at the end of TLS records before all cipher algorithms and parameters have been negotiated in the handshake and then confirmed by sending a ChangeCipherSpec record (see below), which signals that these parameters take effect in all further records sent by the same peer.

    Handshake protocol[edit]

    Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).

    Message type
    This field identifies the handshake message type.

    Handshake message data length
    This is a 3-byte field indicating the length of the handshake data, not including the header.

    Note that multiple handshake messages may be combined within one record.

    Alert protocol[edit]

    This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

    Level
    This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).
    Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).

    Description
    This field identifies which type of alert is being sent.

    ChangeCipherSpec protocol[edit]

    CCS protocol type
    Currently only 1.

    Application protocol[edit]

    Length
    Length of application data (excluding the protocol header and including the MAC and padding trailers)
    MAC
    32 bytes for the SHA-256-based HMAC, 20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.
    Padding
    Variable length; last byte contains the padding length.
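    The record, handshake and alert formats described in this section, together with the first message of the Basic TLS handshake above, as an added example (illustrative code written for this article, not from any TLS library). It builds a handshake record carrying a TLS 1.2 ClientHello with an empty session ID and a server_name extension, then parses the 5-byte record header, the 4-byte handshake header and the ClientHello body back out, enforcing the 2^14-byte fragment limit; it also parses a two-byte alert. The cipher suite values, the host name and the alert bytes in the test are constructed inputs. The record-layer version of 0x0301 on the first flight is a common compatibility convention, not a requirement.

```python
"""Build and parse TLS 1.2 records: a handshake record carrying a ClientHello with SNI, and an
alert record. Exercises the header fields described in this section."""
import os
import struct

MAX_FRAGMENT = 1 << 14   # plaintext fragment limit, RFC 5246 section 6.2.1
CONTENT_CHANGE_CIPHER_SPEC, CONTENT_ALERT, CONTENT_HANDSHAKE, CONTENT_APPLICATION = 20, 21, 22, 23
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0      # server_name extension type (RFC 6066)
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def build_record(content_type: int, version: bytes, payload: bytes) -> bytes:
    """5-byte header (type, version, length) followed by the fragment."""
    if len(payload) > MAX_FRAGMENT:
        raise ValueError("record payload exceeds 2^14 bytes")
    return struct.pack("!B2sH", content_type, version, len(payload)) + payload


def build_client_hello(server_name: str, cipher_suites, client_random: bytes = None) -> bytes:
    """Handshake record holding a TLS 1.2 ClientHello with empty session ID and an SNI extension."""
    client_random = client_random or os.urandom(32)
    host = server_name.encode("idna")
    name_list = struct.pack("!BH", 0, len(host)) + host             # one host_name (type 0) entry
    sni_body = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + client_random                              # client_version, random
            + b"\x00"                                                # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return build_record(CONTENT_HANDSHAKE, b"\x03\x01", handshake)


def parse_record(data: bytes) -> dict:
    """Split one record off the front of a byte stream, enforcing the header's length field."""
    if len(data) < 5:
        raise ValueError("short record header")
    content_type, version, length = struct.unpack("!B2sH", data[:5])
    if length > MAX_FRAGMENT:
        raise ValueError("record length exceeds 2^14 bytes")
    if len(data) < 5 + length:
        raise ValueError("truncated record")
    return {"content_type": content_type, "version": version,
            "payload": data[5:5 + length], "rest": data[5 + length:]}


def parse_client_hello(handshake: bytes) -> dict:
    """Parse the 4-byte handshake header and the ClientHello body, extracting the SNI host name."""
    msg_type, length = handshake[0], int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if msg_type != HANDSHAKE_CLIENT_HELLO or len(body) != length:
        raise ValueError("not a complete ClientHello")
    pos = 34                                                         # 2-byte version + 32-byte random
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                                             # skip compression methods
    extensions, server_name = {}, None
    if pos < len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[ext_type] = body[pos:pos + elen]
            pos += elen
    if EXT_SERVER_NAME in extensions:
        ext = extensions[EXT_SERVER_NAME]
        (list_len,) = struct.unpack("!H", ext[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", ext[p:p + 3])
            p += 3
            if name_type == 0:                                       # host_name, sent in clear text
                server_name = ext[p:p + name_len].decode("idna")
            p += name_len
    return {"version": body[:2], "random": body[2:34], "session_id": session_id,
            "cipher_suites": suites, "extensions": sorted(extensions), "server_name": server_name}


def parse_alert(payload: bytes) -> dict:
    """Alert records are exactly two bytes: level and description (description 0 is close_notify)."""
    if len(payload) != 2:
        raise ValueError("malformed alert")
    level, description = payload
    return {"level": ALERT_LEVELS.get(level, level), "description": description,
            "close_notify": description == 0}
```

    Because parse_record trusts nothing beyond the five header bytes it has actually received, an over-long length field or a record cut short by the network is rejected before any handshake parsing begins; the same check is what keeps a single record from being used to smuggle more than 2^14 bytes into the handshake parser.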

    Support for name-based virtual servers[edit]

    From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the application protocol can start. In the name-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

    There are two known workarounds provided by X.509:

    • If all virtual servers belong to the same domain, a wildcard certificate can be used.[290] Besides the loose host-name matching, which may or may not be acceptable, there is no common agreement about how to match wildcard certificates. Different rules are applied depending on the application protocol or software used.[291]
    • Add every virtual host name in the subjectAltName extension. The major problem being that the certificate needs to be reissued whenever a new virtual server is added.

    To provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allows clients to include a Server Name Indication extension (SNI) in the extended ClientHello message. This extension tells the server, at the very start of the handshake, which host name the client wishes to connect to, so the server can select the appropriate certificate to send. Because it precedes any key exchange, the host name is sent in clear text.

    RFC 2817 also documents a method to implement name-based virtual hosting by upgrading HTTP to TLS via an HTTP/1.1 Upgrade header. Normally this is to securely implement HTTP over TLS within the main “http” URI scheme (which avoids forking the URI space and reduces the number of used ports); however, few implementations currently support this.

    Standards[edit]

    Primary standards[edit]

    The current approved version of TLS is version 1.2, which is specified in:

    • RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2”.

    The current standard replaces these former versions, which are now considered obsolete:

    • RFC 2246: “The TLS Protocol Version 1.0”.
    • RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.

    As well as the never standardized SSL 2.0 and 3.0, which are considered obsolete:

    • Internet Draft (1995), SSL Version 2.0
    • RFC 6101: “The Secure Sockets Layer (SSL) Protocol Version 3.0”.

    Extensions[edit]

    Other RFCs subsequently extended TLS.

    Extensions to TLS 1.0 include:

    • RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
    • RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have already been assigned.
    • RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
    • RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different ‘server port’.
    • RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
    • RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers.
    • RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
    • RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compression methods and the DEFLATE compression method.
    • RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.
    • RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.
    • RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.
    • RFC 4217: “Securing FTP with TLS”.
    • RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new cipher suites for the TLS protocol to support authentication based on pre-shared keys.

    Extensions to TLS 1.1 include:

    • RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols (such as UDP).
    • RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions and a generic extension mechanism.
    • RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
    • RFC 4680: “TLS Handshake Message for Supplemental Data”.
    • RFC 4681: “TLS User Mapping Extension”.
    • RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.
    • RFC 5054: “Using the Secure Remote Password (SRP) Protocol for TLS Authentication”. Defines the TLS-SRP ciphersuites.
    • RFC 5077: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.
    • RFC 5081: “Using OpenPGP Keys for Transport Layer Security (TLS) Authentication”, obsoleted by RFC 6091.

    Extensions to TLS 1.2 include:

    • RFC 5288: “AES Galois Counter Mode (GCM) Cipher Suites for TLS”.
    • RFC 5289: “TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)”.
    • RFC 5746: “Transport Layer Security (TLS) Renegotiation Indication Extension”.
    • RFC 5878: “Transport Layer Security (TLS) Authorization Extensions”.
    • RFC 5932: “Camellia Cipher Suites for TLS”
    • RFC 6066: “Transport Layer Security (TLS) Extensions: Extension Definitions”, includes Server Name Indication and OCSP stapling.
    • RFC 6091: “Using OpenPGP Keys for Transport Layer Security (TLS) Authentication”.
    • RFC 6176: “Prohibiting Secure Sockets Layer (SSL) Version 2.0”.
    • RFC 6209: “Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)”.
    • RFC 6347: “Datagram Transport Layer Security Version 1.2”.
    • RFC 6367: “Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)”.
    • RFC 6460: “Suite B Profile for Transport Layer Security (TLS)”.
    • RFC 6655: “AES-CCM Cipher Suites for Transport Layer Security (TLS)”.
    • RFC 7027: “Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)”.
    • RFC 7251: “AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS”.
    • RFC 7301: “Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension”.
    • RFC 7366: “Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)”.
    • RFC 7465: “Prohibiting RC4 Cipher Suites”.
    • RFC 7507: “TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks”.
    • RFC 7568: “Deprecating Secure Sockets Layer Version 3.0”.
    • RFC 7627: “Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension”.
    • RFC 7685: “A Transport Layer Security (TLS) ClientHello Padding Extension”.

    Encapsulations of TLS include:

    • RFC 5216: “The EAP-TLS Authentication Protocol”

    Informational RFCs[edit]

    • RFC 7457: “Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)”
    • RFC 7525: “Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)”

    See also[edit]

    • Cryptography portal
    • Application-Layer Protocol Negotiation – a TLS extension used for SPDY and TLS False Start
    • Bullrun (decryption program) – a secret anti-encryption program run by the U.S. National Security Agency
    • CECPQ1 – a post-quantum cipher for Transport Layer Security
    • Key ring file
    • Multiplexed Transport Layer Security
    • Obfuscated TCP
    • QUIC (Quick UDP Internet Connections) – “…was designed to provide security protection equivalent to TLS/SSL”; QUIC’s main goal is to improve perceived performance of connection-oriented web applications that are currently using TCP
    • RdRand
    • Server-Gated Cryptography
    • SSL acceleration
    • tcpcrypt
    • Transport Layer Security Channel ID – a proposed protocol extension that improves web browser security via self-signed browser certificates
    • Wireless Transport Layer Security
    • HTTP Strict Transport Security – HSTS

  • ^ Barnes, Richard (Sep 1, 2015). “Intent to ship: RC4 disabled by default in Firefox 44”. Archived from the original on 2011-01-22. 
  • ^ a b John Leyden (1 August 2013). “Gmail, Outlook.com and e-voting ‘pwned’ on stage in crypto-dodge hack”. The Register. Archived from the original on 1 August 2013. Retrieved 1 August 2013. 
  • ^ “BlackHat USA Briefings”. Black Hat 2013. Archived from the original on 30 July 2013. Retrieved 1 August 2013. 
  • ^ Smyth, Ben; Pironti, Alfredo (2013). “Truncating TLS Connections to Violate Beliefs in Web Applications”. 7th USENIX Workshop on Offensive Technologies. Archived from the original on 6 November 2015. Retrieved 15 February 2016. 
  • ^ Goodin, Dan. “New attack bypasses HTTPS protection on Macs, Windows, and Linux”. Ars Technica. Condé Nast. Archived from the original on 27 July 2016. Retrieved 28 July 2016. 
  • ^ Goodin, Dan (August 24, 2016). “HTTPS and OpenVPN face new attack that can decrypt secret cookies”. Ars Technica. Archived from the original on August 24, 2016. Retrieved August 24, 2016. 
  • ^ “Why is it called the ‘Heartbleed Bug’?”. The Washington Post. 2014-04-09. Archived from the original on 2014-10-09. 
  • ^ “Heartbleed Bug vulnerability [9 April 2014]”. Comodo Group. Archived from the original on 5 July 2014. 
  • ^ Bleichenbacher, Daniel (August 2006). “Bleichenbacher’s RSA signature forgery based on implementation error”. Archived from the original on 2014-12-16. 
  • ^ “BERserk”. Intel Security: Advanced Threat Research. September 2014. Archived from the original on 2015-01-12. 
  • ^ Goodin, Dan (February 19, 2015). “Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections”. Ars Technica. Archived from the original on September 12, 2017. Retrieved December 10, 2017. 
  • ^ Valsorda, Filippo (2015-02-20). “Komodia/Superfish SSL validation is broken”. Filippo.io. Archived from the original on 2015-02-24. 
  • ^ a b Goodin, Dan. “”Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering”. Ars Technica. Archived from the original on 26 May 2016. Retrieved 26 May 2016. 
  • ^ Clark Estes, Adam. “Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster”. Gizmodo. Archived from the original on 2017-02-25. Retrieved 2017-02-24. 
  • ^ Diffie, Whitfield; van Oorschot, Paul C; Wiener, Michael J. (June 1992). “Authentication and Authenticated Key Exchanges”. Designs, Codes and Cryptography. 2 (2): 107–125. doi:10.1007/BF00124891. Archived from the original on 2008-03-13. Retrieved 2008-02-11. 
  • ^ Discussion on the TLS mailing list in October 2007 Archived 2013-09-22 at the Wayback Machine.
  • ^ “Protecting data for the long term with forward secrecy”. Archived from the original on 2013-05-06. Retrieved 2012-11-05. 
  • ^ Bernat, Vincent. “SSL/TLS & Perfect Forward Secrecy”. Archived from the original on 2012-08-27. Retrieved 2012-11-05. 
  • ^ “SSL Labs: Deploying Forward Secrecy”. Qualys.com. 2013-06-25. Archived from the original on 2013-06-26. Retrieved 2013-07-10. 
  • ^ Ristic, Ivan (2013-08-05). “SSL Labs: Deploying Forward Secrecy”. Qualsys. Archived from the original on 2013-09-20. Retrieved 2013-08-31. 
  • ^ a b Langley, Adam (27 June 2013). “How to botch TLS forward secrecy”. imperialviolet.org. Archived from the original on 8 August 2013. 
  • ^ a b Daignière, Florent. “TLS “Secrets”: Whitepaper presenting the security implications of the deployment of session tickets (RFC 5077) as implemented in OpenSSL” (PDF). Matta Consulting Limited. Archived (PDF) from the original on 6 August 2013. Retrieved 7 August 2013. 
  • ^ a b Daignière, Florent. “TLS “Secrets”: What everyone forgot to tell you…” (PDF). Matta Consulting Limited. Archived (PDF) from the original on 5 August 2013. Retrieved 7 August 2013. 
  • ^ L.S. Huang; S. Adhikarla; D. Boneh; C. Jackson (2014). “An Experimental Study of TLS Forward Secrecy Deployments”. IEEE Internet Computing. IEEE. 18 (6): 43–51. Archived from the original on 20 September 2015. Retrieved 16 October 2015. 
  • ^ “Protecting data for the long term with forward secrecy”. Google. Archived from the original on 2014-02-12. Retrieved 2014-03-07. 
  • ^ Hoffman-Andrews, Jacob. “Forward Secrecy at Twitter”. Twitter. Archived from the original on 2014-02-16. Retrieved 2014-03-07. 
  • ^ “Certificate Pinning (Warning: The link is broken)” Archived 2013-12-27 at the Wayback Machine..
  • ^ “Public key pinning released in Firefox” Archived 2014-12-04 at the Wayback Machine.
  • ^ Perspectives Project Archived 2014-03-06 at the Wayback Machine.
  • ^ https://github.com/danwent/Perspectives/issues/177 Archived 2018-03-30 at the Wayback Machine.
  • ^ DNSChain Archived 2015-02-19 at the Wayback Machine.
  • ^ “10 Online Tool to Test SSL, TLS and Latest Vulnerability”. Geek Flare. 2015-02-14. Retrieved 2018-03-26. 
  • ^ a b These certificates are currently X.509, but RFC 6091 also specifies the use of OpenPGP-based certificates.
  • ^ Chris (2009-02-18). “vsftpd-2.1.0 released – Using TLS session resume for FTPS data connection authentication”. Scarybeastsecurity. blogspot.com. Archived from the original on 2012-07-07. Retrieved 2012-05-17. 
  • ^ Wildcard SSL Certificate overview, archived from the original on 2015-06-23, retrieved 2015-07-02 
  • ^ Named-based SSL virtual hosts: how to tackle the problem (PDF), archived (PDF) from the original on 2012-08-03, retrieved 2012-05-17 
  • Further reading[edit]

    • Wagner, David; Schneier, Bruce (November 1996). “Analysis of the SSL 3.0 Protocol” (PDF). The Second USENIX Workshop on Electronic Commerce Proceedings. USENIX Press. pp. 29–40. 
    • Eric Rescorla (2001). SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub Co. ISBN 0-201-61598-3. 
    • Stephen A. Thomas (2000). SSL and TLS essentials securing the Web. New York: Wiley. ISBN 0-471-38354-6. 
    • Bard, Gregory (2006). “A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL”. International Association for Cryptologic Research (136). Retrieved 2011-09-23. 
    • Canvel, Brice. “Password Interception in a SSL/TLS Channel”. Retrieved 2007-04-20. 
    • IETF Multiple Authors. “RFC of change for TLS Renegotiation”. Retrieved 2009-12-11. 
    • Creating VPNs with IPsec and SSL/TLS Linux Journal article by Rami Rosen
    • Polk, Tim; McKay, Kerry; Chokhani, Santosh (April 2014). “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations” (PDF). National Institute of Standards and Technology. Archived from the original (PDF) on 2014-05-08. Retrieved 2014-05-07. 
    • Abdou, AbdelRahman; van Oorschot, Paul (August 2017). “Server Location Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication”. Transactions on Privacy and Security. ACM. 

    External links[edit]

    Specifications (see § Standards section for older SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 links)

    • The Transport Layer Security (TLS) Protocol Version 1.2 RFC 5246
    • IETF (Internet Engineering Task Force) TLS Workgroup

    TLS version intolerance

    • TLS version intolerance
    • TLS 1.3 and Version Intolerance

    Other

    • OWASP: Transport Layer Protection Cheat Sheet
    • A talk on SSL/TLS that tries to explain things in terms that people might understand.
    • SSL: Foundation for Web Security
    • TLS Renegotiation Vulnerability – IETF Tools
    • Trustworthy Internet Movement – SSL Pulse – Survey of TLS/SSL implementation of the most popular websites
    • How to Generate CSR for SSL
    • How TLS Handshake works in browser

    This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the “relicensing” terms of the GFDL, version 1.3 or later.



    Require Private Detectives

    Private detectives, also referred to as private investigators, help the public, companies, legal and insurance firms and other organizations obtain private information, locate a particular individual, or investigate fraud and various other kinds of crime. Individuals and large corporate organizations in metro cities usually call on private detectives to obtain confidential facts and details relating to a fraud, scam or suspicious matter, so that they can make the best decision in their own interest. It therefore becomes important to hire the services of private detectives, not only because they are professionals at handling complicated investigations, but because hiring them brings many other benefits, which are listed as follows:

    Work Individualism

    There are some cases in which more than one private detective is required, but other cases need the involvement of only a single private investigator. Such private detectives work independently for their clients, so the commitment and dedication to obtaining the right information promptly is greater when you hire the services of an individual investigator.

    Better Devotion and Assistance

    Hiring the services of a single private investigator means that the client can rest assured of receiving the best service, with increased dedication and support. An individual private detective's performance is often better than that of a team of detectives when it comes to obtaining confidential information connected with a fraud or scam, locating a missing person's whereabouts, investigating fraudulent insurance claims, loyalty checks and background verification.

    Improved Enthusiasm

    When it comes to resolving even the most complex cases, it is often observed that individual undercover agents or detectives work with more interest and enthusiasm. They usually work every angle of a case to solve it more effectively. Most independent detectives enjoy the thrill of working with complete strangers and regard that excitement as a perquisite of their career.

    Expertise

    Most private investigators who work independently have undergone rigorous training to handle cases well. Many of them hold degrees in police and justice science which, apart from their experience, are an added asset to their profession. Taking their services can therefore help you obtain more professional private investigator services.

    Apart from these advantages, most private investigators and detectives are technologically advanced, with the latest surveillance equipment and methods, which makes them an ideal choice for both individuals and corporate clients.