Ciphers in HTTPS
The most common question in an information security assessment is:
"Are you using strong ciphers?"
Many IT professionals answer it in binary, yes or no, but they sometimes don't understand what a cipher actually is or how it gets classified as strong or weak. Sometimes people even confuse ciphers with TLS versions. I remember one audit where I asked the question
"Do you have strong ciphers in place?" and the answer was: "YES, we have TLS 1.2 in place."
TLS 1.2 is a protocol, not a cipher. A protocol version defines the message formats and the handshake: how the two sides negotiate, which fields each record carries, and which cipher suites may be negotiated at all. HTTPS is simply HTTP over TLS, so if you are using TLS 1.2 you are using HTTP over TLS 1.2. Compared with SSL 3.0 and TLS 1.0/1.1, TLS 1.2 adds protocol fields and fixes protocol-level weaknesses, but the version number alone does not decide how the payload is protected: a TLS 1.2 server can still be configured to offer cipher suites based on RC4, 3DES, or even NULL (no encryption). Remember that the protocol is just the carrier of headers and payload (data); fixing protocol weaknesses does not by itself guarantee that the data inside the payload is protected. (TLS 1.3 is stricter here: it only permits AEAD cipher suites with ephemeral key exchange, so "TLS 1.3 only" says far more about cipher strength than "TLS 1.2" does.)
How vulnerable is my data in the payload inside TLS 1.2?
The security of your data depends on the cipher suite that is negotiated. A secure HTTPS connection between client and server has several components:
Certificate – the X.509 certificate (RSA or ECDSA) that carries the server's identity and public key
Protocol support – the TLS version; TLS 1.2 and above is considered secure, while SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated
Kex (key exchange) – how the session key is established (static RSA, DHE, or ECDHE); only the ephemeral DHE/ECDHE variants provide forward secrecy, so a recorded session cannot be decrypted later if the server's private key leaks
Cipher strength – the symmetric algorithm and mode used to encrypt the payload (for example AES-GCM or ChaCha20-Poly1305 versus RC4 or 3DES), together with the integrity mechanism (HMAC or AEAD)
Encrypting the data in the payload needs two things: a secret key and an algorithm. The key is a symmetric session key established during the handshake, not the private key belonging to the certificate; the certificate's key pair is used to authenticate the server and (depending on the key exchange) to help agree on the session key. Several algorithms are possible, and whichever one the negotiated cipher suite selects uses that session key to encrypt the payload.
What if a weak algorithm is chosen for payload encryption? Will the data still be safe?
But wait, the basic question is: how do we know whether a particular algorithm is weak? Simply put, an algorithm is considered weak when it has been cracked in the past, meaning there is a known, practical way to recover the plaintext or the key without possessing the decryption key (faster than trying every key), or when its key or block size is so small that trying every key, or collecting enough traffic, is itself feasible.
Any lock is considered safe as long as no one has broken it, right?
All encryption algorithms are essentially complex mathematical functions. Each was considered safe when it was introduced, but cryptanalysis eventually broke some of them, and those are now classified as weak and should be disabled in any properly configured TLS stack (RC4, DES, export-grade suites, and NULL ciphers are the classic examples).
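To make the components above and the strong/weak distinction concrete, here is an added example in Python's standard library; it is not code from the original post. It splits an IANA cipher-suite name into the parts listed above (key exchange, authentication, bulk cipher, MAC), rates it as strong, legacy, or weak according to a policy that is this example's own (NULL, export-grade, anonymous, RC4, DES/3DES, and MD5 count as weak; CBC mode and non-forward-secret key exchange count as legacy), and then builds a client `ssl.SSLContext` that requires TLS 1.2 or newer but offers only AEAD, forward-secret suites, showing via `get_ciphers()` that the cipher policy is a setting separate from the protocol version. The suite names are real IANA names; the `SAMPLE_SUITES` list is constructed for the example.

```python
"""Rate TLS cipher suites by their components, then pin a hardened policy.

Added example, not code from the original post. The strong/legacy/weak
policy here is this example's own, not a standard.
"""
import ssl

# Bulk-cipher families a practitioner should flag, with the reason reported.
WEAK_BULK = {
    "NULL": "NULL cipher: payload is not encrypted at all",
    "RC4": "RC4: keystream biases, prohibited by RFC 7465",
    "DES": "DES: 56-bit key (or 40-bit export variant), brute-forceable",
    "3DES": "3DES: 64-bit block size (Sweet32-class attacks)",
}
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK", "anon"}


def parse_suite(name: str) -> dict:
    """Split TLS_<KEX>[_<AUTH>][_EXPORT]_WITH_<BULK>_<MAC> into its parts.

    Static-RSA suites (TLS_RSA_WITH_...) carry no separate auth token:
    the server's RSA key both authenticates and transports the session key.
    """
    left, sep, right = name.partition("_WITH_")
    if not sep or not left.startswith("TLS_"):
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {name}")
    left_tokens = left.split("_")[1:]          # drop the leading "TLS"
    export = "EXPORT" in left_tokens
    left_tokens = [t for t in left_tokens if t != "EXPORT"]
    kex = left_tokens[0]
    auth = left_tokens[1] if len(left_tokens) > 1 and left_tokens[1] in AUTH_TOKENS else kex
    right_tokens = right.split("_")
    mac = right_tokens[-1]      # "SHA" = HMAC-SHA1; for AEAD suites this is the PRF hash
    bulk = "_".join(right_tokens[:-1])
    return {"kex": kex, "auth": auth, "bulk": bulk, "mac": mac, "export": export}


def rate_suite(name: str) -> dict:
    """Return the parsed parts plus a verdict and the findings behind it."""
    p = parse_suite(name)
    weak, legacy = [], []
    family = p["bulk"].split("_")[0]
    if family.startswith("DES"):               # DES_CBC and DES40_CBC alike
        family = "DES"
    if family in WEAK_BULK:
        weak.append(WEAK_BULK[family])
    elif "CBC" in p["bulk"]:
        legacy.append("CBC mode with MAC-then-encrypt (padding-oracle history)")
    if p["export"]:
        weak.append("export-grade key length")
    if p["auth"] == "anon":
        weak.append("anonymous suite: server is not authenticated")
    if p["mac"] == "MD5":
        weak.append("MD5-based MAC")
    if p["kex"] not in FORWARD_SECRET_KEX:
        legacy.append(f"{p['kex']} key exchange: no forward secrecy")
    verdict = "weak" if weak else "legacy" if legacy else "strong"
    return {"suite": name, **p, "verdict": verdict, "findings": weak + legacy}


def hardened_client_context() -> ssl.SSLContext:
    """The version floor and the cipher list are separate knobs.

    minimum_version alone would still let OpenSSL offer static-RSA CBC suites
    under TLS 1.2; set_ciphers() is what removes them. TLS 1.3 suites are
    always AEAD with ephemeral key exchange and stay enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> list:
    """OpenSSL names of the suites this context would put in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def all_aead(ctx: ssl.SSLContext) -> bool:
    return all(c["aead"] for c in ctx.get_ciphers())


# Constructed sample: the kind of list a scanner reports for a TLS 1.2 server.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        r = rate_suite(suite)
        print(f"{r['verdict']:7} {suite}")
        for finding in r["findings"]:
            print(f"         - {finding}")
    ctx = hardened_client_context()
    print("hardened context offers:", ", ".join(offered_suites(ctx)))
    print("all offered suites are AEAD:", all_aead(ctx))
```

The point of the last three functions is the audit check itself: instead of asking "what TLS version?", list what the stack will actually offer and confirm every entry is AEAD with ECDHE (or a TLS 1.3 suite). The same `set_ciphers()` string, or its equivalent in a web server's `ssl_ciphers`/`SSLCipherSuite` directive, is what turns a "TLS 1.2" answer into a "strong ciphers" answer.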