
Ciphers in HTTPS

The most common question in an information security assessment is

Are you using strong ciphers?

Many IT professionals answer it in binary, yes or no, but they sometimes do not understand what this cipher thing actually is or how it ends up in the strong or weak category. People even confuse ciphers with TLS versions. I remember one audit where I asked a question:

“Do you have strong ciphers in place?” and the answer was YES, we have TLS 1.2 in place.

TLS 1.2 is a protocol, not a cipher. TLS 1.2 is a framework of messages, or you could say an arrangement of information inside the packet. HTTPS is actually HTTP over TLS, and if you use TLS 1.2 that means you are using HTTP over TLS 1.2. TLS 1.2 supports more protocol fields and provides protection against protocol weaknesses. Remember that a protocol is just a carrier of headers and a payload (data); adding more fields to the headers can protect against protocol weaknesses, but it cannot ensure the protection of the data present in the payload.

How vulnerable is my data in the payload inside TLS 1.2?

The security of your data depends on the cipher used. There are several components in a secure HTTPS connection between client and server:

Certificate – the RSA certificate that holds the server's identity and public key

Protocol support – the TLS protocol; TLS 1.2 and above is secure

Kex (key exchange) – establishment of the secret/private key

Cipher strength – the algorithm used to encrypt the payload

Encrypting the data in the payload needs two things: a secret/private key and an algorithm. There are multiple algorithms, any one of which can be used; the chosen algorithm takes the secret key and encrypts the payload.

What if a weak algorithm is chosen for payload encryption? Will the data remain safe then?

But wait, the basic question here is: how do we know whether a particular algorithm is weak or not? Very simple: an algorithm that has been cracked in the past, meaning someone was able to decrypt the data without obtaining the decryption key.

Any lock is considered safe as long as no one has broken it, right?

All encryption algorithms are basically complex mathematical functions. All of them were considered safe initially, but some have since been cracked, and cracked algorithms are now considered weak.
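To make the component list above and the "cracked in the past" criterion concrete, here is an added example (not from the original post) that splits an IANA cipher-suite name into key exchange, authentication, bulk cipher and integrity algorithm, and flags the ones with known practical breaks. The weak lists are the example's own assumption, kept short on purpose; note that a strong and a weak suite can both be negotiated under the same TLS 1.2 version.

```python
from dataclasses import dataclass, field

# Algorithms this example treats as weak: each has a public, practical break or a
# deliberately small key. The lists are the example's assumption, not the post's.
WEAK_BULK = {"NULL", "RC4", "RC2", "DES", "3DES", "IDEA"}
WEAK_MAC = {"MD5", "NULL"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

@dataclass
class Suite:
    name: str
    kex: str          # key establishment, e.g. ECDHE (the post's "Kex")
    auth: str         # server authentication, e.g. RSA or ECDSA (the certificate)
    bulk: str         # payload cipher, e.g. AES_128_GCM (the post's "cipher strength")
    mac: str          # integrity: an HMAC hash, or AEAD when the cipher provides it
    weak_reasons: list = field(default_factory=list)

def parse_suite(name: str) -> Suite:
    """TLS 1.2 and earlier: TLS_<KEX>_<AUTH>_WITH_<BULK>_<MAC>. TLS 1.3 names such
    as TLS_AES_128_GCM_SHA256 carry no key exchange; it is negotiated separately."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" in body:
        kex_part, rest = body.split("_WITH_", 1)
        tokens = kex_part.split("_")
        export = "EXPORT" in tokens            # 40/56-bit export-grade suites
        tokens = [t for t in tokens if t != "EXPORT"]
        kex, auth = tokens[0], tokens[-1]      # "RSA" alone means RSA for both
    else:
        kex = auth = "TLS1.3"
        rest, export = body, False
    bulk, _, mac = rest.rpartition("_")
    if any(m in bulk for m in AEAD_MARKERS):
        mac = "AEAD"   # the trailing SHA256/SHA384 is the PRF hash, not an HMAC
    suite = Suite(name, kex, auth, bulk, mac)
    algo, *params = bulk.split("_")
    if auth == "anon":
        suite.weak_reasons.append("anonymous key exchange: server not authenticated")
    if export:
        suite.weak_reasons.append("export-grade key length")
    if algo in WEAK_BULK:
        suite.weak_reasons.append(f"broken bulk cipher {algo}")
    if any(p.isdigit() and int(p) < 128 for p in params):
        suite.weak_reasons.append("bulk key shorter than 128 bits")
    if mac in WEAK_MAC:
        suite.weak_reasons.append(f"weak integrity algorithm {mac}")
    return suite

def is_strong(name: str) -> bool:
    """True when no component of the suite is on the weak lists above."""
    return not parse_suite(name).weak_reasons
```

Running `parse_suite` over the suites a server advertises (for example from a scanner's output) answers the audit question per component, rather than with the protocol version alone.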
