Over a million developers have joined DZone.

A Look Under the (TLS) Hood

DZone's Guide to

A Look Under the (TLS) Hood

While TLS is certainly an improvement over SSL, it's still not infallible (or really anywhere close to it). Learn what types of data TLS does, and doesn't, protect.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

TLS v.1.2 is the defacto standard for encrypted communications today. There are other protocols, like IPSEC, or even TLS v.1.3, but TLS v.1.2 is the default choice for web browsers at this point. And this makes it the most widely distributed encryption protocol ever.

So let's take a look inside a TLS v.1.2 packet.

Now, keep in mind, this is not an overview of the protocol itself, which features all kinds of neat stuff like certificate authentication, key exchange, and protocol negotiation. This is us disassembling an HTTPS packet to see what's protected and what isn't.

So just for fun, I loaded Slashdot's front page. And I did it while running Wireshark on my network interface, and I was able to capture this:

Image title

This is a TLS v.1.2 protected application data packet. In other words, a data packet that contains encrypted HTTP data. Now, there's lots of data here, but very little of it is actually encrypted:

Image title

927 bytes of the data is actually encrypted, in fact. Now, that's better than nothing, but it doesn't keep your internet use, or you, nearly as private as you'd expect.

Now, there's lots of metadata in this collected packet, but we can extract tons of interesting information just from what we see here. Just like your ISP can.

First, I can see the kind of computer I'm using - an Apple MacBook Pro. I can also tell that I'm browsing on a Technicolor modem/router based on the first three octets of the destination ethernet address. Technicolor equipment is commonly used by ISPs, particularly Time-Warner cable.

I can also see that I'm visiting Slashdot, and I can see the MAC address of the host I'm visiting from.

I can see ephemeral port numbers, the port at Slashdot I'm connecting to, and deep in the frame header (if I decide to cheat a bit), I can see the epoch time.

So from this, I can extract what site you visited, when you visited it, the workstation you visited from (via the MAC address), and how long you stayed there (via sequence numbers or traffic capture). This is actually a lot of interesting information.

If I'm a large ISP, I can tell what computers you're using to visit the internet. I can associate devices with your home, if you have home service with me, via MAC address as you're very unlikely to change this, even though you can. Then, I can tell what you're looking at whenever you're online. I can tell if you're accessing the internet when you're driving. I can tell what you're looking at when you're shopping. I can profile your interests - do you go to Bass Pro Shops or Lands End? Do you visit CNN or Fox News? Are you spending more time than you used to on Reddit late at night? Is your ISP the same as your mobile provider? Then I know everywhere you've gone too. I can track your traffic through the cell towers I manage.

I may not be able to tell what you're buying from Land's End, but those specifics may not be as important as the fact that you're there in the first place. So TLS may be better than nothing, but maybe not as much as we thought.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

tls ,security ,web security ,network security ,data security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}