How secure is SSL/TLS, explained in layman's terms?

While trying to answer this question it occurred to me that while there are many good answers about the strengths and weaknesses of SSL/TLS in terms a security professional or software developer can understand, there are not many good responses that a layman might be able to properly understand.

For instance, we describe some variants of TLS/SSL as “insecure”, which in the security world has a somewhat specialized meaning that might be summarized as “There are some known vulnerabilities that significantly degrade the security, and you should likely disable this variant on your servers.” A layman might interpret “insecure” as “simple to exploit”, which isn’t necessarily true.

So can someone provide a good layman’s explanation as to the current security level offered by SSL/TLS? The answer should include the resources of the attacker, the effort, resources, and access involved, and (possibly) the cost.

The answer might also include other ways to achieve the same goal without attacking SSL/TLS, and risks we all take for granted every day. (My credit card, for instance, was compromised and used for fraud last year when Newegg got hacked)

WP Mail SMTP: What do the SSL/TLS options mean?

When setting up the WPForms WP Mail SMTP plugin, I got this choice:

(screenshot of the setting, transcribed below)

Encryption: ( ) None ( ) SSL ( ) TLS
For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we recommend using TLS.

What do those options mean? Do they mean (like in normal conversation):

  • SSL = SSLv3
  • TLS = at least TLS 1.0

or do they mean (like in Outlook and some other mail clients):

  • SSL = TLS
  • TLS = STARTTLS

I was assuming the latter, because that is really common with mail stuff.

But if that is the case, why would the plugin recommend to prefer “TLS” (STARTTLS, which is insecure) to “SSL” (TLS, which is safe)?

SSL/TLS Extended Validation implemented in fraudulent domains

People trust green bars, because it is proven not to be of malicious origin.

This seems to be the question of hundreds, and many are concerned about it. Picture this: a team of fraudsters (or at least one) promotes their website to many people using Facebook and Twitter advertising, which can easily be set up in no time. (1)

The fraudsters created a site that looks real, etc., and, as already said, they have a verified EV certificate implemented. In what ways could such a thing be done successfully? How do certificate distributors verify who someone is (if it can be faked)? (2)

Is it safe to use RPC with sensitive data through an encrypted VPN connection instead of SSL/TLS?

I have an application where I’m planning the following setup:

user <-----------------> layer 1 server <------------------> backend server
         internet (https)                    RPC through VPN

So when a user makes a request, it goes through standard SSL/TLS to the layer 1 server; that server then has a program that calls software in another location over the internet, which is connected to the layer 1 server through an OpenVPN connection.

To simplify the design of my application, I’d prefer that the RPC connection be without SSL/TLS. I’m thinking of that VPN connection as a replacement for the security requirements of a TLS encrypted connection. Does this provide the same security level?

The RPC sends user/password data to the server, which it just forwards to the backend server after wrapping it with some other objects.

What are the expected drawbacks from such a design?

How do I fix: SSL/TLS: Report Weak Cipher Suites for Ubuntu Server

I ran a vulnerability scan and I got these results for ports 993, 995, and 5432. I am running Dovecot for POP3S and IMAPS and Postgres for port 5432. I got these results from the vulnerability scan:

Summary: This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with ‘Opportunistic TLS’ and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

Vulnerability Detection Result:

‘Weak’ cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_SEED_CBC_SHA

‘Weak’ cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_SEED_CBC_SHA

‘Weak’ cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_SEED_CBC_SHA

Solution – Solution type: Mitigation. The configuration of this service should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.

Vulnerability Insight: These rules are applied for the evaluation of the cryptographic strength:

  • RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).
  • Ciphers using 64-bit or shorter keys are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000).
  • 1024 bit RSA authentication is considered to be insecure and therefore as weak.
  • Any cipher considered to be secure for only the next 10 years is considered as medium.
  • Any other cipher is considered as strong.

I am new to this kind of thing and I tried looking for a way to fix this vulnerability. I am sure that there is a configuration file I am supposed to change, but I don’t know what to do. I want to figure out how to disable the weak cipher suites for each of these ports. Could someone please help me out?
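An offline way to check a cipher-list change before restarting anything, added here as an example that is not from the scanner, Dovecot or PostgreSQL. Both Dovecot’s `ssl_cipher_list` and PostgreSQL’s `ssl_ciphers` take OpenSSL cipher-list syntax, so expanding a candidate string through Python’s `ssl` module (which uses the same OpenSSL matching) shows exactly which suites the server would offer afterwards. The `HARDENED` string is a constructed, hypothetical hardening choice, not either project’s default; `classify`, `weak_suites` and `expand_cipher_list` are names chosen for this illustration, and the weak-suite rules encode the scan report above plus the SEED suite it actually flagged.

```python
import re
import ssl

# Added example, not from the scanner, Dovecot or PostgreSQL. The cipher string is
# a constructed, hypothetical hardening choice in OpenSSL cipher-list syntax, the
# syntax both Dovecot's ssl_cipher_list and PostgreSQL's ssl_ciphers accept.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!SEED:!RC4:!3DES"

# Rules taken from the scan report: RC4, 64-bit-or-shorter ciphers (single DES,
# RC2, export grades, and NULL, which encrypts nothing), plus SEED because that is
# the suite this scan actually reported. Names are normalised so both OpenSSL
# names (SEED-SHA) and IANA names (TLS_RSA_WITH_SEED_CBC_SHA) match.
WEAK_RULES = [
    (re.compile(r"\bRC4\b"), "RC4 (CVE-2013-2566, CVE-2015-2808)"),
    (re.compile(r"\bSEED\b"), "SEED, reported as weak by the scan"),
    (re.compile(r"(?:^|-)DES-CBC-"), "single DES, 56-bit key"),  # DES-CBC3 (3DES) does not match
    (re.compile(r"\bRC2\b|(?:^|-)EXP(?:ORT)?-"), "export grade, <= 64-bit key"),
    (re.compile(r"\bNULL\b"), "no encryption at all"),
]


def classify(name: str):
    """Return the reason a suite is weak under the scanner's rules, or None."""
    normalised = name.upper().replace("_", "-")
    for pattern, reason in WEAK_RULES:
        if pattern.search(normalised):
            return reason
    return None


def weak_suites(names):
    """Subset of names the scanner would flag, in their original order."""
    return [n for n in names if classify(n) is not None]


def expand_cipher_list(cipher_string: str = HARDENED):
    """Expand an OpenSSL cipher string into the suite names it actually enables.

    This runs the same OpenSSL matching Dovecot and PostgreSQL will use, so it
    answers "what will the server offer after I change the setting?" offline.
    TLS 1.3 suites are always listed by OpenSSL and are not affected by this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed input: the suite from the scan next to a few others for contrast.
    reported = ["TLS_RSA_WITH_SEED_CBC_SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                "RC4-SHA", "DES-CBC3-SHA"]
    for n in reported:
        print(f"{n:40} {classify(n) or 'ok'}")
    enabled = expand_cipher_list()
    print(len(enabled), "suites enabled by HARDENED; weak among them:", weak_suites(enabled))
```

Once the expanded list is clean, put the string into Dovecot’s `ssl_cipher_list` (normally `conf.d/10-ssl.conf`) for ports 993 and 995 and into PostgreSQL’s `ssl_ciphers` in `postgresql.conf` for port 5432, restart both services, and re-run the scan; `openssl s_client -connect host:993 -cipher SEED` should then fail to handshake. The report also shows TLS 1.0 and 1.1 being accepted; that is a separate setting from the cipher list (`ssl_min_protocol` in Dovecot 2.3 and later, `ssl_min_protocol_version` in PostgreSQL 12 and later).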

Could not establish trust relationship for SSL/TLS secure channel

I found a solution to this problem.

The issue was due to the self-signed certificate which I was using for the SharePoint site. When I used the certificate issued specifically to my SharePoint site it worked without any errors.

I saw your solution in the thread below: https://social.msdn.microsoft.com/Forums/expression/en-US/1a32b892-08c6-43e7-b988-667fc6ef1aa3/https-sharepoint-site-with-https-provider-hosted-app-the-remote-certificate-is-invalid-according?forum=sharepointdevelopment

Can you please explain the solution you provided in more detail, because I am getting the same error.