SSL TLS


SSL and TLS are protocols for transferring encrypted information. Since parts of the various SSL protocol versions are considered insecure, TLS is the method of choice today. Unfortunately, TLS offers a complicated set of combinations (cipher suites) of key exchange, authentication, hash function and encryption methods. Depending on the algorithms supported by client and server, and on the server's preference order, one suite is chosen. Because many different client systems may need to communicate with the server, it is often not possible to restrict the server to only very secure cipher suites. For HTTPS servers, compatibility with various operating systems and browsers can be tested at Qualys SSL Labs.

Another issue, on the client side, is that the certificate presented by the server must be checked for authenticity. This is usually done by checking with a certificate authority (CA) that verifies the URL and the certificate id. To make this possible, the server needs a certificate from that CA, which usually comes with annual fees. There are some free CAs such as CAcert, StartSSL and Let's Encrypt (LE). Free certificates are often not trusted by many operating systems and browsers, because those have not included the CA's root certificates. Furthermore, free certificates are often not available for subdomains, which is the most common case for free domain names. In the case of LE, the certificates are cross-checked with IdenTrust, which is widely accepted, and subdomains are available. One limitation of LE is that no more than 5 certificates are available per 7 days for one domain. So again, subdomains are not a good choice for LE, since it is very probable that many people using the same free subdomain provider also use LE. Furthermore, LE certificates are only valid for a few months, so you will keep running into this limit whenever you want to renew a certificate for such a domain.

Fortunately, there is a list of public suffixes that contains many providers of free subdomains, and LE uses this list to lift this limit (more precisely: to move it to the subdomain level). Therefore, I recommend using a public suffix from a provider on that list together with LE in order to have full compatibility. Furthermore, LE comes with client software that can install the certificate and, in many cases, set secure cipher suites.
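The effect of the public suffix list on the per-domain limit, as an added example that is not code from the page or from the LE client: it derives the registered domain (public suffix plus one label) for a hostname from a constructed excerpt of the list and counts how many certificates in a constructed issuance log would be charged against that domain within the 7-day window. The provider suffix dyn.example, the log entries and the dates are assumptions.

```python
from datetime import datetime, timedelta

# Constructed excerpt in public suffix list syntax; "*." wildcards and "!"
# exceptions follow the list's rules. dyn.example is a made-up free
# subdomain provider that registered its suffix in the PRIVATE section.
PSL = """
// ICANN section
com
*.ck
!www.ck
// PRIVATE section
dyn.example
"""

def parse_psl(text):
    """Keep rule lines only; comment lines start with // in the real list too."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")}

def registered_domain(hostname, rules):
    """Public suffix plus one label, or None if hostname is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 1  # default rule: the top-level label is a public suffix
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        wild = ".".join(["*"] + labels[i + 1:])
        if "!" + cand in rules:             # exception: suffix is one label shorter
            suffix_len = max(suffix_len, len(labels) - i - 1)
        elif cand in rules or wild in rules:
            suffix_len = max(suffix_len, len(labels) - i)
    if suffix_len >= len(labels):
        return None
    return ".".join(labels[-(suffix_len + 1):])

def certs_charged(issued, hostname, rules, now, days=7):
    """Certificates issued in the last `days` that count against hostname's registered domain."""
    scope = registered_domain(hostname, rules)
    start = now - timedelta(days=days)
    return sum(1 for name, t in issued
               if registered_domain(name, rules) == scope and start < t <= now)

# Constructed issuance log: (hostname, issue time); NOW is an arbitrary reference point.
NOW = datetime(2016, 3, 10)
ISSUED = [("a.example.com", NOW - timedelta(days=1)),
          ("b.example.com", NOW - timedelta(days=2)),
          ("c.example.com", NOW - timedelta(days=9)),   # outside the 7-day window
          ("a.dyn.example", NOW - timedelta(days=1)),
          ("b.dyn.example", NOW - timedelta(days=2))]
RULES = parse_psl(PSL)

if __name__ == "__main__":
    for host in ("d.example.com", "c.dyn.example", "a.dyn.example"):
        print(host, registered_domain(host, RULES), certs_charged(ISSUED, host, RULES, NOW))
```

All subdomains of example.com share one budget, while each name directly under the listed suffix dyn.example is counted on its own.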