
Which of the following provides the highest level of security to protect sessions between a client and server? (Wentz QOTD)
A. TLS 1.3
B. SSL 3.0
C. TLS 3.1
D. HTTPS
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. TLS 1.3.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

HTTPS and TLS/SSL
Browsers communicate with web servers through either HTTP or HTTPS. Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) and uses Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL) to encrypt traffic.
Even though HTTPS negotiates the secure protocol used for the communication (e.g., TLS or SSL), it cannot guarantee which version of that protocol is used. When a TLS connection is unavailable, many browsers will downgrade to SSL 3.0, which has a design flaw called POODLE that “allows the padding data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed.” (POODLE)
TLS/SSL Versions
There is no TLS 3.1 as of this post’s writing.
| Protocol | Published | Status |
| --- | --- | --- |
| TLS 1.3 | 2018 | |
| TLS 1.2 | 2008 | |
| TLS 1.1 | 2006 | Deprecation planned in 2020 |
| TLS 1.0 | 1999 | Deprecation planned in 2020 |
| SSL 3.0 | 1996 | Deprecated in 2015 (RFC 7568) |
| SSL 2.0 | 1995 | Deprecated in 2011 (RFC 6176) |
| SSL 1.0 | Unpublished | Unpublished |
TLS and SSL Handshake

