Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 1 of 32
`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 1 of 32
`
`
`
`
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 2 of 32
`
`Transport Layer Security
`
`Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL),[1] are cryptographic protocols designed to provide communications security over a computer
`network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all
`communications between their servers and web browsers.
`
`The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.[2]:3 When secured by TLS, connections between a client (e.g., a web
`browser) and a server (e.g., wikipedia.org) should have one or more of the following properties:
`
`The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for
`each connection and are based on a shared secret that was negotiated at the start of the session (see § TLS handshake). The server and client negotiate the details of which
`encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see § Algorithm below). The negotiation of a shared secret is both secure (the
`negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker
`can modify the communications during the negotiation without being detected).
`The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one
`of the parties (typically the server).
`The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of
`the data during transmission.[2]:3
`In addition to the properties above, careful configuration of TLS can provide additional privacy-related properties such as forward secrecy, ensuring that any future disclosure of encryption keys cannot
`be used to decrypt any TLS communications recorded in the past.[3]
`
`TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity (see § Algorithm below). As a result, secure configuration of TLS involves many
`configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the § Key exchange (authentication), § Cipher security, and § Data integrity
`tables).
`
`Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats (see § Security).
`Developers of web browsers have also revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).[4]
`
`The TLS protocol comprises two layers: the TLS record and the TLS handshake protocols.
`
`TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999, and the current version is TLS 1.3 defined in RFC 8446 (August 2018). TLS builds on the earlier SSL
`specifications (1994, 1995, 1996) developed by Netscape Communications[5] for adding the HTTPS protocol to their Navigator web browser.
`
`Contents
`Description
`History and development
`Secure Network Programming
`SSL 1.0, 2.0, and 3.0
`TLS 1.0
`TLS 1.1
`TLS 1.2
`TLS 1.3
`Digital certificates
`Certificate authorities
`Algorithm
`Key exchange or key agreement
`Cipher
`Data integrity
`Applications and adoption
`Websites
`Web browsers
`Libraries
`Other uses
`Security
`SSL 2.0
`SSL 3.0
`TLS
`Attacks against TLS/SSL
`Forward secrecy
`TLS interception
`Protocol details
`TLS handshake
`TLS record
`Support for name-based virtual servers
`Standards
`Primary standards
`Extensions
`Informational RFCs
`See also
`References
`Further reading
`External links
`
`Description
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 3 of 32
`Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering.
`
`Since applications can communicate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection.[6] One of the main ways of achieving this is
`to use a different port number for TLS connections, for example port 443 for HTTPS. Another mechanism is for the client to make a protocol-specific request to the server to switch the connection to
`TLS; for example, by making a STARTTLS request when using the mail and news protocols.
`
`Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure.[7] The protocols use a handshake with an asymmetric cipher to establish not
`only cipher settings but also a session-specific shared key with which further communication is encrypted using a symmetric cipher. During this handshake, the client and server agree on various
`parameters used to establish the connection's security:
`
`The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and the client presents a list of supported cipher suites (ciphers and hash
`functions).
`From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
`The server usually then provides identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) that vouches for the
`authenticity of the certificate, and the server's public encryption key.
`The client confirms the validity of the certificate before proceeding.
`To generate the session keys used for the secure connection, the client either:
`
`encrypts a random number with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then
`use the random number to generate a unique session key for subsequent encryption and decryption of data during the session
`uses Diffie–Hellman key exchange to securely generate a random and unique session key for encryption and decryption that has the additional property of forward secrecy: if
`
`the server's private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.
`
`This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS
`handshake fails and the connection is not created.
`
`TLS and SSL do not fit neatly into any single layer of the OSI model or the TCP/IP model.[8][9] TLS runs "on top of some reliable transport protocol (e.g., TCP),"[10] which would imply that it is above
`the transport layer. It serves encryption to higher layers, which is normally the function of the presentation layer. However, applications generally use TLS as if it were a transport layer,[8][9] even though
`[10]
`applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.
`
`History and development
`
`Secure Network Programming
`Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming
`interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to
`facilitate retrofitting pre-existing network applications with security measures.[12]
`
`1995
`
`1996
`
`Unpublished
`
`Unpublished
`
`SSL and TLS protocols
`Protocol Published
`Status
`SSL 1.0
`SSL 2.0
`SSL 3.0
`
`Deprecated in 2011 (RFC 6176)
`
`Deprecated in 2015 (RFC 7568)
`
`SSL 1.0, 2.0, and 3.0
`Netscape developed the original SSL protocols.[13][14] Version 1.0 was never publicly released because of serious security flaws in
`the protocol; version 2.0, released in February 1995, contained a number of security flaws which necessitated the design of version
`3.0.[15][13] Released in 1996, SSL version 3.0 represented a complete redesign of the protocol produced by Paul Kocher working
`with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of
`Consensus Development. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a
`historical document in RFC 6101.
`
`TLS 1.0
`
`TLS 1.1
`
`TLS 1.2
`TLS 1.3
`
`1999
`
`2006
`
`2008
`
`2018
`
`[16][17]
`Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, has been described as the "father of SSL".
`
`Deprecation planned in 2020[11]
`
`Deprecation planned in 2020[11]
`
`SSL 2.0 was deprecated in 2011 by RFC 6176.
`In 2014, SSL 3.0 was found to be vulnerable to the POODLE attack that affects all block ciphers in SSL; RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL
`3.0.[18]
`
`SSL 3.0 was deprecated in June 2015 by RFC 7568.
`
`TLS 1.0
`TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, "the
`differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS
`implementation can downgrade the connection to SSL 3.0, thus weakening security.[19]:1–2
`
`The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.[20][21] In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they
`would deprecate TLS 1.0 and 1.1 in March 2020.[11]
`
`TLS 1.1
`TLS 1.1 was defined in RFC 4346 in April 2006.[22] It is an update from TLS version 1.0. Significant differences in this version include:
`
`Added protection against cipher-block chaining (CBC) attacks.
`
`The implicit initialization vector (IV) was replaced with an explicit IV.
`Change in handling of padding errors.
`Support for IANA registration of parameters.[19]:2
`
`TLS 1.2
`TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences include:
`
`The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher suite specified PRFs.
`The MD5-SHA-1 combination in the finished message hash was replaced with SHA-256, with an option to use cipher suite specific hash algorithms. However, the size of the hash
`in the finished message must still be at least 96 bits.[23]
`The MD5-SHA-1 combination in the digitally signed element was replaced with a single hash negotiated during handshake, which defaults to SHA-1.
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 4 of 32
`Enhancement in the client's and server's ability to specify which hashes and signature algorithms they accept.
`Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of Advanced Encryption Standard (AES) encryption.
`TLS Extensions definition and AES cipher suites were added.[19]:2
`All TLS versions were further refined in RFC 6176 in March 2011, removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL)
`version 2.0.
`
`TLS 1.3
`TLS 1.3 was defined in RFC 8446 in August 2018. It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:
`
`Separating key agreement and authentication algorithms from the cipher suites
`Removing support for weak and lesser-used named elliptic curves
`Removing support for MD5 and SHA-224 cryptographic hash functions
`Requiring digital signatures even when a previous configuration is used
`Integrating HKDF and the semi-ephemeral DH proposal
`Replacing resumption with PSK and tickets
`Supporting 1-RTT handshakes and initial support for 0-RTT
`Mandating perfect forward secrecy, by means of using ephemeral keys during the (EC)DH key agreement
`Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, non-PFS key exchange (among which are static RSA and static
`DH key exchanges), custom DHE groups, EC point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
`Prohibiting SSL or RC4 negotiation for backwards compatibility
`Integrating use of session hash
`Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
`Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
`Adding the ChaCha20 stream cipher with the Poly1305 message authentication code
`Adding the Ed25519 and Ed448 digital signature algorithms
`Adding the x25519 and x448 key exchange protocols
`Network Security Services (NSS), the cryptography library developed by Mozilla and used by its web browser Firefox, enabled TLS 1.3 by default in February 2017.[24] TLS 1.3 was added to Firefox
`
`52.0, which was released in March 2017, but it was disabled by default due to compatibility issues for some users.[25] It has been enabled by default since Firefox 60.0.[26]
`
`Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as Blue Coat web proxies.[27]
`
`Pale Moon enabled the use of TLS 1.3 as of version 27.4, released in July 2017.[28] During the IETF 100 Hackathon which took place in Singapore, The TLS Group worked on adapting open-source
`applications to use TLS 1.3.[29][30] The TLS group was made up of individuals from Japan, United Kingdom, and Mauritius via the cyberstorm.mu team.[30] During the IETF 101 Hackathon which took
`place in London, more work was done on application support of TLS 1.3.[31] During IETF 102 Hackathon, work continued to inter-operate lesser known TLS 1.3 implementations along with application
`integration.[32]
`
`wolfSSL enabled the use of TLS 1.3 as of version 3.11.1, released in May 2017.[33] As the first commercial TLS 1.3 implementation, wolfSSL 3.11.1 supported Draft 18 and now supports Draft 28,[34]
`the final version, as well as many older versions. A series of blogs was published on the performance difference between TLS 1.2 and 1.3.[35]
`
`In September 2018, the popular OpenSSL project released version 1.1.1 of its library, in which support for TLS 1.3 was "[t]he headline new feature".[36]
`
`[37]
`The Electronic Frontier Foundation praises TLS 1.3 and warns about "a look-alike protocol brewing called ETS (or eTLS) that intentionally disables important security measures in TLS 1.3".
`
`Digital certificates
`A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This
`allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key.
`
`Certificate authorities
`TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of
`certificates distributed with user agent software,[38] and can be modified by the relying party.
`
`According to Netcraft, who monitors active TLS certificates, the market-leading certificate authority (CA) has been Symantec since the beginning of
`their survey (or VeriSign before the authentication services business unit was purchased by Symantec). Symantec currently accounts for just under a third
`[39]
`of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.
`
`As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a
`certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the
`identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a
`security standpoint, allowing man-in-the-middle attacks (MITM) if the certificate authority cooperates (or is compromised).[40][41]
`
`Example of a website with digital
`certificate
`
`Algorithm
`
`Key exchange or key agreement
`Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see § Cipher).
`Among the methods used for key exchange/agreement are: public and private keys generated with RSA (denoted TLS_RSA in the TLS handshake protocol), Diffie–Hellman (TLS_DH), ephemeral
`Diffie–Hellman (TLS_DHE), elliptic-curve Diffie–Hellman (TLS_ECDH), ephemeral elliptic-curve Diffie–Hellman (TLS_ECDHE), anonymous Diffie–Hellman (TLS_DH_anon),[2] pre-shared key
`(TLS_PSK)[42] and Secure Remote Password (TLS_SRP).[43]
`
`The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable to man-in-the-middle attacks. Only
`TLS_DHE and TLS_ECDHE provide forward secrecy.
`
`Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July
`2013, Google announced that it would no longer use 1024-bit public keys and would switch instead to 2048-bit keys to increase the security of the TLS encryption it provides to its users because the
`encryption strength is directly related to the key size.[4][44]
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 5 of 32
`Key exchange/agreement and authentication
`SSL 2.0 SSL 3.0 TLS 1.0
`TLS 1.1
`TLS 1.2
`
`TLS 1.3
`
`Status
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`Yes
`
`No
`
`Yes
`
`No
`
`No[45]
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Defined for TLS 1.2 in RFCs
`
`Algorithm
`RSA
`DH-RSA
`DHE-RSA (forward secrecy)
`ECDH-RSA
`ECDHE-RSA (forward secrecy)
`DH-DSS
`DHE-DSS (forward secrecy)
`ECDH-ECDSA
`ECDHE-ECDSA (forward secrecy)
`PSK
`PSK-RSA
`DHE-PSK (forward secrecy)
`ECDHE-PSK (forward secrecy)
`SRP
`SRP-DSS
`SRP-RSA
`Kerberos
`DH-ANON (insecure)
`ECDH-ANON (insecure)
`
`GOST R 34.10-94 / 34.10-2001[46]
`
`Cipher
`
`Type
`
`Cipher
`
`Algorithm
`
`AES GCM[47][n 5]
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Proposed in RFC drafts
`
`Cipher security against publicly known feasible attacks
`Protocol version
`TLS 1.0
`TLS 1.1
`[n 1][n 3]
`[n 1]
`
`Nominal
`strength (bits)
`
`SSL 2.0
`
`SSL 3.0
`[n 1][n 2][n 3][n 4]
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`Status
`
`TLS 1.2
`[n 1]
`
`Secure
`
`TLS
`1.3
`
`Secure
`
`Secure
`
`AES CCM[48][n 5]
`
`AES CBC[n 6]
`
`Camellia GCM[49][n 5]
`
`Camellia CBC[50][n 6]
`
`ARIA GCM[51][n 5]
`
`ARIA CBC[51][n 6]
`
`SEED CBC[52][n 6]
`
`3DES EDE CBC[n 6][n 7]
`GOST 28147-89
`CNT[46][n 7]
`
`256, 128
`
`256, 128
`
`256, 128
`
`128
`
`112[n 8]
`
`256
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`Secure
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`N/A
`
`N/A
`
`Secure
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`N/A
`
`N/A
`
`Secure
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Depends on
`mitigations
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`N/A
`
`N/A
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`Block
`cipher
`with
`mode of
`operation
`
`Defined for TLS 1.2 in
`RFCs
`
`Defined in RFC 4357
`
`128
`
`56
`
`40[n 10]
`
`40[n 10]
`
`256
`
`128
`
`IDEA CBC[n 6][n 7][n 9]
`
`DES CBC[n 6][n 7][n 9]
`
`RC2 CBC[n 6][n 7]
`
`ChaCha20-Poly1305[57][n 5]
`
`RC4[n 11]
`
`Null[n 12]
`
`Stream
`cipher
`
`None
`
`Notes
`
`Insecure
`
`Insecure
`
`40[n 10]
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`N/A
`
`N/A
`
`–
`
`N/A
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`Insecure
`
`N/A
`
`N/A
`
`N/A
`
`Insecure
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`N/A
`
`Secure
`
`Secure
`
`Removed from TLS 1.2
`
`Forbidden in TLS 1.1
`and later
`
`Defined for TLS 1.2 in
`RFCs
`
`Prohibited in all
`versions of TLS by
`RFC 7465
`
`Defined for TLS 1.2 in
`RFCs
`
`N/A
`
`N/A
`
`N/A
`
`1. RFC 5746 (https://tools.ietf.org/html/rfc5746) must be implemented to fix a
`renegotiation flaw that would otherwise break this protocol.
`2. If libraries implement fixes listed in RFC 5746 (https://tools.ietf.org/html/rfc5746), this
`violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Most
`current libraries implement the fix and disregard the violation that this causes.
`3. The BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS
`1.0 unless mitigated by the client and/or the server. See § Web browsers.
`
`4. The POODLE attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless
`mitigated by the client and/or the server. See § Web browsers.
`5. AEAD ciphers (such as GCM and CCM) can be used in only TLS 1.2.
`6. CBC ciphers can be attacked with the Lucky Thirteen attack if the library is not written
`carefully to eliminate timing side channels.
`7. The Sweet32 attack breaks block ciphers with a block size of 64 bits.[53]
`8. Although the key length of 3DES is 168 bits, effective security strength of 3DES is
`only 112 bits,[54] which is below the recommended minimum of 128 bits.[55]
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 6 of 32
`9. IDEA and DES have been removed from TLS 1.2.[56]
`11. Use of RC4 in all versions of TLS is prohibited by RFC 7465 (https://tools.ietf.org/htm
`l/rfc7465) (because RC4 attacks weaken or break RC4 used in SSL/TLS).
`10. 40 bits strength of cipher suites were designed to operate at reduced key lengths to
`12. Authentication only, no encryption.
`comply with US regulations about the export of cryptographic software containing
`certain strong encryption algorithms (see Export of cryptography from the United
`States). These weak suites are forbidden in TLS 1.1 and later.
`
`Data integrity
`Message authentication code (MAC) is used for data integrity. HMAC is used for CBC mode of block ciphers and stream ciphers. AEAD is used for authenticated encryption such as GCM mode and
`CCM mode.
`
`Algorithm
`HMAC-MD5
`HMAC-SHA1
`HMAC-SHA256/384
`AEAD
`
`GOST 28147-89 IMIT[46]
`
`GOST R 34.11-94[46]
`
`Data integrity
`SSL 2.0 SSL 3.0 TLS 1.0
`TLS 1.1
`
`TLS 1.2
`
`TLS 1.3
`
`Status
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`Yes
`
`Defined for TLS 1.2 in RFCs
`
`Proposed in RFC drafts
`
`Applications and adoption
`In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as HTTP, FTP, SMTP, NNTP and XMPP.
`
`Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport
`protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport
`Layer Security (DTLS).
`
`Websites
`A primary use of TLS is to secure World Wide Web traffic between a website and a web browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the HTTPS
`protocol.[58]
`
`Website protocol support
`
`Security[59][60]
`
`Insecure
`
`Insecure[61]
`
`Depends on cipher[n 1] and client mitigations[n 2]
`
`Depends on cipher[n 1] and client mitigations[n 2]
`
`Depends on cipher[n 1] and client mitigations[n 2]
`
`Secure
`
`Protocol
`version
`
`Website
`support[59]
`
`1.9%
`
`7.6%
`
`68.0%
`
`77.4%
`
`95.2%
`
`14.2%
`
`SSL 2.0
`
`SSL 3.0
`
`TLS 1.0
`
`TLS 1.1
`
`TLS 1.2
`
`TLS 1.3
`
`Notes
`
`1. see § Cipher table above
`2. see § Web browsers and § Attacks against TLS/SSL sections
`
`Web browsers
`As of April 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the
`latest version of IE. Additionally, many operating systems currently support multiple versions of IE, but this has changed according to Microsoft's Internet Explorer Support Lifecycle Policy FAQ,
`"beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates." The page then goes on to
`list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end of life stage, which is in Microsoft's Windows
`lifecycle fact sheet.
`
`There are still problems on several browser versions:
`
`TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer 10 for Server 2012 and Internet Explorer 9 for Server 2008[62]
`Mitigations against known attacks are not enough yet:
`
`Mitigations against POODLE attack: some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients but also servers.
`Disabling SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC ciphers in SSL 3.0 is required.
`
`Google Chrome: complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default
`since version 40. Support of SSL 3.0 itself was dropped since version 44.)
`Mozilla Firefox: complete (support of SSL 3.0 itself is dropped since version 39. SSL 3.0 itself is disabled by default and fallback to SSL 3.0 are disabled since version 34,
`TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3.)
`Internet Explorer: partial (only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable against POODLE.)
`Opera: complete (TLS_FALLBACK_SCSV is implemented since version 20, "anti-POODLE record splitting", which is effective only with client-side implementation, is
`implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
`Safari: complete (only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 is denied, but this means it will use RC4, which is not recommended as well.
`Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
`Mitigation against RC4 attacks:
`
`Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
`Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 7 of 32
`Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
`Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 have set the priority of RC4 to lowest and can also disable RC4 except as a fallback
`through registry settings. Internet Explorer 11 Mobile 11 for Windows Phone 8.1 disable RC4 except as a fallback if no other enabled algorithm works. Edge and IE 11 disable
`RC4 completely in August 2016.
`Mitigation against FREAK attack:
`
`The Android Browser of Android 4 and older is still vulnerable to the FREAK attack.
`Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
`Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
`Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 8 of 32
`TLS/SSL support history of web browsers
`
`Browser
`
`Version
`
`Platforms
`
`SSL protocols
`
`SSL 2.0
`(insecure)
`
`SSL 3.0
`(insecure)
`
`TLS protocols
`
`Certificate support
`
`TLS 1.0
`
`TLS 1.1
`
`TLS 1.2
`
`TLS 1.3
`
`EV
`[n 3][63]
`
`SHA-2
`[64]
`
`ECDSA
`[65]
`
`1–9
`
`10–20
`
`21
`
`22–29
`
`30–32
`
`Disabled
`by default
`
`Enabled by
`default
`
`Yes
`
`No
`
`No[73]
`
`Enabled by
`default
`
`Yes
`
`No
`
`Enabled by
`default
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`needs SHA-
`2
`compatible
`OS[64]
`
`needs SHA-
`2
`compatible
`OS[64]
`
`needs SHA-
`2
`compatible
`OS[64]
`
`needs SHA-
`2
`compatible
`OS[64]
`
`needs SHA-
`2
`compatible
`OS[64]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`Enabled by
`default
`
`Enabled by
`default
`
`Yes
`
`Yes[75]
`
`No[75][76][77][78]
`
`No
`
`Yes
`
`Yes
`
`Yes [76][77][78]
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`Google
`Chrome
`(Chrome for
`Android)
`[n 8]
`[n 9]
`
`33–37
`
`38, 39
`
`40
`
`41, 42
`
`43
`
`44–47
`
`48, 49
`
`Windows (7+)
`OS X (10.10+)
`Linux
`Android (4.1+)
`iOS (9.0+)
`Chrome OS
`
`Enabled by
`default
`
`Enabled by
`default
`
`Disabled by
`default [80][84]
`
`Disabled by
`default
`
`Disabled by
`default
`
`No[86]
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`needs SHA-
`2
`compatible
`OS[64]
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`needs ECC
`compatible
`OS[65]
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`50–53
`
`54–66
`
`67–69
`
`70–72
`
`73
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Yes
`(only
`desktop)
`
`Disabled
`by default
`(draft
`version)
`
`Yes
`(draft
`version)
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Browser
`
`Version
`
`Platforms
`
`SSL 2.0
`(insecure)
`
`SSL 3.0
`(insecure)
`
`TLS 1.0
`
`TLS 1.1
`
`TLS 1.2
`
`TLS 1.3
`
`EV
`certificate
`
`SHA-2
`certificate
`
`ECDSA
`certificate
`
`Google
`Android
`OS
`Browser
`[90]
`
`Android 1.0, 1.1, 1.5, 1.6, 2.0–2.1, 2.2–
`2.2.3
`
`Android 2.3–2.3.7
`
`No
`
`No
`
`Enabled by
`default
`
`Enabled by
`default
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Unknown
`
`No
`
`Unknown
`
`Yes[64]
`
`No
`
`No
`
`Android 3.0–3.2.6, 4.0–4.0.4
`
`Android 4.1–4.3.1, 4.4–4.4.4
`
`Android 5.0–5.0.2
`
`Android 5.1–5.1.1
`
`Android 6.0–6.0.1
`
`Android 7.0–7.1.2
`
`Android 8.0-8.1
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Enabled by
`default
`
`Enabled by
`default
`
`Enabled by
`default
`
`Disabled by
`default
`
`Disabled by
`default
`
`Disabled by
`default
`
`No
`[94]
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`Disabled by
`default [92]
`
`Disabled by
`default [92]
`
`Yes[92][93]
`
`Yes[92][93]
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Unknown
`
`Yes[64]
`
`Yes[91]
`
`Unknown
`
`Unknown
`
`Unknown
`
`Unknown
`
`Unknown
`
`Unknown
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes[65]
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`

`

`Case 3:17-cv-05659-WHA Document 470-6 Filed 05/13/19 Page 9 of 32
`Android 9.0
`No
`No
`Yes
`Yes
`Yes
`No
`
`Unknown
`
`Android 10.0
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Unknown
`
`Unknown
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Browser
`
`Version
`
`Platforms
`
`SSL 2.0
`(insecure)
`
`SSL 3.0
`(insecure)
`
`TLS 1.0
`
`TLS 1.1
`
`TLS 1.2
`
`TLS 1.3
`
`EV
`certificate
`
`SHA-2
`certificate
`
`ECDSA
`certificate
`
`1.0, 1.5
`
`2
`
`3–7
`
`8–10
`ESR 10
`
`11–14
`
`Enabled
`by default
`[95]
`
`Disabled
`by default
`[95][97]
`
`Disabled
`by default
`
`No[97]
`
`No
`
`Enabled by
`default
`[95]
`
`Enabled by
`default
`
`Enabled by
`default
`
`Enabled by
`default
`
`Enabled by
`default
`
`Yes[95]
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes[64]
`
`No
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes[65]
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`15–22
`ESR 17.0–17.0.10
`
`ESR 17.0.11
`
`23
`
`24, 25.0.0
`ESR 24.0–24.1.0
`
`25.0.1, 26
`ESR 24.1.1
`
`27