SSL Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ssl/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 18 Apr 2023 00:55:47 +0000

Difference Between IPSec and SSL
https://gridinsoft.com/blogs/ipsec-ssl-difference/
Mon, 26 Dec 2022 14:35:09 +0000

The post Difference Between IPSec and SSL appeared first on Gridinsoft Blog.

In the last couple of years, remote work has become integral to the world business landscape. However, to make remote work more efficient, employees need access to the company network wherever they are. A virtual private network (VPN) solves this by allowing remote employees to connect directly to the network, performing tasks as if they were in the office. VPNs use two basic types of security protocols, IPsec and SSL, and it’s essential to understand their differences to ensure security. Let’s compare IPSec and SSL encryption from a VPN end-user perspective.

The basics of VPN encryption

A VPN encrypts all your Internet traffic so it can only be decrypted using the correct key. Before leaving your device, the outgoing data is encrypted and sent to the VPN server, which decrypts the data using the appropriate key. From there, your information is sent to its destination, such as a website. This way, the encryption prevents anyone who can intercept the data between you and the VPN server from decrypting the content. This could be your ISP, a government agency, or hackers. In some cases, they may be synonymous with each other.

[Image: How do VPN Encryption Protocols Work]

With incoming traffic, the same thing happens in reverse order. When data comes from a website, it goes to the VPN server first, gets encrypted there, and then arrives at your device. Your device decrypts the data, and you can browse the website as usual. All of this keeps your Internet data private and out of the hands of unauthorized parties. That holds, of course, only if the VPN provider keeps little data about its users and will not hand it over on a police order.

Encryption types may differ in the following ways:

  • The strength of encryption, that is, the method and degree to which your data is encrypted.
  • How encryption keys are managed and exchanged.
  • Which interfaces, protocols, and ports they use.
  • Which OSI (Open Systems Interconnection) layers they operate on.
  • How easy they are to deploy.
  • Performance (read: speed).

Difference between IPSec and SSL: Security

In a nutshell, SSL has a slight advantage here. IPSec connections require a shared key on both the client and the server to encrypt and send traffic to each other. Distributing that key gives attackers an opportunity to capture or compromise the pre-shared key. SSL VPNs do not have this problem because they use public key cryptography to negotiate the handshake and exchange encryption keys securely. Unfortunately, TLS/SSL implementations have had their own list of vulnerabilities, such as Heartbleed.

Some SSL VPNs accept untrusted self-signed certificates and do not verify clients; this is especially common in SSL VPN browser extensions. Such virtual private networks let anyone connect from any computer and are vulnerable to man-in-the-middle attacks. This does not apply to most OpenVPN clients, however. Likewise, SSL usually requires frequent patches to keep both the server and the client up to date.

The lack of open-source implementations of IPSec-based VPN protocols may worry people who fear government spies and spyware. In 2013, Edward Snowden reported that the U.S. National Security Agency’s Bullrun program was actively trying to “insert vulnerabilities into commercial encryption systems, IT systems, networks and communication endpoints used by targets.” The NSA allegedly used IPSec to add backdoors and side channels that hackers could exploit, even hackers hired by the government. In the end, strong security is more likely the result of experienced and careful network administrators than of protocol choice.

Firewall traversal

In short, SSL-based VPNs are better suited for bypassing firewalls. Most Wi-Fi routers and other network equipment contain NAT firewalls, which reject unrecognized Internet traffic and data packets without port numbers to protect against threats. IPSec encrypted packets (ESP packets) carry no port numbers at all. NAT firewalls may therefore block them, which interferes with the IPSec VPN.

To avoid this, many IPSec VPNs encapsulate ESP packets in UDP packets, which gives the data a UDP port number (usually UDP 4500). Although this solves the NAT traversal problem, the network firewall may still not allow packets through this port. Network administrators at airports, hotels, and other locations may permit only the protocols they consider necessary, and UDP 4500 may not be among them.

SSL traffic can go through port 443, which most devices know as the port used for secure HTTPS traffic. Since almost all networks allow HTTPS traffic through port 443, it is likely to be open. In addition, although OpenVPN uses UDP port 1194 by default, it can be configured to use other UDP or TCP ports, including TCP port 443. This makes SSL more useful for bypassing firewalls and other forms of censorship that block traffic by port.
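To make the port problem concrete, here is an added example (not code from the original post) that builds the same ESP payload twice, once directly over IP and once encapsulated in UDP 4500 as RFC 3948 describes, and shows which of the two a port-based NAT can actually track. The IPv4 and UDP headers are constructed by hand with zero checksums, and the addresses and SPI are made up.

```python
"""Why raw ESP breaks port-based NAT and how UDP encapsulation (NAT-T) fixes it.
Constructed packets only; nothing here is captured from a real network."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive on UDP/4500

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, checksum left at zero (constructed sample)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_packet(src, dst, spi, seq, body):
    """ESP carried directly over IP: SPI and sequence number, then the encrypted body."""
    esp = struct.pack("!II", spi, seq) + body
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def nat_t_esp_packet(src, dst, spi, seq, body):
    """Same ESP payload wrapped in UDP 4500: UDP header followed directly by the ESP header."""
    esp = struct.pack("!II", spi, seq) + body
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp

def flow_key(packet):
    """The 5-tuple a NAT or stateful firewall uses to track a connection.
    Ports are None when the transport protocol has none, as with ESP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return (src, dst, proto, sport, dport)
    return (src, dst, proto, None, None)

def nat_can_translate(packet):
    """A port-based NAT can only create a mapping when there are ports to rewrite."""
    _, _, _, sport, dport = flow_key(packet)
    return sport is not None and dport is not None

def classify_nat_t(udp_payload):
    """Tell apart the three things that share UDP/4500: keepalive, IKE and ESP."""
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(udp_payload) < 8:
        return "malformed"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"   # SPI 0 is reserved, so a non-zero first word means an ESP header
```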

Speed and reliability

Although both are reasonably fast, IKEv2/IPSec negotiates connections faster. Most IPSec-based VPN protocols take slightly longer to negotiate connections than SSL-based protocols, but this does not apply to IKEv2/IPSec. IKEv2 is an IPSec-based VPN protocol that is more than a decade old and is still popular among VPN providers. Its crucial feature is quick reconnection whenever the VPN connection is interrupted, which makes it especially useful for mobile iOS and Android clients that don’t always have a reliable connection or frequently switch between Wi-Fi and mobile data.

As for actual bandwidth, the picture is not clear, as there are arguments on both sides. According to some claims, IKEv2/IPSec can offer higher throughput than OpenVPN, although both protocols typically use 128-bit or 256-bit AES encryption. The extra UDP layer that many VPN providers add to IPSec traffic to help it pass through firewalls adds overhead, so more resources may be required to process it. Most people won’t notice the difference, however, because in most consumer VPNs throughput is determined by server and network congestion, not by the VPN protocol.

Ease of use

IPSec is more versatile, but most users of VPN provider applications will not notice the difference. Because IKEv2, SSTP, and L2TP are IPSec-based VPN protocols built into most major operating systems, they do not necessarily require an additional application to run. Most consumer VPN users will still use the provider’s application to connect, however. In addition, although SSL works by default in most web browsers, you need a standalone application to use OpenVPN. From an end-user perspective, IKEv2 offers a smoother experience because it connects and handles interruptions faster. That said, OpenVPN is more versatile and may be better suited for users who can’t get what they need with IKEv2.

If we talk about corporate VPNs, they aim to provide access to the company network, not the Internet. The consensus is that SSL is better suited for remote access, and IPSec is preferred for VPNs between networks. Because IPSec operates at the network layer of the OSI model, it gives the user full access to the corporate network regardless of the application. Consequently, restricting access to specific resources can be more difficult. On the other hand, SSL VPNs allow businesses to control remote access to specific applications at a fine level.

Internet protocol security

Generally, network administrators who work with VPNs find that client management using SSL is much easier and less time-consuming than using IPSec.

Conclusion

If you have both options, we recommend using IKEv2/IPSec first, and if you run into problems, try OpenVPN. IKEv2’s faster connection will be more convenient for everyday VPN users while offering comparable security, but it may not work in some circumstances. Until recently, OpenVPN/SSL was considered the best VPN combination for most consumer VPN users: it is fast enough, secure, open-source, can overcome NAT firewalls, and supports either UDP or TCP.


In turn, IKEv2/IPSec is a newer competitor to OpenVPN. It improves on L2TP and other IPSec-based protocols with faster connections, excellent stability, and built-in support on most new consumer devices. In any case, both SSL and IPSec offer reliable security with sufficient bandwidth, safety, and ease of use for most commercial VPN service customers.


“This Site Can’t Provide a Secure Connection”: How to Fix
https://gridinsoft.com/blogs/this-site-cant-provide-a-secure-connection-fix-guide/
Wed, 16 Nov 2022 16:19:39 +0000

The post “This Site Can’t Provide a Secure Connection”: How to Fix appeared first on Gridinsoft Blog.

Every active Internet user has encountered error messages at least once, especially security-related ones. For example, the “This site can’t provide a secure connection” notification can be alarming. More often than not, however, the problem lies with your web browser and is relatively easy to fix. In this article, we’ll look at the root causes of this error message and tell you how to troubleshoot it.

What the error “This Site Can’t Provide a Secure Connection” means

First, let’s find out what a “secure connection” is. It is a connection to a website that uses the secure Hypertext Transfer Protocol (HTTPS), not HTTP. Browsers usually mark secure websites with a lock icon at the beginning of the address bar, confirming that the connection is secure. A secure connection means that all data packets your device exchanges with the server are encrypted, so third parties cannot see their contents. HTTPS offers significant security advantages over HTTP but imposes strict requirements for compliance. One of these is a valid SSL certificate. Thus, the “This site can’t provide a secure connection” error tells us there is a problem with the SSL certificate. That is, the site claims to support HTTPS but either does not present a certificate or presents an invalid one. If the browser can’t verify the certificate, it won’t load the site and will display this error message instead.

[Image: Security check padlock icon. If you see this lock, it means the website is safe]

Causes of the “This Site Can’t Provide a Secure Connection” error

If you see a site security warning, it does not necessarily mean the site is unsafe. A genuinely dangerous site is possible, but more often than not the cause is harmless. The causes can be divided into problems with the web browser or system configuration and problems with the site itself. You can tell them apart by opening the problem page in several browsers. If the error appears in one browser but the page works fine in another, the problem is probably in the browser (usually the cache). If the error appears in all browsers, the problem is either with your computer or with the site itself. Listed below are the most common causes of this error message:

  • Incorrect time and date settings on your device. If your laptop has the wrong date and time, this can cause problems with SSL certificate validation. Your PC may think the certificate has already expired or, more amusingly, has not been issued yet.
  • Outdated SSL caches in your browser. This is one of the most common causes. Web browsers store SSL certificates in a cache so they don’t need to check the certificate every time you visit a site, which speeds up browsing. However, if the site’s SSL certificate changes but the browser still loads the older version from the cache, this error can result.
  • Invalid or expired SSL certificate. Certificates must be renewed periodically. You will see this error if the website’s SSL certificate has expired.
  • Faulty browser extensions. An incorrectly working browser extension can also cause problems with certificate validation. Often it is a simple error caused by poor design, though sometimes the extension is malicious.
  • Overzealous antivirus. Incorrectly configured antivirus software can sometimes produce this message by mistake, typically because of an error in its handling of encrypted connections.

Fix the “This Site Can’t Provide a Secure Connection” error

Fortunately for the user, solving the problem does not require any serious disruption. In some cases, though, you will keep seeing the error until the site owner deals with an outdated certificate. Below we look at how to eliminate the secure connection error.

Set the correct date and time

The certificate’s validity period matters: the browser checks the current time against the certificate’s issue and expiration dates. An incorrect date or time zone can therefore cause a secure connection error in Chrome. Make sure the time on your system is synchronized with your current time zone. In most cases, this simple step is enough.
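The clock-skew cause and this fix can be checked rather than guessed. The following added example (not code from the original post) runs the browser’s validity check twice, once with the device clock and once with the true time, so a verdict that flips between the two points at the clock rather than the site. The certificate dictionary is constructed in the shape Python’s `ssl.SSLSocket.getpeercert()` returns, with invented dates.

```python
"""Is the 'secure connection' error caused by the device clock or by the site?
SAMPLE_CERT is a constructed stand-in for a real getpeercert() result."""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: a certificate valid throughout the year 2023.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2023 GMT",
}

def at(year, month, day, hour=0):
    """Helper for building aware UTC timestamps in tests and examples."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def shift(moment, days=0, seconds=0):
    """Move a timestamp forward or backward, simulating a wrong device clock."""
    return moment + timedelta(days=days, seconds=seconds)

def validity_window(cert):
    """notBefore/notAfter strings from getpeercert() as aware UTC datetimes."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(not_before, timezone.utc),
            datetime.fromtimestamp(not_after, timezone.utc))

def check_validity(cert, now):
    """The verdict a browser reaches when its clock says `now`."""
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"

def diagnose(cert, device_clock, true_time):
    """Compare the verdict under the device clock with the verdict under the real time."""
    with_clock = check_validity(cert, device_clock)
    with_truth = check_validity(cert, true_time)
    if with_truth != "valid":
        return "site-problem:" + with_truth    # only the site owner can fix this
    if with_clock != "valid":
        return "clock-problem:" + with_clock   # fix the date and time settings
    return "certificate-ok"                    # look at cache, extensions, antivirus

def skew_seconds(device_clock, true_time):
    """How far the device clock is off, in whole seconds (positive = clock ahead)."""
    return int((device_clock - true_time).total_seconds())
```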

Clear Chrome’s browsing data

If the problem persists after setting the date and time, try clearing the Chrome cache and cookies. To do this, press Ctrl + Shift + Delete, select the time range “All time”, and click “Clear data”.

[Image: Clear browsing data]

Check recently installed extensions

Recently installed extensions and ad blockers can interfere with how Chrome displays sites. First, try removing these extensions and then reload the web page. To remove extensions from Chrome, follow these steps:

First, open the Chrome browser and type chrome://extensions in the address bar.

[Image: Extensions check]

This will take you to the extensions page, where you can click on the “Remove” button next to your recently installed extensions.

[Image: Remove extensions]

You can do the same step to disable ad blockers.

Check your antivirus and firewall settings

Sometimes the connection error in Chrome is caused by overly aggressive or incorrect settings in the antivirus and firewall installed on your PC. Most modern antivirus programs scan websites for malicious elements and other security threats. They also check the SSL/TLS version the website uses, and if the website uses an outdated version, the antivirus blocks it. In this case, you can confirm the cause by temporarily disabling the antivirus, but leaving it disabled would not be safe.

Clear SSL state

If the above methods don’t help, try to clear the SSL status. To do this, perform the following steps:

  • Open the Start menu.
  • Search for and open Internet Properties.
  • Select the Content tab.
  • Click Clear SSL State.

[Image: Clear SSL state]

Disable the QUIC protocol

QUIC (Quick UDP Internet Connections) provides a connection to Google’s servers that is equivalent to TLS/SSL. QUIC is enabled by default in Chrome. To disable it, copy chrome://flags/#enable-quic, paste it into the address bar, and press Enter. At the top of the screen, the Experimental QUIC protocol flag is set to Default. Set it to Disabled and restart Chrome.

[Image: Disable QUIC protocol]

Enable TLS and SSL support

Older SSL and TLS versions are disabled in most browsers and operating systems. Since most websites use much more secure and faster protocols, Chrome refused to load the site and warned you that it was not secure. You can nevertheless enable support for these TLS/SSL versions:

  • Open the Control Panel and find Internet Options.
  • Click the Advanced tab.
  • Scroll down, select TLS 1.0, TLS 1.1, TLS 1.2, SSL 3.0, and SSL 2.0, and click “OK”.

[Image: Security protocol settings]

Restart your computer and try to visit the web page.



Transport Layer Security (TLS): Difference Between TLS and HTTPS?
https://gridinsoft.com/blogs/tls-https-difference/
Fri, 04 Nov 2022 18:00:21 +0000

The post Transport Layer Security (TLS): Difference Between TLS and HTTPS? appeared first on Gridinsoft Blog.

Transport Layer Security is a widely used security protocol designed to ensure confidentiality and data security when exchanging data over the Internet. In particular, we use TLS daily to encrypt communication between servers and clients, the most common kind of communication there is. Meanwhile, people are used to hearing the abbreviation HTTPS for the same thing, secure client-server communication. So what is the difference between the TLS and HTTPS protocols? Let’s figure that out.

The difference between TLS and HTTPS

The predecessor of TLS is the Secure Sockets Layer (SSL) encryption protocol developed by Netscape. TLS version 1.0 began development as SSL version 3.1, and the protocol was renamed before publication. Therefore, the terms TLS and SSL are sometimes used synonymously. Moreover, you can still meet both technologies in use today. Most web browsers support using the SSL protocol to secure a connection, despite the IETF declaring it obsolete in 2014. In some configurations, you may see a connection error when trying to open a site that uses the obsolete security standard.

SSL/TLS is what adds the S to HTTP. To make a website connection secure, you need an up-to-date SSL/TLS certificate. When you install an SSL certificate, you configure the site to transfer data using HTTPS. Thus, the two technologies go hand in hand and cannot be operated one without the other. URLs are preceded by either HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure), which determines how the data you receive or send is transferred. To determine whether a site uses an SSL certificate, check whether the URL starts with HTTP or HTTPS, because HTTPS connections require an SSL certificate. Hence, the difference between TLS and HTTPS is not that big: the former is a part of the latter.

[Image: Difference between TLS and HTTPS]

Why should businesses use TLS?

Because TLS encryption helps protect web applications from data leakage and other attacks, HTTPS with TLS security is standard practice for websites. At that point, there is no difference between TLS and HTTPS, as they mean the same thing for you. The Chrome browser promoted the transition of websites to HTTPS, and other browsers followed suit. Today, cybersecurity experts don’t recommend trusting websites that lack the HTTPS padlock icon. SSL and earlier TLS versions may contain exploitable flaws, so the latest version (1.3) is the only option. Needless to say, using unsecured connections is like taking a shower in a transparent stall in the middle of a crowded square.

What does TLS do?

TLS provides three services to all applications running on top of it: encryption, authentication, and integrity. Technically, any two of them could be applied on their own and still provide a sufficient level of security, but in practice all three are usually applied:

  • Encryption – hiding the information one computer sends to another. Even if a third party captures it, there is no way to read the data without the correct key. For a bystander, it is an unreadable sequence of symbols.
  • Authentication – checking the identity of both parties to the communication. Usually, that is a handshake and a check that the certificate matches the site’s URL. That rules out a third party acting as a shady intermediary sitting in the middle.
  • Integrity – detecting spoofed information. The intermediary mentioned above could not only obtain the key and read the data but also inject its own packets, spoofing the result. Integrity checking verifies a hash-based check value on each packet at every transfer step.

How does TLS work?

For TLS to work on a website or application, the origin server must have a TLS or SSL certificate. A certificate authority issues it to the person or company that owns the domain. It contains essential information about who owns the domain and the server’s public key, which is necessary for server authentication. A TLS connection is then initiated using a sequence known as the TLS handshake. For example, when a user goes to a website that uses TLS, the TLS handshake begins between the user’s device (also called the client) and the web server. During the TLS handshake, the user’s device and the web server do the following:

  • Specify the version of TLS they will use (TLS 1.0, 1.2, 1.3, etc.).
  • Decide which cipher suite they will use.
  • Authenticate the server with the TLS server certificate.
  • Generate session keys to encrypt messages between them after the handshake is completed.

The TLS handshake sets a cipher suite for each communication session. Cipher suites are sets of algorithms that specify how the information for a given session, such as shared encryption or session keys, is produced and used. For example, thanks to public key cryptography, TLS can establish matching session keys over an unencrypted channel. In addition, the handshake handles authentication, in which the server confirms its identity to the client.


Public-key cryptography is used for this. The keys come in pairs, and the operation only works one way: anyone with the server’s public key can check data produced with the server’s private key, which guarantees its authenticity, but only the holder of the private key can produce such data. The server’s public key is part of its TLS certificate.

Once the data is encrypted and authenticated, it is signed with a message authentication code (MAC). The recipient can check the MAC to ensure the integrity of the data. This is something like the protective foil on a bottle of aspirin, whose intactness assures the buyer that no one has tampered with the medicine.
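The two points above, matching session keys derived over an unencrypted channel and a MAC that exposes tampering, can be walked through end to end. The following is an added toy example, not code from the original post or any TLS library: it uses a small prime-field Diffie-Hellman group (far too small for real use) in place of a real key share, HMAC-based HKDF for key derivation, and HMAC in place of an AEAD record layer; server authentication via the certificate is assumed to happen elsewhere, so no signature is shown.

```python
"""Toy TLS-style handshake: both hellos in the clear, matching keys on both
sides, then a MAC over each record so tampering is detected. Toy parameters."""
import hashlib
import hmac
import os

P = 2**127 - 1   # toy prime (Mersenne M127), constructed for the example only
G = 2

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(prk, label, length=32):
    """Single-block HKDF-Expand with a TLS-like label (enough for 32-byte keys)."""
    return hmac.new(prk, b"tls13 " + label + b"\x01", hashlib.sha256).digest()[:length]

class Party:
    def __init__(self, name):
        self.name = name
        self.random = os.urandom(32)
        self.priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.share = pow(G, self.priv, P)           # the public key share
        self.transcript = b""                        # every handshake byte seen
        self.keys = None

    def hello(self):
        """ClientHello / ServerHello: name, random and key share, sent in the clear."""
        msg = self.name.encode() + self.random + self.share.to_bytes(16, "big")
        self.transcript += msg
        return msg

    def receive_hello(self, msg):
        self.transcript += msg
        return int.from_bytes(msg[-16:], "big")      # peer's key share

    def derive(self, peer_share):
        """Both sides compute the same secret and bind it to the transcript."""
        shared = pow(peer_share, self.priv, P).to_bytes(16, "big")
        prk = hkdf_extract(hashlib.sha256(self.transcript).digest(), shared)
        self.keys = {"enc": hkdf_expand_label(prk, b"key"),
                     "mac": hkdf_expand_label(prk, b"mac")}
        return self.keys

def protect(seq, payload, mac_key):
    """Append a MAC over sequence number and payload (the 'protective foil')."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag

def verify(seq, record, mac_key):
    """Return the payload if the MAC checks out, None if the record was altered."""
    payload, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def run_handshake(payload=b"GET / HTTP/1.1"):
    """Full exchange: both hellos, key derivation on both sides, one protected record."""
    client, server = Party("client"), Party("server")
    ch = client.hello()                          # client -> server, plaintext
    client_share = server.receive_hello(ch)
    sh = server.hello()                          # server -> client, plaintext
    server_share = client.receive_hello(sh)
    ck = client.derive(server_share)
    sk = server.derive(client_share)
    record = protect(0, payload, ck["mac"])      # client sends its first record
    delivered = verify(0, record, sk["mac"])     # server checks the MAC
    # An intermediary flips one payload byte: the MAC no longer matches.
    tampered = bytes([record[0] ^ 0x01]) + record[1:]
    return {"client_keys": ck, "server_keys": sk, "delivered": delivered,
            "tampered_accepted": verify(0, tampered, sk["mac"]) is not None}
```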

The impact of TLS on the performance of Web applications

The latest versions of TLS have almost no effect on the performance of web applications. Setting up a TLS connection is a fairly involved process, however, so it takes some time and processing power. The client and server need to exchange several messages before they can exchange application packets, which costs precious milliseconds of load time and some memory on both client and server.

Server administrators can use certain tricks to reduce the delay created by the TLS handshake. One such trick is TLS False Start, which allows the server and client to begin transferring data before the TLS handshake is complete. Another technique for accelerating TLS is session resumption, which lets clients and servers that have previously exchanged data use a shortened handshake.

These improvements make TLS a fast protocol that should not noticeably affect access times. The computational cost of TLS is not very significant by today’s standards. TLS 1.3, released in 2018, made TLS even faster: its handshake requires only one round trip instead of two, which shaves a few milliseconds off the process. And if a user has previously connected to a website, the handshake can proceed with no round trips at all, speeding it up even more.

[Image: TLS protection - speed boost methods]

How to implement an SSL certificate on-site?

Depending on the site’s hosting parameters, there are different ways to add an SSL certificate. Sometimes a site is required to have a certificate, for example if it is an e-commerce page. Large hosting providers often offer hosting packages that already include SSL certificates. It is also possible to transfer an existing SSL certificate from another host by exporting it from the original server and importing it on the new one; the hosting provider’s website usually has specific instructions for this. Finally, some certificate authorities require purchasing a server license for each server that hosts the certificate.

