Transport Layer Security


Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), is a security protocol whose purpose is to provide security and data integrity for Internet communications. When Netscape released the first version of its web browser, Netscape Navigator, in 1994, it introduced the HTTPS protocol, encrypted with SSL; this is the origin of SSL. The IETF standardized SSL and published the first version of the TLS standard in 1999, followed by RFC 5246 (August 2008) and RFC 6176 (March 2011). The protocol is widely supported in applications such as web browsers, e-mail, instant messaging, VoIP and Internet fax. Major websites such as Google and Facebook also use it to establish secure connections and transmit data. It has become the industry standard for confidential communication on the Internet.

SSL consists of a record layer and a transport layer; the record-layer protocol defines the encapsulation format of the data carried over the transport layer. TLS uses X.509 certificates and then asymmetric cryptography to authenticate the communicating parties, after which a symmetric key is exchanged to serve as the session key. This session key is used to encrypt the data exchanged between the two parties, ensuring the confidentiality and reliability of communication between the two applications so that client-server traffic cannot be eavesdropped on by an attacker.

Overview

TLS uses a client-server model to establish a secure connection between two applications over a network, preventing eavesdropping and tampering during the exchange of data.

An advantage of TLS is that it is decoupled from the higher-level application protocols (such as HTTP, FTP and Telnet). Application protocols run transparently on top of TLS, which carries out the negotiation and authentication needed to set up the encrypted channel. All data sent by the application protocol is encrypted as it passes through TLS, which guarantees the confidentiality of the communication.

TLS is optional; both the client and the server must be configured to use it. There are two main ways to achieve this: one is to use a dedicated port for the TLS-protected protocol (for example port 443 for HTTPS); the other is for the client to request that the server switch to TLS through a protocol-specific mechanism (for example STARTTLS in the mail and news protocols). Once the client and the server have agreed to use TLS, they negotiate a stateful connection for transmitting data by means of a handshake procedure[1]. During the handshake, the client and the server negotiate the parameters used to establish the secure connection:

  • The handshake begins when a client connects to a TLS-enabled server, requests a secure connection and presents the list of cipher suites it supports (encryption algorithms and cryptographic hash functions).
  • The server picks a cipher and a hash function from that list and notifies the client of its choice.
  • The server sends back its digital certificate, which usually contains the server's name, the trusted certificate authority (CA) and the server's public key.
  • The client verifies the validity of the certificate issued to the server.
  • To generate the session key for the secure connection, the client encrypts a randomly generated key with the server's public key and sends it to the server; only the server can decrypt it, using its private key.
  • From the random values, both sides generate the symmetric keys used for encryption and decryption. This concludes the TLS handshake; the connection is secure until it is closed. If any of the steps above fails, the TLS handshake fails and the connection is torn down.
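The handshake above opens with a ClientHello carried in a record-layer envelope. The following Python parser is an added example, not code from the article: it decodes a constructed ClientHello (record header, handshake header, client_version, random, session id, cipher suites, compression methods and the server_name and supported_versions extensions, per RFC 5246, RFC 6066 and RFC 8446) and reports what the client offered, including whether the RFC 7507 downgrade signal TLS_FALLBACK_SCSV or an RC4 suite is present. The cipher-suite code points are the IANA registry values; the sample record and the name `example.test` are constructed for the demonstration.

```python
"""Decode the ClientHello that opens a TLS handshake (added example, not from the article)."""
import struct
from typing import Optional

# Cipher suite code points as registered with IANA.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x5600: "TLS_FALLBACK_SCSV",  # RFC 7507 downgrade-protection signal
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def _u16(buf: bytes, pos: int) -> int:
    """Big-endian uint16 at pos; raise instead of silently reading past the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Summarise a ClientHello record; raise ValueError on malformed input."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len:      # 22 = handshake
        raise ValueError("not a complete handshake record")
    if len(body) < 4 or body[0] != 1:                   # 1 = client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    client_version = _u16(hello, pos); pos += 2
    pos += 32                                           # 32-byte client random
    if pos >= len(hello):
        raise ValueError("truncated session_id")
    pos += 1 + hello[pos]                               # session_id<0..32>
    cs_len = _u16(hello, pos); pos += 2
    suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    if pos >= len(hello):
        raise ValueError("truncated compression_methods")
    pos += 1 + hello[pos]                               # compression_methods<1..255>
    sni: Optional[str] = None
    offered_versions = []
    if pos < len(hello):                                # extensions are optional
        end = pos + 2 + _u16(hello, pos); pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2); pos += 4
            data = hello[pos:pos + ext_len]; pos += ext_len
            if len(data) != ext_len:
                raise ValueError("truncated extension")
            if ext_type == 0 and len(data) >= 5:        # server_name (RFC 6066)
                name_len = _u16(data, 3)
                sni = data[5:5 + name_len].decode("ascii")
            elif ext_type == 43 and data:               # supported_versions (RFC 8446)
                offered_versions = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
    names = [CIPHER_NAMES.get(s, "0x%04X" % s) for s in suites]
    return {
        "client_version": VERSION_NAMES.get(client_version, hex(client_version)),
        "supported_versions": [VERSION_NAMES.get(v, hex(v)) for v in offered_versions],
        "cipher_suites": names,
        "sni": sni,
        "fallback_scsv": 0x5600 in suites,
        "rc4_offered": any("RC4" in n for n in names),
    }


def is_malformed(record: bytes) -> bool:
    """True when the parser rejects the record (truncation, wrong type, bad lengths)."""
    try:
        parse_client_hello(record)
    except ValueError:
        return True
    return False


def build_sample_client_hello() -> bytes:
    """Constructed ClientHello: TLS 1.2 legacy version, TLS 1.3 offered via supported_versions."""
    suites = [0x1301, 0xC02F, 0x002F, 0x0005, 0x5600]
    name = b"example.test"                              # constructed host name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", 0, len(sni_list)) + sni_list
    versions = struct.pack("!HH", 0x0304, 0x0303)
    ext_versions = struct.pack("!HH", 43, 1 + len(versions)) + bytes([len(versions)]) + versions
    extensions = ext_sni + ext_versions
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    print(parse_client_hello(build_sample_client_hello()))
```

Every length field is checked before it is used, so a truncated or mislabelled record is rejected rather than read out of bounds; on a passive monitor this is the shape of code that inventories offered protocol versions and cipher suites per client.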

History

Protocol Release date Status
SSL 1.0 Unpublished Unpublished
SSL 2.0 1995 Deprecated in 2011
SSL 3.0 1996 Deprecated in 2015
TLS 1.0 1999 Deprecation planned for 2020
TLS 1.1 2006 Deprecation planned for 2020
TLS 1.2 2008
TLS 1.3 2018

Secure Network Programming

Early research work aimed at retrofitting existing network applications had already produced a similar secure transport-layer API in the style of Berkeley sockets by 1993[2].

SSL 1.0, 2.0 and 3.0

SSL (Secure Sockets Layer) is a secure transport protocol designed by Netscape primarily for the Web, where it gained wide adoption[3].

The underlying algorithms were written by Taher Elgamal, then Netscape's chief scientist, which is why he is called the "father of SSL".[4][5]

In October 2014 Google announced a design flaw it had found in SSL 3.0 and recommended disabling the protocol. An attacker can send spurious error messages to TLS, forcing a secure connection to downgrade to the obsolete and insecure SSL 3.0, and then exploit its design flaw to steal sensitive information. Google progressively removed backward compatibility from its own products, mandating TLS. Mozilla completely disabled SSL 3.0 in Firefox 34, released on November 25. Microsoft likewise issued a security advisory[6].

  • Version 1.0 was never released publicly because of serious security flaws.
  • Version 2.0 was released in February 1995 but was replaced by version 3.0 because of several serious security flaws[7].
  • Version 3.0, released in 1996, was a complete redesign by the Netscape engineers Paul Kocher, Phil Karlton and Alan Freier. Newer versions of SSL/TLS are based on SSL 3.0. The IETF published SSL 3.0 as a historical document, RFC 6101.

TLS 1.0

The IETF standardized SSL as RFC 2246 and named it TLS (Transport Layer Security). Technically, TLS 1.0 differs only slightly from SSL 3.0, but, as the RFC puts it, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 includes a means by which an implementation can downgrade to SSL 3.0, which weakens the security of the connection[8]:1–2.

TLS 1.1

TLS 1.1 is defined in RFC 4346, published in April 2006[9], as an update of TLS 1.0. Differences in this version include:

  • Added protection against CBC attacks:
    • The implicit IV was replaced with an explicit IV.
    • The handling of padding errors in block-cipher modes was changed.
  • Support for IANA-registered parameters.[8]:2

TLS 1.2

TLS 1.2 is defined in RFC 5246, published in August 2008. It is based on the earlier TLS 1.1 specification. The main differences include:

  • The MD5-SHA-1 combination in the pseudorandom function was replaced with SHA-256, with an option for the cipher suite to specify the pseudorandom function.
  • The MD5-SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option for the cipher suite to specify the hash algorithm, although the hash in the Finished message is still truncated to 96 bits.
  • The MD5-SHA-1 combination in the digital signatures made during the handshake was replaced with a single hash method, SHA-1 by default.
  • Enhanced the ability of servers and clients to specify which hash and signature algorithms they accept.
  • Expanded support for authenticated encryption ciphers, used mainly for AES in GCM and CCM modes.
  • Added TLS extension definitions and AES cipher suites[8]:2. RFC 6176, published in March 2011, removed SSL compatibility from all TLS versions, so that a TLS session can never negotiate SSL 2.0 and its security problems are avoided.

TLS 1.3

TLS 1.3 is defined in RFC 8446, published in August 2018.[10] It is based on the earlier TLS 1.2 specification; the main differences from TLS 1.2 include:

  • Separating the key agreement and authentication algorithms from the cipher suites.
  • Removing support for weak and less-used named elliptic curves (see elliptic-curve cryptography).
  • Removing support for the MD5 and SHA-224 cryptographic hash functions.
  • Requiring digital signatures even when a previous configuration is used.
  • Integrating HKDF and the semi-ephemeral DH proposal.
  • Replacing resumption with PSK and tickets.
  • Supporting 1-RTT handshakes and initial support for 0-RTT.
  • Mandating perfect forward secrecy by means of ephemeral keys during the (EC)DH key agreement.
  • Dropping support for many insecure or obsolete features, including compression, renegotiation, non-AEAD ciphers, static RSA and static DH key exchange, custom DHE groups, point-format negotiation, the ChangeCipherSpec protocol, UNIX time in the Hello messages, and the length field AD input to AEAD ciphers.
  • Prohibiting SSL or RC4 negotiation for backwards compatibility.
  • Integrating the use of the session hash.
  • Deprecating the record-layer version number and freezing the number for improved backwards compatibility.
  • Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix.
  • Adding the ChaCha20 stream cipher with the Poly1305 message authentication code.
  • Adding the Ed25519 and Ed448 digital signature algorithms.
  • Adding the x25519 and x448 key exchange protocols.
  • Support for Encrypted Server Name Indication (ESNI) is planned.[11]
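The HKDF integration listed above is what turns the (EC)DHE shared secret into traffic keys in TLS 1.3. The following Python code is an added example, not part of the article or of any TLS library: it implements HKDF-Extract and HKDF-Expand from RFC 5869 (checked against that RFC's first test vector), the HKDF-Expand-Label and Derive-Secret wrappers from RFC 8446 section 7.1, and the first stages of the TLS 1.3 key schedule. The shared secret and transcript passed to `tls13_handshake_secrets` are constructed placeholders, not values from a real handshake.

```python
"""HKDF (RFC 5869) and the TLS 1.3 key-schedule wrappers (RFC 8446 §7.1). Added example."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes (RFC 5869 §2.2)."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """OKM = T(1) || T(2) || ... where T(i) = HMAC-Hash(PRK, T(i-1) || info || i) (RFC 5869 §2.3)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """HKDF-Expand(secret, HkdfLabel, length); HkdfLabel carries the "tls13 " prefix (RFC 8446 §7.1)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def derive_secret(secret: bytes, label: bytes, messages: bytes, hash_name: str = "sha256") -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    transcript_hash = hashlib.new(hash_name, messages).digest()
    return hkdf_expand_label(secret, label, transcript_hash, len(transcript_hash), hash_name)


def tls13_handshake_secrets(shared_secret: bytes, transcript: bytes, psk: bytes = b"") -> dict:
    """Early Secret -> Handshake Secret -> handshake traffic secrets -> Master Secret (RFC 8446 §7.1)."""
    hash_len = hashlib.sha256().digest_size
    early_secret = hkdf_extract(b"", psk or bytes(hash_len))       # no PSK: IKM is HashLen zeros
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""), shared_secret)
    return {
        "client_handshake_traffic_secret": derive_secret(handshake_secret, b"c hs traffic", transcript),
        "server_handshake_traffic_secret": derive_secret(handshake_secret, b"s hs traffic", transcript),
        "master_secret": hkdf_extract(derive_secret(handshake_secret, b"derived", b""), bytes(hash_len)),
    }


# RFC 5869 Appendix A, Test Case 1 (SHA-256).
RFC5869_TEST_CASE_1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "prk": bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
    "okm": bytes.fromhex("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"),
}


def check_rfc5869_vector() -> bool:
    """True when extract and expand reproduce the published PRK and OKM."""
    v = RFC5869_TEST_CASE_1
    prk = hkdf_extract(v["salt"], v["ikm"])
    return prk == v["prk"] and hkdf_expand(prk, v["info"], 42) == v["okm"]


if __name__ == "__main__":
    print("RFC 5869 vector:", check_rfc5869_vector())
    # Constructed inputs standing in for the (EC)DHE output and the ClientHello..ServerHello bytes.
    secrets = tls13_handshake_secrets(b"\x11" * 32, b"constructed transcript bytes")
    for name, value in secrets.items():
        print(name, value.hex())
```

Because every derived key is bound to the transcript hash, two handshakes that differ in a single offered cipher suite or extension end up with different traffic secrets, which is how TLS 1.3 ties the negotiated parameters to the keys without a separate "session hash" mechanism.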

Network Security Services (NSS), the cryptographic library developed by Mozilla and used by its Firefox browser, has enabled TLS 1.3 by default since February 2017.[12] TLS 1.3 was subsequently added to Firefox 52.0, released in March 2017, but was disabled by default because of compatibility problems for some users.[13] It was not enabled by default until Firefox 60.0.[14]

Google Chrome briefly made TLS 1.3 the default in 2017, but reverted the change because of incompatible components such as those from Blue Coat Systems.[15]

wolfSSL enabled TLS 1.3 in version 3.11.1, released in May 2017.[16] As the first deployment with TLS 1.3 support, wolfSSL 3.11.1 supported TLS 1.3 Draft 18 (support now extends to Draft 28),[17] and the project also published a series of blog posts on the performance difference between TLS 1.2 and TLS 1.3.[18]

Algorithms

Key exchange and key agreement

Before the client and server can begin exchanging information protected by TLS, they must securely exchange or agree upon an encryption key and the cipher to use when encrypting data. Methods used for key exchange include: public and private keys generated with the RSA algorithm (called TLS_RSA in the TLS handshake protocol), Diffie-Hellman (TLS_DH), ephemeral Diffie-Hellman (TLS_DHE), elliptic-curve Diffie-Hellman (TLS_ECDH), ephemeral elliptic-curve Diffie-Hellman (TLS_ECDHE), anonymous Diffie-Hellman (TLS_DH_anon)[19] and pre-shared key (TLS_PSK).[20]

The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and are rarely used, because they are vulnerable to man-in-the-middle attacks. Only TLS_DHE and TLS_ECDHE provide forward secrecy.

The length of the public/private keys used in the exchange and the public-key certificates used during the exchange also vary, and with them the strength of the security provided. In July 2013 Google announced that the TLS encryption offered to its users would no longer use 1024-bit public keys and would switch to 2048-bit keys to improve security.[21]

List of authentication and key exchange algorithms
Algorithm SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 Status
RSA Defined for TLS 1.2 in RFCs
DH-RSA
DHE-RSA (forward secrecy)
ECDH-RSA
ECDHE-RSA (forward secrecy)
DH-DSS
DHE-DSS (forward secrecy) [22]
ECDH-ECDSA
ECDHE-ECDSA (forward secrecy)
SRP
PSK-RSA
DHE-PSK (forward secrecy)
ECDHE-PSK (forward secrecy)
SRP
SRP-DSS
SRP-RSA
Kerberos
DH-ANON (insecure)
ECDH-ANON (insecure)
GOST R 34.10-94 / 34.10-2001[23] Proposed in RFC drafts

Cipher

Cipher security against publicly known feasible attacks
Type Algorithm Key length (bits) SSL 2.0 SSL 3.0[n 1][n 2][n 3][n 4] TLS 1.0[n 1][n 3] TLS 1.1[n 1] TLS 1.2[n 1] TLS 1.3 Status
Block cipher with mode of operation AES GCM[24][n 5] 256, 128 N/A N/A N/A N/A Secure Secure Defined for TLS 1.2 in RFCs
AES CCM[25][n 5] 256, 128 N/A N/A N/A N/A Secure Secure
AES CBC[n 6] 256, 128 N/A N/A Depends on mitigations Depends on mitigations Depends on mitigations N/A
Camellia GCM[26][n 5] 256, 128 N/A N/A N/A N/A Secure N/A
Camellia CBC[27][n 6] 256, 128 N/A N/A Depends on mitigations Depends on mitigations Depends on mitigations N/A
ARIA GCM[28][n 5] 256, 128 N/A N/A N/A N/A Secure N/A
ARIA CBC[28][n 6] 256, 128 N/A N/A Depends on mitigations Depends on mitigations Depends on mitigations N/A
SEED CBC[29][n 6] 128 N/A N/A Depends on mitigations Depends on mitigations Depends on mitigations N/A
3DES EDE CBC[n 6][n 7] 112[n 8] Insecure Insecure Insecure Insecure Insecure N/A
GOST 28147-89 CNT[23][n 7] 256 N/A N/A Insecure Insecure Insecure N/A Defined in RFC 4357
IDEA CBC[n 6][n 7][n 9] 128 Insecure Insecure Insecure Insecure N/A N/A Removed from TLS 1.2
DES CBC[n 6][n 7][n 9] 056 Insecure Insecure Insecure Insecure N/A N/A
DES CBC[n 6][n 7][n 9] 040[n 10] Insecure Insecure Insecure N/A N/A N/A Forbidden in TLS 1.1 and later
RC2 CBC[n 6][n 7] 040[n 10] Insecure Insecure Insecure N/A N/A N/A
Stream cipher ChaCha20-Poly1305[34][n 5] 256 N/A N/A N/A N/A Secure Secure Defined for TLS 1.2 in RFCs
RC4[n 11] 128 Insecure Insecure Insecure Insecure Insecure N/A Prohibited in all TLS versions by RFC 7465
RC4[n 11] 040[n 10] Insecure Insecure Insecure N/A N/A N/A
None Null[n 12] N/A Insecure Insecure Insecure Insecure N/A Defined for TLS 1.2 in RFCs
Notes
  1. RFC 5746 must be implemented to fix a renegotiation flaw that would otherwise break this protocol.
  2. If libraries implement fixes listed in RFC 5746, this violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Fortunately, most current libraries implement the fix and disregard the violation that this causes.
  3. The BEAST attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client and/or the server. See § Web browsers.
  4. The POODLE attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client and/or the server. See § Web browsers.
  5. AEAD ciphers (such as GCM and CCM) can be used in only TLS 1.2.
  6. CBC ciphers can be attacked with the Lucky Thirteen attack if the library is not written carefully to eliminate timing side channels.
  7. The Sweet32 attack breaks block ciphers with a block size of 64 bits.[30]
  8. Although the key length of 3DES is 168 bits, the effective security strength of 3DES is only 112 bits,[31] which is below the recommended minimum of 128 bits.[32]
  9. IDEA and DES have been removed from TLS 1.2.[33]
  10. 40-bit cipher suites were designed to operate at reduced key lengths to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  11. Use of RC4 in all versions of TLS is prohibited by RFC 7465 (because RC4 attacks weaken or break RC4 used in SSL/TLS).
  12. Authentication only, no encryption.
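The key-exchange section above (only TLS_DHE and TLS_ECDHE give forward secrecy) and the cipher table (RC4, DES, 3DES, export and null ciphers insecure; CBC suites dependent on mitigations; SSL 3.0 and TLS 1.0 broken by POODLE and BEAST) translate directly into a client configuration. The following Python code is an added example, not from the article: it builds a hardened client `ssl.SSLContext` using only the standard-library `ssl` module and OpenSSL cipher-list syntax, then audits what the context would actually negotiate. The audit treats the OpenSSL naming convention (TLS 1.3 suites named `TLS_…`, TLS 1.2 suites named after their key exchange, e.g. `ECDHE-…`) as given; the weak-substring list is this example's own choice.

```python
"""Hardened TLS client context and an audit of what it can negotiate (added example)."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that never negotiates SSL 3.0/TLS 1.0/1.1, compression or non-PFS suites."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname checking by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and TLS 1.1 are never offered
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS-level compression (CRIME), as TLS 1.3 mandates
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # absent on old OpenSSL builds
    # TLS 1.2 suites: ephemeral (EC)DHE key exchange only (forward secrecy) with AEAD ciphers;
    # the exclusions match the "insecure" rows of the cipher table. TLS 1.3 suites are
    # selected separately by OpenSSL and are all AEAD with ephemeral key exchange.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


WEAK_SUBSTRINGS = ("RC4", "DES", "NULL", "MD5", "anon", "EXP", "RC2", "IDEA")


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the negotiable protocol floor and cipher suites as plain ints/bools/lists."""
    names = [c["name"] for c in ctx.get_ciphers()]
    tls12_names = [n for n in names if not n.startswith("TLS_")]   # TLS 1.3 suites are TLS_AES_..., TLS_CHACHA20_...
    return {
        "min_version": int(ctx.minimum_version),                   # 0x0303 == 771 for TLS 1.2
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "tls12_suite_count": len(tls12_names),
        # TLS 1.2 suites whose key exchange is not ephemeral (EC)DHE, i.e. no forward secrecy
        "non_pfs_suites": [n for n in tls12_names if not (n.startswith("ECDHE-") or n.startswith("DHE-"))],
        "weak_suites": [n for n in names if any(s in n for s in WEAK_SUBSTRINGS)],
    }


if __name__ == "__main__":
    for label, ctx in (("default", ssl.create_default_context()), ("hardened", hardened_client_context())):
        report = audit_context(ctx)
        print(label, {k: v for k, v in report.items() if k != "non_pfs_suites"},
              "non_pfs_suites:", len(report["non_pfs_suites"]))
```

Run the block and compare the two reports: the default context already rejects the insecure rows of the table on modern OpenSSL, and the hardened one additionally drops every static-RSA and static-DH TLS 1.2 suite, which is what the forward-secrecy remark in the key-exchange section asks for.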

Data integrity

Message authentication codes (MACs) are used to authenticate data integrity. HMAC is used for CBC-mode block ciphers and for stream ciphers; AEAD is used for authenticated encryption, for example in GCM and CCM modes.

Data integrity
Algorithm SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 Status
HMAC-MD5 Defined for TLS 1.2 in RFCs
HMAC-SHA1
HMAC-SHA256/384
AEAD
GOST 28147-89 IMIT Proposed in RFC drafts
GOST R 34.11-94
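For the HMAC row of the table, the following Python code is an added example, not from the article: it computes the TLS 1.2 record MAC exactly as RFC 5246 section 6.2.3.1 specifies it for CBC and stream cipher suites, `MAC(MAC_write_key, seq_num || type || version || length || fragment)`, and verifies it with a constant-time comparison. The key is a constructed placeholder (in TLS it comes from the key block); the encryption step of the MAC-then-encrypt construction is left out so that the integrity check itself is visible.

```python
"""TLS 1.2 record MAC (RFC 5246 §6.2.3.1) with HMAC-SHA256; added example, not from the article."""
import hashlib
import hmac
import struct
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size   # 32-byte tag for HMAC-SHA256 suites


def record_mac(mac_key: bytes, seq_num: int, content_type: int, version: int, fragment: bytes) -> bytes:
    """HMAC over the 64-bit sequence number, record type, protocol version, length and fragment."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, "sha256").digest()


def protect_record(mac_key: bytes, seq_num: int, content_type: int, version: int, fragment: bytes) -> bytes:
    """Sender side: append the tag (the CBC/stream encryption that follows is omitted here)."""
    return fragment + record_mac(mac_key, seq_num, content_type, version, fragment)


def verify_record(mac_key: bytes, seq_num: int, content_type: int, version: int,
                  protected: bytes) -> Optional[bytes]:
    """Receiver side: return the fragment when the tag verifies, otherwise None (the record would be rejected)."""
    if len(protected) < MAC_LEN:
        return None
    fragment, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    if not hmac.compare_digest(tag, expected):   # constant-time compare, no early-exit timing leak
        return None
    return fragment


APPLICATION_DATA, HANDSHAKE, TLS12 = 23, 22, 0x0303


def demo() -> dict:
    """Show what the MAC binds: content, sequence number and record type."""
    key = bytes(range(32))                      # constructed placeholder MAC_write_key
    seq = 5
    protected = protect_record(key, seq, APPLICATION_DATA, TLS12, b"GET / HTTP/1.1\r\n")
    tampered = bytearray(protected)
    tampered[0] ^= 0x01                         # flip one bit of the fragment
    return {
        "genuine": verify_record(key, seq, APPLICATION_DATA, TLS12, protected),
        "tampered": verify_record(key, seq, APPLICATION_DATA, TLS12, bytes(tampered)),
        "replayed": verify_record(key, seq + 1, APPLICATION_DATA, TLS12, protected),   # wrong sequence number
        "retyped": verify_record(key, seq, HANDSHAKE, TLS12, protected),               # wrong record type
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {'accepted' if result is not None else 'rejected'}")
```

Only the genuine record is accepted: a modified byte, a replay under a different sequence number, or the same bytes presented as a different record type all fail, which is why the sequence number and header are part of the MAC input rather than just the payload.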

Applications and adoption

In application design, TLS is usually implemented on top of a transport-layer protocol, encrypting all the protocol-related data of application protocols such as HTTP, FTP, SMTP, NNTP and XMPP.

Historically, TLS has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

Websites

A primary use of TLS is to secure World Wide Web traffic between a website and a web browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the HTTPS protocol.[35]

Website protocol support
Protocol version Website support[36] Security[36][37]
SSL 2.0 2.2% Insecure
SSL 3.0 8.7% Insecure[38]
TLS 1.0 71.3% Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.1 79.1% Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.2 94.3% Depends on cipher[n 1] and client mitigations[n 2]
TLS 1.3 10.5% Secure
Notes
  1. See the § Cipher table above for details.
  2. See the § Web browsers and § Attacks against TLS/SSL sections.

Web browsers

As of April 2016, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default. However, not all supported Microsoft operating systems support the latest version of IE. Additionally, many operating systems currently support multiple versions of IE, but this has changed according to Microsoft's Internet Explorer Support Lifecycle Policy FAQ: "beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates." The page then goes on to list the latest supported version of IE at that date for each operating system. The next critical date would be when an operating system reaches the end of life stage, which is in Microsoft's Windows lifecycle fact sheet.

There are still problems on several browser versions:

Mitigations against known attacks are not enough yet:

  • Mitigations against POODLE attack: some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients, but also servers. Disabling SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC ciphers in SSL 3.0 is required.
    • Google Chrome: complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default since version 40. Support of SSL 3.0 itself was dropped since version 44.)
    • Mozilla Firefox: complete (support of SSL 3.0 itself is dropped since version 39. SSL 3.0 itself is disabled by default and fallback to SSL 3.0 are disabled since version 34, TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3.)
    • Internet Explorer: partial (only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable against POODLE.)
    • Opera: complete (TLS_FALLBACK_SCSV is implemented since version 20, "anti-POODLE record splitting", which is effective only with client-side implementation, is implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
    • Safari: complete (only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 is denied, but this means it will use RC4, which is not recommended as well. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
  • Mitigation against RC4 attacks:
    • Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
    • Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
    • Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
    • Internet Explorer for Windows 7 / Server 2008 R2 and for Windows 8 / Server 2012 have set the priority of RC4 to lowest and can also disable RC4 except as a fallback through registry settings. Internet Explorer 11 Mobile 11 for Windows Phone 8.1 disable RC4 except as a fallback if no other enabled algorithm works. Edge and IE 11 disable RC4 completely in August 2016.
  • Mitigation against FREAK attack:
    • The Android Browser of Android 4 and older is still vulnerable to the FREAK attack.
    • Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
    • Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
    • Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.
History of TLS/SSL support in web browsers
Browser Version Platform SSL protocols TLS protocols Certificate support Vulnerabilities fixed[n 1] User-selectable protocol
[n 2]
SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV
[n 3][40]
SHA-2
[41]
ECDSA
[42]
BEAST[n 4] CRIME[n 5] POODLE (SSLv3)[n 6] RC4[n 7] FREAK[43][44] Logjam
Google Chrome
(Chrome for Android)
[n 8]
[n 9]
1–9 Windows (7+)
OS X (10.10+)
Linux
Android (4.1+)
iOS (9.0+)
Chrome OS
Disabled by default Enabled by default
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected
[49]
Vulnerable
(HTTPS)
Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Yes[n 10]
10–20 No[50] Enabled by default
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Vulnerable
(HTTPS/SPDY)
Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Yes[n 10]
21 No Enabled by default
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated
[51]
Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Yes[n 10]
22–29 No Enabled by default [52] [52][53][54][55]
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
30–32 No Enabled by default [53][54][55]
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
33–37 No Enabled by default
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated Partly mitigated
[n 12]
Lowest priority
[58][59][60]
Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
38, 39 No Enabled by default
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Partly mitigated Lowest priority Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
40 No Disabled by default
[57][61]
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated
[n 13]
Lowest priority Vulnerable
(except Windows)
Vulnerable Yes[n 14]
41, 42 No Disabled by default
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated Lowest priority Mitigated Vulnerable Yes[n 14]
43 No Disabled by default
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated Only as fallback
[n 15][62]
Mitigated Vulnerable Yes[n 14]
44–47 No No[63]
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Not affected Only as fallback
[n 15]
Mitigated Mitigated[64] Temporary
[n 11]
48, 49 No No
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
50–53 No No
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
54–66 No No Disabled by default
(draft version)
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
67–69 No No Yes
(draft version)
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
70 71 No No
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
Google Android Browser
[67]
Android 1.0, 1.1, 1.5, 1.6, 2.0–2.1, 2.2–2.2.3 No Enabled by default Unknown Unknown Unknown Vulnerable Vulnerable Vulnerable Vulnerable
Android 2.3–2.3.7, 3.0–3.2.6, 4.0–4.0.4 No Enabled by default Unknown [41] since Android OS 3.0[68] Unknown Unknown Vulnerable Vulnerable Vulnerable Vulnerable
Android 4.1–4.3.1, 4.4–4.4.4 No Enabled by default Disabled by default[69] Disabled by default[69] Unknown [42] Unknown Unknown Vulnerable Vulnerable Vulnerable Vulnerable
Android 5.0–5.0.2 No Enabled by default [69][70] [69][70] Unknown Unknown Unknown Vulnerable Vulnerable Vulnerable Vulnerable
Android 5.1–5.1.1 No No
[citation needed]
Unknown Unknown Unknown Not affected Only as fallback
[n 15]
Mitigated Mitigated
Android 6.0–6.0.1, 7.0–7.1.2, 8.0–8.1 No No
[71]
Unknown Unknown Unknown Not affected Disabled by default Mitigated Mitigated
Android 9.0 No No Unknown Unknown Unknown Not affected Disabled by default Mitigated Mitigated
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam User-selectable protocol
Mozilla Firefox
(Firefox for mobile)
[n 17]
1.0, 1.5 Windows (7+)
OS X (10.9+)
Linux
Android (4.1+)
iOS (9.0+)
Firefox OS
Maemo

ESR only for:
Windows (7+)
OS X (10.9+)
Linux
Enabled by default
[72]
Enabled by default
[72]
[72] [41] Not affected
[73]
Not affected Vulnerable Vulnerable Not affected Vulnerable Yes[n 10]
2 Disabled by default
[72][74]
Enabled by default [42] Not affected Not affected Vulnerable Vulnerable Not affected Vulnerable Yes[n 10]
3–7 Disabled by default Enabled by default Not affected Not affected Vulnerable Vulnerable Not affected Vulnerable Yes[n 10]
8–10
ESR 10
No[74] Enabled by default Not affected Not affected Vulnerable Vulnerable Not affected Vulnerable Yes[n 10]
11–14 No Enabled by default Not affected Vulnerable
(SPDY)[51]
Vulnerable Vulnerable Not affected Vulnerable Yes[n 10]
15–22
ESR 17.0–17.0.10
No Enabled by default Not affected Mitigated Vulnerable Vulnerable Not affected Vulnerable Yes[n 10]
ESR 17.0.11 No Enabled by default Not affected Mitigated Vulnerable Lowest priority
[75][76]
Not affected Vulnerable Yes[n 10]
23 No Enabled by default Disabled by default
[77]
Not affected Mitigated Vulnerable Vulnerable Not affected Vulnerable Yes[n 18]
24, 25.0.0
ESR 24.0–24.1.0
No Enabled by default Disabled by default Disabled by default
[78]
Not affected Mitigated Vulnerable Vulnerable Not affected Vulnerable Yes[n 18]
25.0.1, 26
ESR 24.1.1
No Enabled by default Disabled by default Disabled by default Not affected Mitigated Vulnerable Lowest priority
[75][76]
Not affected Vulnerable Yes[n 18]
27–33
ESR 31.0–31.2
No Enabled by default [79][80] [81][80] Not affected Mitigated Vulnerable Lowest priority Not affected Vulnerable Yes[n 18]
34, 35
ESR 31.3–31.7
No Disabled by default
[82][83]
Not affected Mitigated Mitigated
[n 19]
Lowest priority Not affected Vulnerable Yes[n 18]
ESR 31.8 No Disabled by default Not affected Mitigated Mitigated Lowest priority Not affected Mitigated[86] Yes[n 18]
36–38
ESR 38.0
No Disabled by default Not affected Mitigated Mitigated Only as fallback
[n 15][87]
Not affected Vulnerable Yes[n 18]
ESR 38.1–38.8 No Disabled by default Not affected Mitigated Mitigated Only as fallback
[n 15]
Not affected Mitigated[86] Yes[n 18]
39–43 No No[88] Not affected Mitigated Not affected Only as fallback
[n 15]
Not affected Mitigated[86] Yes[n 18]
44–48
ESR 45.0–45.9
No No Not affected Mitigated Not affected Disabled by default[n 16][89][90][91][92] Not affected Mitigated Yes[n 18]
49–59
ESR 52.0–52.9
No No Disabled by default
(draft version)[93]
Not affected Mitigated Not affected Disabled by default[n 16] Not affected Mitigated Yes[n 18]
60–61
ESR 60.0–60.2
ESR 60.3 No No Yes
(draft version)
Not affected Mitigated Not affected Disabled by default[n 16] Not affected Mitigated Yes[n 18]
62
63 No No Not affected Mitigated Not affected Disabled by default[n 16] Not affected Mitigated Yes[n 18]
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam User-selectable protocol
Microsoft Internet Explorer
[n 20]
1.x Windows 3.1, 95, NT,[n 21][n 22]
Mac OS 7, 8
No SSL/TLS support
2 Yes No SSL 3.0 or TLS support Vulnerable Vulnerable Vulnerable N/A
3 Yes Yes[96] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable Unknown
4, 5, 6 Windows 3.1, 95, 98, NT, 2000[n 21][n 22]
Mac OS 7.1, 8, X,
Solaris, HP-UX
Enabled by default Enabled by default Disabled by default
[96]
Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
6 Windows XP[n 22] Enabled by default Enabled by default Disabled by default
[n 23][97]
Mitigated Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
6 Server 2003[n 22] Enabled by default Enabled by default Disabled by default
[n 23][97]
Mitigated Not affected Vulnerable Vulnerable Mitigated
[100]
Mitigated
[101]
Yes[n 10]
7, 8 Windows XP[n 22] Disabled by default
[102]
Enabled by default [102]
[n 23][97]
Mitigated Not affected Vulnerable Vulnerable Vulnerable Vulnerable Yes[n 10]
7, 8 Server 2003[n 22] Disabled by default
[102]
Enabled by default [102]
[n 23][97]
Mitigated Not affected Vulnerable Vulnerable Mitigated
[100]
Mitigated
[101]
Yes[n 10]
7, 8, 9 Windows Vista Disabled by default Enabled by default [42] Mitigated Not affected Vulnerable Vulnerable Mitigated
[100]
Mitigated
[101]
Yes[n 10]
7, 8[n 24] 9 Server 2008 Disabled by default Enabled by default Disabled by default[39]
(KB4019276)
Disabled by default[39]
(KB4019276)
[42] Mitigated Not affected Vulnerable Vulnerable Mitigated
[100]
Mitigated
[101]
Yes[n 10]
8, 9, 10[n 24] Windows 7 Disabled by default Enabled by default Disabled by default
[104]
Disabled by default
[104]
Mitigated Not affected Vulnerable Lowest priority
[105][n 25]
Mitigated
[100]
Mitigated
[101]
Yes[n 10]
Server 2008 R2
10[n 24] Windows 8 Disabled by default Enabled by default Disabled by default
[104]
Disabled by default
[104]
Mitigated Not affected Vulnerable Lowest priority
[105][n 25]
Mitigated
[100]
Mitigated
[101]
Yes[n 10]
10 Server 2012 Disabled by default Enabled by default Disabled by default
[104]
Disabled by default
[104]
Mitigated Not affected Vulnerable Lowest priority
[105][n 25]
Mitigated
[100]
Mitigated
[101]
Yes[n 10]
11 Windows 7 Disabled by default Disabled by default
[n 26]
[107] [107] Mitigated Not affected Mitigated
[n 26]
Disabled by default[111] Mitigated
[100]
Mitigated
[101]
Yes[n 10]
Server 2008 R2
11 Windows 8.1 Disabled by default Disabled by default
[n 26]
[107] [107] Mitigated Not affected Mitigated
[n 26]
Disabled by default[n 16] Mitigated
[100]
Mitigated
[101]
Yes[n 10]
Server 2012 R2
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam User-selectable protocol
Microsoft Edge[n 27]
and (as fallback)
Internet Explorer[n 20]
IE 11 Edge
12–13
Windows 10
v1507–v1511
Disabled by default Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Edge 14 Windows 10 v1607 No[112] Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Edge 15 Windows 10 v1703 No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Edge 16 Windows 10 v1709 No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Edge 17 Windows 10 v1803 No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Edge 18 Windows 10 v1809 No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
Microsoft Internet Explorer
Client LTSC
[n 20]
IE 11 Windows 10 LTSB 2015 (v1507)[n 28] Disabled by default Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Windows 10 LTSB 2016 (v1607) No[112] Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Windows 10 LTSC 2019 (v1809) No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
Microsoft Internet Explorer
Server
[n 20]
IE 11 Server 2016
v1607 (LTSB)
No[112] Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Server v1709 (SAC) No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Server v1803 (SAC) No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
IE 11 Server 2019
v1809 (LTSC)
No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated Yes[n 10]
Microsoft Internet Explorer Mobile
[n 20]
7, 9 Windows Phone 7, 7.5, 7.8 Disabled by default
[102]
Enabled by default
[citation needed]
[citation needed]
[citation needed]
[68] Unknown Not affected Vulnerable Vulnerable Vulnerable Vulnerable Only with 3rd party tools[n 29]
10 Windows Phone 8 Disabled by default Enabled by default Disabled by default
[115]
Disabled by default
[115]
[citation needed]
[116] Mitigated Not affected Vulnerable Vulnerable Vulnerable Vulnerable Only with 3rd party tools[n 29]
11 Windows Phone 8.1 Disabled by default Enabled by default [117] [117]
[citation needed]
Mitigated Not affected Vulnerable Only as fallback
[n 15][118][119]
Vulnerable Vulnerable Only with 3rd party tools[n 29]
Microsoft Edge
[n 27]
Edge 13 Windows 10 Mobile v1511 Disabled by default Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated
Edge 14 Windows 10 Mobile v1607 No[112] Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated
Edge 15 Windows 10 Mobile v1703 No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated
Edge 15 Windows 10 Mobile v1709 No Disabled by default Mitigated Not affected Mitigated Disabled by default[n 16] Mitigated Mitigated
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam User-selectable protocol
Opera
(Opera Mobile)
Pre-Presto and Presto
[n 30]
1–2 Windows
MacOS
Linux
Android
Symbian S60
Maemo
Windows Mobile
No SSL/TLS support[121]
3 Yes[122] No No SSL 3.0 or TLS support Vulnerable Unknown Unknown N/A
4 Yes Yes[123] Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Unknown
5 Enabled by default Enabled by default [124] Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
6–7 Enabled by default Enabled by default [124] [41] Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
8 Enabled by default Enabled by default Disabled by default
[125]
Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
9 Disabled by default
[126]
Enabled by default since v9.5
(desktop only)
Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
10–11.52 No[127] Enabled by default Disabled by default Disabled by default
[127]
(desktop only)
Vulnerable Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
11.60–11.64 No Enabled by default Disabled by default Disabled by default
(desktop only)
Mitigated
[128]
Not affected Vulnerable Vulnerable Unknown Unknown Yes[n 10]
12–12.14 No Disabled by default
[n 31]
Disabled by default Disabled by default
(desktop only)
Mitigated Not affected Mitigated
[n 31]
Vulnerable Unknown Mitigated[130] Yes[n 10]
12.15–12.17 No Disabled by default Disabled by default Disabled by default
(desktop only)
Mitigated Not affected Mitigated Partly mitigated
[131][132]
Unknown Mitigated[130] Yes[n 10]
12.18 No Disabled by default [133] [133]
(desktop only)
[133] Mitigated Not affected Mitigated Disabled by default[n 16][133] Mitigated[133] Mitigated[130] Yes[n 10]
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam User-selectable protocol
Opera
(Opera Mobile)
WebKit and Blink
[n 32]
14–16 Windows (7+)
OS X (10.9+)
Linux
Android (4.1+)
No Enabled by default [136] [136]
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
17–19 No Enabled by default [137] [137]
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated Vulnerable Vulnerable Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
20–24 No Enabled by default
(desktop only)
Requires SHA-2-compatible OS[41] Requires ECC-compatible OS[42] Not affected Mitigated Partly mitigated
[n 33]
Lowest priority
[138]
Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
25, 26 No Enabled by default
[n 34]
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated
[n 35]
Lowest priority Vulnerable
(except Windows)
Vulnerable Temporary
[n 11]
27 No Disabled by default
[61]
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated
[n 36]
Lowest priority Vulnerable
(except Windows)
Vulnerable Yes[n 37]
(desktop only)
28, 29 No Disabled by default
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated Lowest priority Mitigated Vulnerable Yes[n 37]
(desktop only)
30 No Disabled by default
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Mitigated Only as fallback
[n 15][62]
Mitigated Mitigated[130] Yes[n 37]
(desktop only)
31–34 No No[63]
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Not affected Only as fallback
[n 15][62]
Mitigated Mitigated Temporary
[n 11]
35, 36 No No
(desktop only)
Requires ECC-compatible OS[42] Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
37–40 No No
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
41–56 No No Disabled by default
(draft version)
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
57 No No
(desktop only)
Not affected Mitigated Not affected Disabled by default[n 16][65][66] Mitigated Mitigated Temporary
[n 11]
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV certificate SHA-2 certificate ECDSA certificate BEAST CRIME POODLE (SSLv3) RC4 FREAK Logjam User-selectable protocol
Safari
[n 38]
1 Mac OS X 10.2, 10.3 No[143] Yes Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
2–5 Mac OS X 10.4, 10.5, Win XP No Yes since v3.2 Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
3–5 Vista, Win 7 No Yes since v3.2 [68] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
4–6 Mac OS X 10.6, 10.7 No Yes [41] [42] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
6 OS X 10.8 No Yes [42] Mitigated
[n 39]
Not affected Mitigated
[n 40]
Vulnerable
[n 40]
Mitigated
[149]
Vulnerable
7, 9 OS X 10.9 No Yes [150] [150] Mitigated
[145]
Not affected Mitigated
[n 40]
Vulnerable
[n 40]
Mitigated
[149]
Vulnerable
8–10 OS X 10.10 No Yes Mitigated Not affected Mitigated
[n 40]
Lowest priority
[151][n 40]
Mitigated
[149]
Mitigated
[152]
9–11 OS X 10.11 No No Mitigated Not affected Not affected Lowest priority Mitigated Mitigated
10, 11 12 macOS 10.12 No No Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated
11 12 macOS 10.13 No No Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated
12 macOS 10.14 No No Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated
Safari
(mobile)
[n 41]
3 iPhone OS 1, 2 No[156] Yes Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
4, 5 iPhone OS 3, iOS 4 No Yes [157] since iOS 4[68] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
5, 6 iOS 5, 6 No Yes [153] [153] Vulnerable Not affected Vulnerable Vulnerable Vulnerable Vulnerable
7 iOS 7 No Yes [158] Mitigated
[159]
Not affected Vulnerable Vulnerable Vulnerable Vulnerable
8 iOS 8 No Yes Mitigated Not affected Mitigated
[n 40]
Lowest priority
[160][n 40]
Mitigated
[161]
Mitigated
[162]
9 iOS 9 No No Mitigated Not affected Not affected Lowest priority Mitigated Mitigated
10 iOS 10 No No Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated
11 iOS 11 No No Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated
12 iOS 12 No No Mitigated Not affected Not affected Disabled by default[n 16] Mitigated Mitigated
Browser Version Platform SSL 2.0
(insecure)
SSL 3.0
(insecure)
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 EV
[n 3]
SHA-2 ECDSA BEAST[n 4] CRIME[n 5] POODLE (SSLv3)[n 6] RC4[n 7] FREAK[43][44] Logjam User-selectable protocol
SSL protocols TLS protocols Certificate support Vulnerabilities fixed
Color or Note Significance
Browser version Platform
Browser version OS Future release; in development
Browser version OS Current latest release
Browser version OS Former release; still supported
Browser version OS Former release; still supported, but support ends in under 12 months
Browser version OS Former release; no longer supported
n/a OS Mixed/unspecified
OS (Version+) Minimum required OS version (for supported browser versions)
OS This OS is no longer supported
Notes
  1. Whether the browser has mitigations for, or is not vulnerable to, the known attacks. Note that actual security depends on other factors such as the negotiated cipher, encryption strength etc. (see § Cipher table).
  2. Whether the user or administrator can choose which protocols are used. If so, several attacks can be avoided, such as BEAST (vulnerable in SSL 3.0 and TLS 1.0) or POODLE (vulnerable in SSL 3.0).
  3. Whether EV SSL and DV SSL (normal SSL) can be distinguished by indicators (green lock icon, green address bar, etc.) or not.
  4. e.g. 1/n-1 record splitting.
  5. e.g. Disabling header compression in HTTPS/SPDY.
  6.
    • Complete mitigations; disabling SSL 3.0 itself, "anti-POODLE record splitting". "Anti-POODLE record splitting" is effective only with client-side implementation and valid according to the SSL 3.0 specification; however, it may also cause compatibility issues due to problems in server-side implementations.
    • Partial mitigations; disabling fallback to SSL 3.0, TLS_FALLBACK_SCSV, disabling cipher suites with CBC mode of operation. If the server also supports TLS_FALLBACK_SCSV, the POODLE attack will fail against this combination of server and browser, but connections where the server does not support TLS_FALLBACK_SCSV and does support SSL 3.0 will still be vulnerable. If cipher suites with CBC mode of operation are disabled in SSL 3.0, only cipher suites with RC4 remain available, and RC4 attacks become easier.
    • When SSL 3.0 is disabled manually, the POODLE attack will fail.
  7.
    • Complete mitigation; disabling cipher suites with RC4.
    • Partial mitigations to keep compatibility with old systems; setting the priority of RC4 lower.
  8. Google Chrome (and Chromium) supports TLS 1.0, and TLS 1.1 from version 22 (it was added, then dropped from version 21). TLS 1.2 support has been added, then dropped from Chrome 29.[45][46][47]
  9. Uses the TLS implementation provided by BoringSSL for Android, OS X, and Windows[48] or by NSS for Linux. Google is switching the TLS library used in Chrome to BoringSSL from NSS completely.
  10. Configure enabling/disabling of each protocol via a setting/option (the menu name depends on the browser).
  11. Configure the maximum and the minimum version of the enabled protocols with a command-line option.
  12. TLS_FALLBACK_SCSV is implemented.[56] Fallback to SSL 3.0 is disabled since version 39.[57]
  13. In addition to TLS_FALLBACK_SCSV and disabling a fallback to SSL 3.0, SSL 3.0 itself is disabled by default.[57]
  14. Configure the minimum version of the enabled protocols via chrome://flags[61] (the maximum version can be configured with a command-line option).
  15. Only when no cipher suites other than those with RC4 are available will cipher suites with RC4 be used as a fallback.
  16. All RC4 cipher suites are disabled by default.
  17. Uses the TLS implementation provided by NSS. As of Firefox 22, Firefox supports only TLS 1.0 despite the bundled NSS supporting TLS 1.1. Since Firefox 23, TLS 1.1 can be enabled, but was not enabled by default due to issues. Firefox 24 has TLS 1.2 support disabled by default. TLS 1.1 and TLS 1.2 have been enabled by default in the Firefox 27 release.
  18. Configure the maximum and the minimum version of the enabled protocols via about:config.
  19. SSL 3.0 itself is disabled by default.[82] In addition, fallback to SSL 3.0 is disabled since version 34,[84] and TLS_FALLBACK_SCSV is implemented since 35.0 and ESR 31.3.[82][85]
  20. IE uses the TLS implementation of the Microsoft Windows operating system provided by the SChannel security support provider. TLS 1.1 and 1.2 are disabled by default until IE11.[94][95]
  21. Windows NT 3.1 supports IE 1–2, Windows NT 3.5 supports IE 1–3, Windows NT 3.51 and Windows NT 4.0 support IE 1–6.
  22. Windows XP as well as Server 2003 and older support only weak ciphers like 3DES and RC4 out of the box.[98] The weak ciphers of these SChannel versions are not only used for IE, but also for other Microsoft products running on this OS, like Office or Windows Update. Only Windows Server 2003 can get a manual update to support AES ciphers via KB948963.[99]
  23. MS13-095 or MS14-049 for 2003 and XP-64 or SP3 for XP (32-bit).
  24. Internet Explorer Support Announcement.[103]
  25. RC4 can be disabled except as a fallback (only when no cipher suites other than those with RC4 are available will cipher suites with RC4 be used as a fallback).[106]
  26. Fallback to SSL 3.0 is blocked by default for sites in Internet Explorer 11 Protected Mode.[108][109] SSL 3.0 is disabled by default in Internet Explorer 11 since April 2015.[110]
  27. ^ 27.0 27.1 Edge (formerly known as Project Spartan) is based on a fork of the Internet Explorer 11 rendering engine.
  28. ^ Except Windows 10 LTSB 2015 (LongTermSupportBranch)[113]
  29. ^ 29.0 29.1 29.2 Could be disabled via registry editing but need 3rd Party tools to do this.[114]
  30. ^ Opera 10 added support for TLS 1.2 as of Presto 2.2. Previous support was for TLS 1.0 and 1.1. TLS 1.1 and 1.2 are disabled by default (except for version 9[120] that enabled TLS 1.1 by default).
  31. ^ 31.0 31.1 SSL 3.0 is disabled by default remotely since October 15, 2014[129]
  32. ^ TLS support of Opera 14 and above is same as that of Chrome, because Opera has migrated to Chromium backend (Opera 14 for Android is based on Chromium 26 with WebKit,[134] and Opera 15 and above are based on Chromium 28 and above with Blink[135]).
  33. ^ TLS_FALLBACK_SCSV is implemented.[138]
  34. ^ SSL 3.0 is enabled by default, with some mitigations against known vulnerabilities such as BEAST and POODLE implemented.[129]
  35. ^ In addition to TLS_FALLBACK_SCSV, "anti-POODLE record splitting" is implemented.[129]
  36. ^ In addition to TLS_FALLBACK_SCSV and "anti-POODLE record splitting", SSL 3.0 itself is disabled by default.[61]
  37. ^ 37.0 37.1 37.2 configure the minimum version of enabling protocols via opera://flags[61] (the maximum version can be configured with command-line option)
  38. ^ Safari uses the operating system implementation on Mac OS X, Windows (XP, Vista, 7)[139] with unknown version,[140] Safari 5 is the last version available for Windows. OS X 10.8 on have SecureTransport support for TLS 1.1 and 1.2[141] Qualys SSL report simulates Safari 5.1.9 connecting with TLS 1.0 not 1.1 or 1.2[142]
  39. ^ In September 2013, Apple implemented BEAST mitigation in OS X 10.8 (Mountain Lion), but it was not turned on by default resulting in Safari still being theoretically vulnerable to the BEAST attack on that platform.[144][145] BEAST mitigation has been enabled by default from OS X 10.8.5 updated in February 2014.[146]
  40. ^ 40.0 40.1 40.2 40.3 40.4 40.5 40.6 40.7 Because Apple removed support for all CBC protocols in SSL 3.0 to mitigate POODLE,[147][148] this leaves only RC4 which is also completely broken by the RC4 attacks in SSL 3.0.
  41. ^ Mobile Safari and third-party software utilizing the system UIWebView library use the iOS operating system implementation, which supports TLS 1.2 as of iOS 5.0.[153][154][155]


Most SSL and TLS programming libraries are free and open-source software.

  • BoringSSL, a fork of OpenSSL for Chrome/Chromium and Android as well as other Google applications.
  • Botan, a BSD-licensed cryptographic library written in C++.
  • CryptoComply: a family of FIPS 140-2 validated encryption modules designed to simplify FIPS 140-2 certification requirements.
  • cryptlib: a portable open source cryptography library (includes TLS/SSL implementation)
  • Delphi programmers may use a library called Indy, which utilizes OpenSSL, or alternatively ICS, which now supports TLS 1.3.
  • GnuTLS: a free implementation (LGPL licensed)
  • Java Secure Socket Extension: a Java implementation included in the Java Runtime Environment supported TLS 1.1 and 1.2 starting with Java 7. (TLS 1.1/1.2 were initially disabled by default for client on Java 7, but were enabled in January 2017.[163]) Java 11 supports TLS 1.3.[164]
  • LibreSSL: a fork of OpenSSL by OpenBSD project.
  • MatrixSSL: a dual licensed implementation
  • mbed TLS (previously PolarSSL): A tiny SSL library implementation for embedded devices that is designed for ease of use
  • Network Security Services: FIPS 140 validated open source library
  • OpenSSL: a free implementation (BSD license with some extensions)
  • SChannel: an implementation of SSL and TLS in Microsoft Windows, shipped as part of the operating system.
  • Secure Transport: an implementation of SSL and TLS used in OS X and iOS as part of their packages.
  • wolfSSL (previously CyaSSL): Embedded SSL/TLS Library with a strong focus on speed and size.
Library support for TLS/SSL
Implementation SSL 2.0 (insecure) SSL 3.0 (insecure) TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
Botan No No[165]
CryptoComply No Disabled by default Yes (draft version)
cryptlib No Disabled by default at compile time
GnuTLS No[a] Disabled by default[166] Yes (draft version)[167]
Java Secure Socket Extension No[a] Disabled by default[168]
LibreSSL No[169] No[170]
MatrixSSL No Disabled by default at compile time[171] Yes (draft version)
mbed TLS (previously PolarSSL) No Disabled by default[172]
Network Security Services No[b] Disabled by default[173] [174] [175] [176]
OpenSSL No[177] Enabled by default [178] [178] [179]
RSA BSAFE[180] No Yes
SChannel XP / 2003[181] Disabled by default by MSIE 7 Enabled by default Enabled by default by MSIE 7
SChannel Vista[182] Disabled by default Enabled by default
SChannel 2008[182] Disabled by default Enabled by default Disabled by default (KB4019276)[39] Disabled by default (KB4019276)[39]
SChannel 7 / 2008 R2[183] Disabled by default Disabled by default in MSIE 11 Enabled by default by MSIE 11 Enabled by default by MSIE 11
SChannel 8 / 2012[183] Disabled by default Enabled by default Disabled by default Disabled by default
SChannel 8.1 / 2012 R2, 10 v1507 & v1511[183] Disabled by default Disabled by default in MSIE 11
SChannel 10 v1607 / 2016[112] No Disabled by default
Secure Transport OS X 10.2–10.8 / iOS 1–4 Yes Yes
Secure Transport OS X 10.9–10.10 / iOS 5–8 No[c] Yes [c] [c]
Secure Transport OS X 10.11 / iOS 9 No No[c]
SharkSSL No Disabled by default
wolfSSL (previously CyaSSL) No Disabled by default[184] Yes (draft version)[185]
  a. ^ An SSL 2.0-format client hello is still accepted for backward compatibility, even though SSL 2.0 itself is unsupported or disabled.
  b. ^ The server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages.[186]
  c. ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9. TLS 1.1 and 1.2 are available on iOS 5.0 and later, and OS X 10.9 and later.[187]
  d. ^ [188]

A paper presented at the 2012 ACM conference on computer and communications security[189] showed that few applications used some of these SSL libraries correctly, leading to vulnerabilities. According to the authors

"the root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."

Other uses

The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS; such applications use public-key authentication to verify the identity of the endpoints.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.[citation needed]

Process

SSL handshake with mutual (two-way) certificate authentication.

The following briefly describes how the SSL protocol works. The client sends and receives several handshake messages:

  1. It sends a "ClientHello" message, containing: the supported protocol version (for example TLS 1.0), a client-generated random number (later used to derive the "session key"), the supported encryption algorithms (such as RSA public-key encryption) and the supported compression algorithms.
  2. It then receives a "ServerHello" message, containing: confirmation of the encryption protocol version to use (for example TLS 1.0; if the versions supported by the browser and the server do not match, the server closes the encrypted connection), a server-generated random number (later used to derive the "session key"), confirmation of the encryption method to use (such as RSA public-key encryption), and the server certificate.
  3. Once both sides know the connection parameters, the client and server exchange certificates (according to the chosen public-key system). These certificates are usually based on X.509, although a draft exists for certificates based on OpenPGP.
  4. The server requests the client's public key. If the client has a certificate, this is mutual authentication; if it has no certificate, a public key is generated at random.
  5. The client and server use public-key cryptography to agree secretly on a common master secret (negotiated at random by both sides); this is done through a carefully designed pseudorandom function. The result may come from a Diffie-Hellman exchange or from simplified public-key encryption, where each side decrypts with its own private key. All other key material is derived from this "master secret". During data transfer, the record layer (Record layer) encapsulates higher-level protocols such as HTTP. Record-layer data can optionally be compressed and encrypted, and is packed together with a message authentication code. Each record-layer packet has a Content-Type field that identifies the higher-level protocol in use.
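As an added illustration of steps 1 and 2 (hypothetical helper code written for this article, not taken from any TLS library), the following Python builds a minimal ClientHello record with the fields listed above, parses it back with every length field checked against the bytes actually present, and applies the ServerHello decision rule: the highest version both sides support and the first cipher suite in the server's preference order, or abort when there is no common version. The cipher-suite code points are real IANA values; the random bytes, version lists and server preferences are constructed sample data, and extensions are not modelled.

```python
"""Added example for the ClientHello / ServerHello steps above.
Hypothetical helper code written for this article, not taken from any TLS library;
only the version, random, session id, cipher suites and compression fields are modelled
(no extensions). Sample values are constructed."""
import os
import struct

CONTENT_TYPE_HANDSHAKE = 22      # record-layer Content-Type of handshake messages
HANDSHAKE_CLIENT_HELLO = 1       # HandshakeType client_hello
# Real IANA cipher-suite code points, used here as the client's offer.
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
COMPRESSION_NULL = 0


def build_client_hello(version, client_random, cipher_suites, compression=(COMPRESSION_NULL,)):
    """Serialize ClientHello(version, random, empty session id, cipher suites,
    compression methods) and wrap it in a handshake header and a TLS record."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = bytes(version) + client_random + b"\x00"       # version || random || session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Parse a record produced by build_client_hello; each length field is checked
    against the bytes actually present before it is trusted."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    if struct.unpack("!H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length does not match payload")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("handshake length does not match payload")
    body = hs[4:]
    if len(body) < 35:                                  # version(2) + random(32) + sid_len(1)
        raise ValueError("ClientHello truncated")
    version = (body[0], body[1])
    client_random = body[2:34]
    pos = 35 + body[34]                                 # skip the session id
    if pos + 2 > len(body):
        raise ValueError("cipher suite length missing")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len + 1 > len(body):
        raise ValueError("cipher suite list truncated")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp = list(body[pos + 1:pos + 1 + body[pos]])
    if len(comp) != body[pos]:
        raise ValueError("compression list truncated")
    return {"version": version, "random": client_random,
            "cipher_suites": suites, "compression": comp}


def server_select(hello, server_versions, server_suites):
    """The ServerHello decision of step 2: the highest version both sides support and
    the first suite in the server's preference order that the client offered.
    Returns None where the article says the server closes the connection."""
    common = [v for v in server_versions if v <= hello["version"]]
    suite = next((s for s in server_suites if s in hello["cipher_suites"]), None)
    if not common or suite is None:
        return None
    return {"version": max(common), "cipher_suite": suite, "server_random": os.urandom(32)}


if __name__ == "__main__":
    # Constructed client offering RC4 first; a server that prefers AES still picks AES.
    record = build_client_hello((3, 1), bytes(range(32)),
                                [TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA])
    hello = parse_client_hello(record)
    print(server_select(hello, [(3, 1), (3, 3)], [TLS_RSA_WITH_AES_128_CBC_SHA]))
    print(server_select(hello, [(3, 3)], [TLS_RSA_WITH_AES_128_CBC_SHA]))   # None: no common version
```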

TLS

TLS uses key algorithms to provide endpoint authentication and communication confidentiality over the Internet, built on a public key infrastructure. In typical deployments, however, only the server is reliably authenticated, while the client is not necessarily; this is because public key infrastructures are generally run commercially, and digital signature certificates usually have to be purchased. The protocol's design allows client-server applications to protect their communication, to a certain degree, against eavesdropping, tampering and message forgery.

TLS consists of three basic phases:

  1. Peer negotiation of the supported key algorithms
  2. Encryption and authentication of the key-exchange information based on asymmetric keys, and authentication based on PKI certificates
  3. Confidential data transfer based on symmetric keys

In the first phase, the client and server negotiate the cipher algorithms to be used. The algorithm choices that are widely implemented today are as follows:

TLS/SSL provides a variety of security protections:

  • All record-layer data is numbered, and the sequence number is included in the message authentication code check.
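To show why the record numbering matters, the following added Python (hypothetical helper code written for this article, not from any TLS library) computes a record MAC over the implicit 64-bit sequence number, type, version, length and fragment, in the layout used by TLS 1.2 (RFC 5246 section 6.2.3.1), and then checks what a receiver does with an in-order, a replayed, a reordered and a tampered record. Encryption is left out so the integrity check stands on its own; the key and application-data messages are constructed.

```python
"""Added example for the record-layer numbering above (layout of RFC 5246 6.2.3.1,
MAC over seq_num || type || version || length || fragment). Hypothetical helper code
written for this article, not from any TLS library; encryption is left out so the
integrity check stands on its own, and the key and messages are constructed."""
import hashlib
import hmac
import struct

CONTENT_TYPE_APPLICATION_DATA = 23
TLS12 = (3, 3)
MAC_LEN = 32                      # HMAC-SHA256 output length


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """The implicit 64-bit sequence number is MACed but never sent on the wire,
    so an identical fragment at another position in the stream gets a different tag."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq_num = 0          # starts at 0 for every new connection state

    def send(self, fragment, content_type=CONTENT_TYPE_APPLICATION_DATA):
        """Return the record bytes: type || version || length || fragment || MAC."""
        tag = record_mac(self.mac_key, self.seq_num, content_type, TLS12, fragment)
        self.seq_num += 1
        return (bytes([content_type]) + bytes(TLS12)
                + struct.pack("!H", len(fragment) + MAC_LEN) + fragment + tag)


class RecordReceiver:
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq_num = 0          # the receiver counts records itself

    def receive(self, record):
        """Verify the MAC with the receiver's own expected sequence number; a replayed
        or reordered record carries a tag for the wrong number and is rejected."""
        if len(record) < 5 + MAC_LEN:
            raise ValueError("record too short")
        content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
        payload = record[5:]
        if length != len(payload):
            raise ValueError("record length does not match payload")
        fragment, tag = payload[:-MAC_LEN], payload[-MAC_LEN:]
        expected = record_mac(self.mac_key, self.seq_num, content_type, (major, minor), fragment)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac at sequence number %d" % self.seq_num)
        self.seq_num += 1
        return fragment


def check_ordering(mac_key=b"constructed-mac-key-for-demo"):
    """Deliver two records in order, then replay the first; to fresh receivers deliver
    the second record first and a tampered copy of the first. Returns each outcome."""
    sender = RecordSender(mac_key)
    r1 = sender.send(b"GET /account HTTP/1.1\r\n")       # constructed application data
    r2 = sender.send(b"POST /transfer HTTP/1.1\r\n")

    def outcome(receiver, record):
        try:
            receiver.receive(record)
            return "accepted"
        except ValueError:
            return "rejected"

    in_order = RecordReceiver(mac_key)
    results = {"first": outcome(in_order, r1),
               "second": outcome(in_order, r2),
               "replay_first": outcome(in_order, r1)}
    results["reordered"] = outcome(RecordReceiver(mac_key), r2)
    tampered = r1[:6] + bytes([r1[6] ^ 0x01]) + r1[7:]   # flip one bit of the fragment
    results["tampered"] = outcome(RecordReceiver(mac_key), tampered)
    return results


if __name__ == "__main__":
    print(check_ordering())
```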

References

  1. ^ "SSL/TLS in Detail". Microsoft TechNet. Updated July 31, 2003.
  2. ^ Thomas Y. C. Woo, Raghuram Bindignavle, Shaowen Su and Simon S. Lam. SNP: An interface for secure network programming. Proceedings USENIX Summer Technical Conference, June 1994.
  3. ^ THE SSL PROTOCOL. Netscape Corporation. 2007. (archived from the original on 14 June 1997).
  4. ^ Messmer, Ellen. Father of SSL, Dr. Taher Elgamal, Finds Fast-Moving IT Projects in the Middle East. Network World. [30 May 2014]. (archived from the original on 31 May 2014).
  5. ^ Greene, Tim. Father of SSL says despite attacks, the security linchpin has lots of life left. Network World. [30 May 2014]. (archived from the original on 31 May 2014).
  6. ^ POODLE: SSLv3 vulnerability (CVE-2014-3566). [21 October 2014].
  7. ^ Rescorla 2001
  8. ^ Polk, Tim; McKay, Terry; Chokhani, Santosh. Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (PDF). National Institute of Standards and Technology: 67. April 2014 [2014-05-07].
  9. ^ Dierks, T. and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346. April 2006.
  10. ^ Joseph A. Salowey; Sean Turner; Christopher A. Wood. TLS 1.3. IETF. 2018-08-10 [2018-08-11] (in English).
  11. ^ pigsrollaroundinthem. SNI under TLS 1.3 will make censorship harder. Solidot. 2018-08-16 [2018-08-27].
  12. ^ NSS 3.29 release notes. Mozilla Developer Network. February 2017. (archived from the original on 2017-02-22).
  13. ^ Enable TLS 1.3 by default. Bugzilla@Mozilla. 16 October 2016 [10 October 2017].
  14. ^ Firefox — Notes (60.0). Mozilla. [2018-05-10] (in American English).
  15. ^ ProxySG, ASG and WSS will interrupt SSL connections when clients using TLS 1.3 access sites also using TLS 1.3. BlueTouch Online. 16 May 2017 [11 September 2017]. (archived from the original on 12 September 2017).
  16. ^ wolfSSL TLS 1.3 BETA Release Now Available. info@wolfssl.com. 11 May 2017 [11 May 2017].
  17. ^ TLS 1.3 PROTOCOL SUPPORT. info@wolfssl.com.
  18. ^ TLS 1.3 Draft 28 Support in wolfSSL. info@wolfssl.com. 14 June 2018 [14 June 2018].
  19. ^ RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2. Internet Engineering Task Force. [9 September 2013].
  20. ^ P. Eronen, Ed. RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). Internet Engineering Task Force. [9 September 2013].
  21. ^ Gothard, Peter. Google updates SSL certificates to 2048-bit encryption. Computing. Incisive Media. [9 September 2013].
  22. ^ Sean Turner. Consensus: remove DSA from TLS 1.3. September 17, 2015. (archived from the original on October 3, 2015).
  23. ^ RFC 5288
  24. ^ RFC 6655
  25. ^ RFC 6367
  26. ^ RFC 5932
  28. ^ RFC 6209
  29. ^ RFC 4162
  30. ^ On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN (PDF). 2016-10-28 [2017-06-08]. (archived (PDF) from the original on 2017-04-24).
  31. ^ NIST Special Publication 800-57 Recommendation for Key Management — Part 1: General (Revised) (PDF). 2007-03-08 [2014-07-03]. (archived (PDF) from the original on June 6, 2014).
  32. ^ Qualys SSL Labs. SSL/TLS Deployment Best Practices. [2 June 2015]. (archived from the original on 4 July 2015).
  33. ^ RFC 5469
  34. ^ RFC 7905
  35. ^ Http vs https. [2015-02-12]. (archived from the original on 2015-02-12).
  36. ^ As of December 3, 2018. SSL Pulse: Survey of the SSL Implementation of the Most Popular Websites. Qualys. [December 6, 2018].
  37. ^ ivanr. RC4 in TLS is Broken: Now What?. Qualsys Security Labs. [2013-07-30]. (archived from the original on 2013-08-27).
  38. ^ Citation error: no content was provided for the reference named poodle_pdf.
  39. ^ Update to add support for TLS 1.1 TLS 1.2 in Windows Server 2008 SP2. [2017-07-19].
  40. ^ What browsers support Extended Validation (EV) and display an EV indicator?. Symantec. [2014-07-28]. (archived from the original on 2015-12-31).
  41. ^ SHA-256 Compatibility. [2015-06-12]. (archived from the original on 2015-07-01).
  42. ^ ECC Compatibility. [2015-06-13]. (archived from the original on 2016-02-17).
  43. ^ Tracking the FREAK Attack. [2015-03-08]. (archived from the original on 2015-03-06).
  44. ^ FREAK: Factoring RSA Export Keys. [2015-03-08]. (archived from the original on 2015-03-11).
  45. ^ Google. Dev Channel Update. 2012-05-29 [2011-06-01]. (archived from the original on 2013-03-02).
  46. ^ Google. Stable Channel Update. 2012-08-21 [2012-08-22]. (archived from the original on 2012-08-25).
  47. ^ Chromium Project. Chromium TLS 1.2 Implementation. 2013-05-30.
  48. ^ The Chromium Project: BoringSSL. [2015-09-05]. (archived from the original on 2015-09-23).
  49. ^ Chrome Stable Release. Chrome Releases. Google. 2011-10-25 [2015-02-01]. (archived from the original on 2015-02-20).
  50. ^ SVN revision log on Chrome 10.0.648.127 release. [2014-06-19]. (archived from the original on 2014-06-19).
  51. ^ ImperialViolet – CRIME. 2012-09-22 [2014-10-18]. (archived from the original on 2015-01-10).
  52. ^ SSL/TLS Overview. 2008-08-06 [2013-03-29]. (archived from the original on 2013-07-03).
  53. ^ Chromium Issue 90392. 2008-08-06 [2013-06-28]. (archived from the original on 2013-08-03).
  54. ^ Issue 23503030 Merge 219882. 2013-09-03 [2013-09-19]. (archived from the original on 2014-02-26).
  55. ^ Issue 278370: Unable to submit client certificates over TLS 1.2 from Windows. 2013-08-23 [2013-10-03]. (archived from the original on 2013-10-05).
  56. ^ Möller, Bodo. This POODLE bites: exploiting the SSL 3.0 fallback. Google Online Security blog. Google (via Blogspot). 2014-10-14 [2014-10-28]. (archived from the original on 2014-10-28).
  57. ^ An update on SSLv3 in Chrome. Security-dev. Google. 2014-10-31 [2014-11-04].
  58. ^ Stable Channel Update. Mozilla Developer Network. Google. 2014-02-20 [2014-11-14]. (archived from the original on 2014-10-24).
  59. ^ Changelog for Chrome 33.0.1750.117. Google. [2014-11-14]. (archived from the original on 2014-01-16).
  60. ^ Issue 318442: Update to NSS 3.15.3 and NSPR 4.10.2. [2014-11-14]. (archived from the original on 2015-03-15).
  61. ^ Issue 693963003: Add minimum TLS version control to about:flags and Finch gate it. – Code Review. [2015-01-22]. (archived from the original on 2015-04-16).
  62. ^ Issue 375342: Drop RC4 Support. [2015-05-22]. (archived from the original on 2015-09-12).
  63. ^ Issue 436391: Add info on end of life of SSLVersionFallbackMin & SSLVersionMin policy in documentation. [2015-04-19]. (archived from the original on 2015-04-18).
  64. ^ Issue 490240: Increase minimum DH size to 1024 bits (tracking bug). [2015-05-29]. (archived from the original on 2015-09-12).
  65. ^ Intent to deprecate: RC4. [2015-12-21].
  66. ^ An update on SHA-1 certificates in Chrome. 2015-12-18 [2015-12-21]. (archived from the original on 2015-12-18).
  67. ^ SSLSocket | Android Developers. [2015-03-11]. (archived from the original on 2015-03-18).
  68. ^ What browsers work with Universal SSL. [2015-06-15]. (archived from the original on 2016-03-04).
  69. ^ SSLSocket | Android Developers. [2015-12-17]. (archived from the original on 2016-03-04).
  70. ^ Android 5.0 Behavior Changes | Android Developers. [2015-03-11]. (archived from the original on 2015-03-09).
  71. ^ Android 8.0 Behavior Changes. (archived from the original on 2017-12-01).
  72. ^ Security in Firefox 2. 2008-08-06 [2009-03-31]. (archived from the original on 2014-07-14).
  73. ^ Attack against TLS-protected communications. Mozilla Security Blog. Mozilla. 2011-09-27 [2015-02-01]. (archived from the original on 2015-03-04).
  74. ^ Introduction to SSL. MDN. [2014-06-19]. (archived from the original on 2014-07-14).
  75. ^ NSS 3.15.3 Release Notes. Mozilla Developer Network. Mozilla. [2014-07-13]. (archived from the original on 2014-06-05).
  76. ^ MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities. Mozilla. [2014-07-13]. (archived from the original on 2014-07-14).
  77. ^ Bug 565047 – (RFC4346) Implement TLS 1.1 (RFC 4346). [2013-10-29].
  78. ^ Bug 480514 – Implement support for TLS 1.2 (RFC 5246). [2013-10-29].
  79. ^ Bug 733647 – Implement TLS 1.1 (RFC 4346) in Gecko (Firefox, Thunderbird), on by default. [2013-12-04].
  80. ^ Firefox Notes – Desktop. 2014-02-04 [2014-02-04]. (archived from the original on 2014-02-07).
  81. ^ Bug 861266 – Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default. [2013-11-18].
  82. ^ The POODLE Attack and the End of SSL 3.0. Mozilla blog. Mozilla. 2014-10-14 [2014-10-28]. (archived from the original on 2014-10-18).
  83. ^ Firefox — Notes (34.0) — Mozilla. mozilla.org. 2014-12-01 [2015-04-03]. (archived from the original on 2015-04-09).
  84. ^ Bug 1083058 – A pref to control TLS version fallback. bugzilla.mozilla.org. [2014-11-06].
  85. ^ Bug 1036737 – Add support for draft-ietf-tls-downgrade-scsv to Gecko/Firefox. bugzilla.mozilla.org. [2014-10-29].
  86. ^ Bug 1166031 – Update to NSS 3.19.1. bugzilla.mozilla.org. [2015-05-29].
  87. ^ Bug 1088915 – Stop offering RC4 in the first handshakes. bugzilla.mozilla.org. [2014-11-04].
  88. ^ Firefox — Notes (39.0) — Mozilla. mozilla.org. 2015-06-30 [2015-07-03]. (archived from the original on 2015-07-03).
  89. ^ Google, Microsoft, and Mozilla will drop RC4 encryption in Chrome, Edge, IE, and Firefox next year. VentureBeat. 2015-09-01 [2015-09-05]. (archived from the original on 2015-09-05).
  90. ^ Intent to ship: RC4 disabled by default in Firefox 44. [2015-10-18]. (archived from the original on 2011-01-22).
  91. ^ RC4 is now allowed only on whitelisted sites (Reverted). [2015-11-02].
  92. ^ Firefox — Notes (44.0) — Mozilla. mozilla.org. 2016-01-26 [2016-03-09]. (archived from the original on 2016-03-04).
  93. ^ Bug 1342082 – Disable TLS 1.3 for FF52 Release. [2017-03-29].
  94. ^ Microsoft. Secure Channel. 2012-09-05 [2012-10-18]. (archived from the original on 2012-08-29).
  95. ^ Microsoft. MS-TLSP Appendix A. 2009-02-27 [2009-03-19]. (archived from the original on 2013-09-27).
  96. ^ What browsers only support SSLv2?. [2014-06-19]. (archived from the original on 2009-11-23).
  97. ^ SHA2 and Windows – Windows PKI blog – Site Home – TechNet Blogs. 2010-09-30 [2014-07-29]. (archived from the original on 2014-07-16).
  98. ^ TLS Cipher Suites. Microsoft. (archived from the original on 2017-03-13).
  99. ^ Archived copy. [2017-07-19]. (archived from the original on 2015-03-11).
  100. ^ Vulnerability in Schannel Could Allow Security Feature Bypass (3046049). 2015-03-10 [2015-03-11]. (archived from the original on 2017-03-13).
  101. ^ Vulnerability in Schannel Could Allow Information Disclosure (3061518). 2015-05-12 [2015-05-22]. (archived from the original on 2016-10-08).
  102. ^ HTTPS Security Improvements in Internet Explorer 7. [2013-10-29]. (archived from the original on 2013-10-10).
  103. ^ Microsoft Support Lifecycle. Microsoft. (archived from the original on 2015-03-10).
  104. ^ Windows 7 adds support for TLSv1.1 and TLSv1.2 – IEInternals – Site Home – MSDN Blogs. [2013-10-29]. (archived from the original on 2013-12-26).
  105. ^ Thomlinson, Matt. Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption. Microsoft Security. 2014-11-11 [2014-11-14]. (archived from the original on 2014-11-14).
  106. ^ Microsoft security advisory: Update for disabling RC4. Archived at the Wayback Machine, archive date 2015-03-11.
  107. ^ Microsoft. IE11 Changes. 2013-09-24 [2013-11-01]. (archived from the original on 2013-10-30).
  108. ^ February 2015 security updates for Internet Explorer. 2015-02-11 [2015-02-11]. (archived from the original on 2015-02-11).
  109. ^ Update turns on the setting to disable SSL 3.0 fallback for protected mode sites by default in Internet Explorer 11. [2015-02-11]. (archived from the original on 2015-02-14).
  110. ^ Vulnerability in SSL 3.0 Could Allow Information Disclosure. 2015-04-14 [2015-04-14]. (archived from the original on 2016-10-08).
  111. ^ Microsoft Edge Team. RC4 is now disabled in Microsoft Edge and Internet Explorer 11. Microsoft. 2016-08-09. (archived from the original on 2016-08-21).
  112. ^ TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016. Microsoft. 2017-03-21 [2017-03-29]. (archived from the original on 2017-03-30).
  113. ^ Foley, Mary Jo. Some Windows 10 Enterprise users won't get Microsoft's Edge browser. ZDNet. (archived from the original on 2017-03-20).
  114. ^ POODLE SSL vulnerability – secure your Windo… – Windows Phone 8 Development and Hacking. XDA Developers. (archived from the original on 2016-09-23).
  115. ^ What TLS version is used in Windows Phone 8 for secure HTTP connections?. Microsoft. [2014-11-07]. (archived from the original on 2016-03-04).
  116. ^ Qualys SSL Labs – Projects / User Agent Capabilities: Unknown. (archived from the original on 2017-03-01).
  117. ^ Platform Security. Microsoft. 2014-06-25 [2014-11-07]. (archived from the original on 2017-03-13).
  118. ^ Release Notes: Important Issues in Windows 8.1 Preview. Microsoft. 2013-06-24 [2014-11-04]. (archived from the original on 2014-11-04).
  119. ^ W8.1(IE11) vs RC4 | Qualys Community. [2014-11-04]. (archived from the original on 2014-11-04).
  120. ^ Opera 9.0 for Windows Changelog. (archived from the original on 2012-09-10).
  121. ^ Opera 2 series. [2014-09-20]. (archived from the original on 2014-10-23).
  122. ^ Opera 3 series. [2014-09-20]. (archived from the original on 2014-10-23).
  123. ^ Opera 4 series. [2014-09-20]. (archived from the original on 2014-10-23).
  124. ^ Changelog for Opera 5.x for Windows. [2014-06-19]. (archived from the original on 2014-10-19).
  125. ^ Changelog for Opera [8] Beta 2 for Windows. [2014-06-19]. (archived from the original on 2005-11-23).
  126. ^ Web Specifications Supported in Opera 9. [2014-06-19]. (archived from the original on 2014-10-26).
  127. ^ Opera: Opera 10 beta for Windows changelog. [2014-06-19]. (archived from the original on 2014-10-23).
  128. ^ About Opera 11.60 and new problems with some secure servers. 2011-12-11. (archived from the original on 2012-01-18).
  129. ^ Security changes in Opera 25; the poodle attacks. 2014-10-15 [2014-10-28]. (archived from the original on 2014-10-20).
  130. ^ Unjam the logjam. 2015-06-09 [2015-06-11]. (archived from the original on 2015-06-14).
  131. ^ Advisory: RC4 encryption protocol is vulnerable to certain brute force attacks. 2013-04-04 [2014-11-14]. (archived from the original on 2015-03-15).
  132. ^ On the Precariousness of RC4. 2013-03-20 [2014-11-17]. (archived from the original on 2013-11-12).
  133. ^ Opera 12 and Opera Mail security update. 2016-02-16 [2016-02-17]. (archived from the original on 2016-02-16).
  134. ^ Dev.Opera — Opera 14 for Android Is Out!. 2013-05-21 [2014-09-23]. (archived from the original on 2015-01-30).
  135. ^ Dev.Opera — Introducing Opera 15 for Computers, and a Fast Release Cycle. 2013-07-02 [2014-09-23]. (archived from the original on 2014-09-02).
  136. ^ same as Chrome 26–29
  137. ^ same as Chrome 30 and later
  138. ^ same as Chrome 33 and later
  139. ^ Adrian, Dimcev. Common browsers/libraries/servers and the associated cipher suites implemented. TLS Cipher Suites Project. (archived from the original on 2013-04-17).
  140. ^ Apple. Features. 2009-06-10 [2009-06-10]. (archived from the original on 2013-04-17).
  141. ^ Curl: Patch to add TLS 1.1 and 1.2 support & replace deprecated functions in SecureTransport. (archived from the original on 2017-03-01).
  142. ^ Qualys SSL Report: google.co.uk. Archived at the Wayback Machine, archive date 2017-03-20. (simulation Safari 5.1.9 TLS 1.0)
  143. ^ Apple Secures Mac OS X with Mavericks Release – eSecurity Planet. 2013-10-25 [2014-06-23]. (archived from the original on 2014-07-08).
  144. ^ Ristic, Ivan. Is BEAST Still a Threat?. qualys.com. (archived from the original on 2014-10-12).
  145. ^ Ristić, Ivan. Apple enabled BEAST mitigations in OS X 10.9 Mavericks. 2013-10-31 [2013-11-07]. (archived from the original on 2013-11-07).
  146. ^ Ristić, Ivan. Apple finally releases patch for BEAST. 2014-02-26 [2014-07-01]. (archived from the original on 2014-07-14).
  147. ^ About Security Update 2014-005. (archived from the original on 2014-10-24).
  148. ^ About the security content of iOS 8.1. (archived from the original on 2014-10-23).
  149. ^ About Security Update 2015-002. [2015-03-09]. (archived from the original on 2015-03-16).
  150. ^ About the security content of OS X Mavericks v10.9. [2014-06-20]. (archived from the original on 2014-07-04).
  151. ^ User Agent Capabilities: Safari 8 / OS X 10.10. Qualsys SSL Labs. [2015-03-07]. (archived from the original on 2015-09-06).
  152. ^ About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005. [2015-07-03]. (archived from the original on 2015-07-02).
  153. ^ Apple. Technical Note TN2287 – iOS 5 and TLS 1.2 Interoperability Issues. 2011-10-14 [2012-12-10]. (archived from the original on 2011-09-07).
  154. ^ Liebowitz, Matt. Apple issues huge software security patches. NBCNews.com. 2011-10-13 [2012-12-10]. (archived from the original on 2013-04-17).
  155. ^ MWR Info Security. Adventures with iOS UIWebviews. 2012-04-16 [2012-12-10]. (archived from the original on 2013-04-17), section "HTTPS (SSL/TLS)".
  156. ^ Secure Transport Reference. [2014-06-23]. (archived from the original on 2014-06-04). kSSLProtocol2 is deprecated in iOS.
  157. ^ iPhone 3.0: Mobile Safari Gets Enhanced Security Certificate Visualization | The iPhone Blog. 2009-03-31. (archived from the original on 2009-04-03).
  158. ^ Qualys SSL Labs – Projects / User Agent Capabilities: Safari 7 / iOS 7.1. (archived from the original on 2017-03-13).
  159. ^ schurtertom. SOAP Request fails randomly on one Server but works on an other on iOS7. 2013-10-11 [2014-01-05]. (archived from the original on 2014-01-06).
  160. ^ User Agent Capabilities: Safari 8 / iOS 8.1.2. Qualsys SSL Labs. [2015-03-07]. (archived from the original on 2016-03-04).
  161. ^ About the security content of iOS 8.2. [2015-03-09]. (archived from the original on 2015-03-09).
  162. ^ About the security content of iOS 8.4. [2015-07-03]. (archived from the original on 2015-07-03).
  163. ^ Oracle. 7093640: Enable client-side TLS 1.2 by default. [2018-08-30].
  164. ^ Oracle. JEP 332: Transport Layer Security (TLS) 1.3. [2018-08-30].
  165. ^ Version 1.11.13, 2015-01-11 — Botan. 2015-01-11 [2015-01-16]. (archived from the original on 2015-01-09).
  166. ^ [gnutls-devel] GnuTLS 3.4.0 released. 2015-04-08 [2015-04-16]. (archived from the original on 2015-04-16).
  167. ^ [gnutls-devel] gnutls 3.6.3. 2018-07-16 [2018-09-16].
  168. ^ Java™ SE Development Kit 8, Update 31 Release Notes. [2015-01-22]. (archived from the original on 2015-01-21).
  169. ^ OpenBSD 5.6 Released. 2014-11-01 [2015-01-20].
  170. ^ LibreSSL 2.3.0 Released. 2015-09-23 [2015-09-24].
  171. ^ MatrixSSL – News. [2014-11-09]. (archived from the original on 2015-02-14).
  172. ^ mbed TLS 2.0.0 released. 2015-07-10 [2015-07-14]. (archived from the original on 2015-09-25).
  173. ^ NSS 3.19 release notes. Mozilla Developer Network. Mozilla. [2015-05-06]. (archived from the original on 2015-06-05).
  174. ^ NSS 3.14 release notes. Mozilla Developer Network. Mozilla. [2012-10-27]. (archived from the original on 2013-01-17).
  175. ^ NSS 3.15.1 release notes. Mozilla Developer Network. Mozilla. [2013-08-10]. (archived from the original on 2013-09-22).
  176. ^ NSS 3.39 release notes. 2018-08-31 [2018-09-14].
  177. ^ OpenSSL 1.1.0 Series Release Notes. [2016-10-02]. (archived from the original on 2016-08-25).
  178. ^ Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]. 2012-03-14 [2015-01-20]. (archived from the original on January 20, 2015).
  179. ^ OpenSSL 1.1.1 Is Released. 2018-09-11 [2018-09-14].
  180. ^ RSA BSAFE Technical Specification Comparison Tables (PDF). (archived (PDF) from the original on 2015-09-24).
  181. ^ TLS cipher suites in Microsoft Windows XP and 2003. Archived at the Wayback Machine, archive date 2015-01-18.
  182. ^ SChannel Cipher Suites in Microsoft Windows Vista. Archived at the Wayback Machine, archive date 2015-01-12.
  183. ^ TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012. Archived at the Wayback Machine, archive date 2015-03-19.
  184. ^ [wolfssl] wolfSSL 3.6.6 Released. 2015-08-20 [2015-08-25]. (archived from the original on 2015-10-17).
  185. ^ [wolfssl] wolfSSL TLS1.3 support. 2017-02-13 [2017-02-13].
  186. ^ NSS 3.24 release notes. Mozilla Developer Network. Mozilla. [2016-06-19]. (archived from the original on 2016-08-26).
  187. ^ Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues. iOS Developer Library. Apple Inc. [2012-05-03]. (archived from the original on 2015-04-03).
  188. ^ Qualys SSL Labs – Projects / User Agent Capabilities. Archived at the Wayback Machine, archive date 2015-09-19.
  189. ^ Georgiev, Martin; Iyengar, Subodh; Jana, Suman; Anubhai, Rishita; Boneh, Dan; Shmatikov, Vitaly. The most dangerous code in the world: validating SSL certificates in non-browser software. Proceedings of the 2012 ACM conference on Computer and communications security (PDF). 2012: 38–49. ISBN 978-1-4503-1651-4. (archived (PDF) from the original on 2017-10-22).

External links

See also