TLS Attacks and Mitigations

TLS Attacks and Mitigation: Overview

Attacks on HTTPS connections generally fall into three categories:

  • Compromising the quality of the HTTPS connection, through cryptanalysis or other protocol weaknesses.
  • Compromising the client computer, such as by installing a malicious root certificate into the system or browser trust store.
  • Obtaining a “rogue” certificate trusted by major browsers, generally by manipulating or compromising a certificate authority.

These are all possible, but for most attackers they are very difficult and require significant expense. Importantly, they are all targeted attacks: it is not feasible to execute them indiscriminately against any user connecting to any website.

By contrast, plain HTTP connections can be easily intercepted and modified by anyone on the network path between client and server, so attacks can be carried out at large scale and at low cost.

Readers should consult the following sources for detailed information on TLS attacks and mitigations: