TLS/SSL Considerations

About TLS/SSL

Endpoint Application Control can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to help ensure secure communication between the web console and the server.

TLS and its predecessor, SSL, are cryptographic protocols. They secure communication between a client (the web console in a browser, or an agent) and a server by using long-term asymmetric key pairs, whose public halves are carried in certificates, to authenticate the server and, where client certificates are deployed, the client as well. Once authentication succeeds, the protocol lets the two sides agree on short-term symmetric session keys that encrypt all traffic for the rest of the session. The public keys alone do not reveal the session keys, so an eavesdropper who records the handshake and has the certificates cannot derive them.

To perform authentication, TLS/SSL protocols use X.509 certificates and asymmetric cryptography. Supporting X.509 certificates requires a certificate authority (CA) and public key infrastructure to do the following:

  • Generate, sign, and validate certificates

  • Bind each certificate to the party it identifies (for the web server, its host name) so that the other side can verify whom it is talking to

Prevent TLS/SSL Man-In-The-Middle Attacks

Using Transport Layer Security (TLS) or Secure Sockets Layer (SSL) adds an important layer of protection, but that protection is only as strong as the certificate check. To perform authentication, these protocols use X.509 certificates and asymmetric cryptography, which require a certificate authority (CA) and public key infrastructure. A client that accepts a certificate which does not chain to a CA it trusts, which has expired, or whose name does not match the server it connected to can be deceived: an attacker positioned between the endpoint and the web server presents a certificate of their own and can then read or alter the traffic (a man-in-the-middle, MITM, attack). To protect against these attacks, use up-to-date versions of TLS, make sure the web console's certificate chains to a CA that endpoint browsers and agents trust, and never click through a certificate warning. Verify that endpoint web browsers show the web console as secure, with no certificate warning, when they go to it; on browsers that still display one, a green address bar is that indicator.

Tip:

Almost all current web browsers enable "green address bar" functionality by default. The green bar signals an Extended Validation (EV) certificate issued by a public CA; newer versions of the major browsers no longer draw a distinct green bar and show only a padlock, so the check that matters is that the page loads with no certificate warning. The certificate created automatically during installation is not an EV certificate and never produces a green bar; to obtain one, import an EV certificate from a public CA (see the Enabling TLS/SSL in the Web Server Screen topic). For examples of the green address bar in different browsers, go to https://www.digicert.com/ssl-support/code-to-enable-green-bar.htm.

To display the green address bar on Windows XP endpoints using Internet Explorer 8, SmartScreen Filter must be enabled. To enable it, open Internet Options, go to Advanced, and then select Enable SmartScreen Filter.

About TLS/SSL Implementation in Endpoint Application Control

Endpoint Application Control uses the highest version of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) supported by both the web server and agent endpoint.

During installation, selecting Enable TLS/SSL automatically creates the required certificate.

Topic

Implementation Details

Automatically-created certificate attributes

  • The certificate is signed by an internal CA that the installer creates. It does not chain to a publicly trusted CA, so browsers and agents will not trust it unless that internal CA is added to their trust store.

  • The certificate contains the server information and the server's public key. The matching private key is generated with it and stored on the web server; it is not part of the certificate and must never leave the server.

  • The certificate is valid for three years after signing. Endpoint Application Control continues to use the certificate after it expires, but browsers and other clients that check validity dates will warn or refuse to connect, so renew or replace it before it expires.

Endpoint Application Control process to establish TLS/SSL communication

  1. The agent endpoint opens a connection to the web server and requests a secure session, advertising the TLS/SSL versions and cipher suites it supports.

  2. The web server selects the highest version and strongest cipher suite that both sides support and responds with its certificate. If the server is configured to authenticate agents, it also requests the agent endpoint's certificate, and the agent presents it.

  3. Each side validates the certificate it received: the signature chain to a trusted CA, the validity period, and the name it identifies. The two sides then establish session keys. They use Diffie–Hellman key exchange (DHE) if both support it, which gives forward secrecy: a recorded session cannot be decrypted later even if the server's private key is compromised. Otherwise they fall back to RSA key exchange, in which the agent encrypts the session secret to the server's public key, so a later compromise of that key exposes recorded sessions.

  4. The agent endpoint and web server encrypt the session data using Advanced Encryption Standard (AES).

    RSA is an asymmetric algorithm and is orders of magnitude slower than a symmetric cipher such as AES; it is not more secure, just suited to a different job. Endpoint Application Control therefore uses RSA (or DHE) only to authenticate and establish keys, and AES, a fast symmetric cipher, for data transfer.
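The following script is an added example, not code from Endpoint Application Control or its documentation, that checks the points above from the client side: whether the web server's certificate chains to a trusted CA (the MITM protection described earlier), whether it is self-signed or expired (the certificate attributes above), and whether the negotiated cipher suite uses DHE/ECDHE or RSA key exchange and AES for bulk encryption (steps 3 and 4). It uses only the Python standard library; the host names eac.corp.example and Corp Internal CA, and the sample certificates, are constructed for illustration.

```python
"""Audit what a TLS client negotiates with a web server: protocol version, key
exchange, bulk cipher and certificate trust. Added example, stdlib only."""
import socket
import ssl
import time


def key_exchange(cipher_name):
    """Classify a cipher suite by key-exchange method (OpenSSL and TLS 1.3 names)."""
    if cipher_name.startswith("TLS_"):          # TLS 1.3 is always ephemeral (EC)DHE
        return "ECDHE"
    head = cipher_name.split("-")[0]            # ECDHE-RSA-AES256-GCM-SHA384 -> ECDHE
    if head in ("ECDHE", "DHE"):
        return head
    if head.startswith(("AES", "CAMELLIA", "DES", "RSA")):   # AES256-SHA -> RSA key transport
        return "RSA"
    return "OTHER"


def _host_matches(hostname, pattern):
    """Exact match or single-label wildcard (*.corp.example)."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return hostname == pattern


def check_certificate(cert, hostname, now=None):
    """Problems a validating client raises for `cert` (ssl getpeercert() dict format)."""
    now = time.time() if now is None else now
    problems = []
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if subject == issuer:
        problems.append("self-signed: issuer equals subject, no chain to a trusted CA")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        problems.append("expired on %s" % cert["notAfter"])
    elif not_after - now < 30 * 86400:
        problems.append("expires within 30 days (%s)" % cert["notAfter"])
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and "commonName" in subject:     # legacy CN fallback
        names = [subject["commonName"]]
    if not any(_host_matches(hostname, n) for n in names):
        problems.append("hostname %r not covered by %r" % (hostname, names))
    return problems


def _describe(report, tls, host):
    cipher = tls.cipher()[0]
    report.update(version=tls.version(), cipher=cipher, key_exchange=key_exchange(cipher))
    if report["key_exchange"] not in ("ECDHE", "DHE"):
        report["problems"].append("no forward secrecy: %s key exchange" % report["key_exchange"])
    if "AES" not in cipher and "CHACHA" not in cipher:
        report["problems"].append("bulk cipher is not AES-class: %s" % cipher)
    cert = tls.getpeercert()                    # empty unless the chain was validated
    if cert:
        report["problems"].extend(check_certificate(cert, host))
    else:
        report["problems"].append("certificate not validated; export it with openssl s_client -showcerts")
    return report


def audit_endpoint(host, port=443, timeout=5.0):
    """Connect as a validating client; if the chain fails, reconnect unverified for diagnostics."""
    report = {"host": host, "port": port, "trusted": False, "problems": []}
    ctx = ssl.create_default_context()          # system trust store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["trusted"] = True
                return _describe(report, tls, host)
    except ssl.SSLCertVerificationError as exc:
        report["problems"].append("chain validation failed: %s" % exc.reason)
    ctx.check_hostname = False                  # diagnostics only; never carry real traffic this way
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return _describe(report, tls, host)


# Constructed samples in getpeercert() format (hypothetical host names).
SAMPLE_SELF_SIGNED = {                          # self-signed, as the installer's certificate is described
    "subject": ((("commonName", "eac.corp.example"),),),
    "issuer": ((("commonName", "eac.corp.example"),),),
    "notAfter": "Jan  1 00:00:00 2024 GMT",     # three-year lifetime, already past
    "subjectAltName": (("DNS", "eac.corp.example"),),
}
SAMPLE_CA_ISSUED = {                            # an imported certificate from an internal CA
    "subject": ((("commonName", "eac.corp.example"),),),
    "issuer": ((("commonName", "Corp Internal CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "eac.corp.example"), ("DNS", "*.eac.corp.example")),
}

if __name__ == "__main__":
    import sys
    print(audit_endpoint(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python audit_tls.py <web-server-host> [port]` from an endpoint. A report with `trusted` false and a "chain validation failed" entry is exactly the situation in which a browser would show a warning instead of a padlock, and in which an agent that does not have the internal CA in its trust store could be fooled by a MITM certificate; a "no forward secrecy" entry means the server negotiated RSA key exchange rather than DHE. The unverified reconnect exists only so the negotiated version and cipher can still be reported; the certificate dict is empty in that mode because the standard library withholds it when validation did not happen.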

To learn about importing and using your own certificate with Endpoint Application Control, see Enabling TLS/SSL in the Web Server Screen topic.