-
-
Save pierreozoux/ed1fb9a1387a44f9e80d to your computer and use it in GitHub Desktop.
Difference between STARTTLS and TLS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # So TLS, which is the successor of SSL, is "Transport Layer Security". | |
| # It is a kind of super protocol that initiates an encrypted tunnel between the client and the server, | |
| # and then, you can use your normal verbs from your protocol as it was not encrypted. | |
| # For instance with http. Let's say you want to get a page from ubicast.eu | |
| # go to your terminal, and you can get it with | |
| telnet ubicast.eu 80 | |
| GET / HTTP/1.0 | |
| # and you get the index of the site. | |
| # Basically, you could do the same with openssl to start a TLS connection with ubicast.eu, and then do your normal discussion in HTTP. | |
| openssl s_client -connect ubicast.eu:443 | |
| GET / HTTP/1.0 | |
| # and you get a different index (because, I don't know, but you can verify on your browser :) ) | |
| # But this technique requires a new port to distinguish normal protocal and TLS endpoint. | |
| # indeed, if I discuss HTTP or TLS it is different verbs that are used. | |
| # So that's why you have the port 80 for http, and 443 wich is HTTP over TLS or HTTPS. | |
| # But this anoying to give a new port to distinguish the secure version of the protocol. Like 80 and 443... | |
| # This is not beautiful from an engineering point of view :) | |
| # So they created STARTTLS that is a verb for all protocols :) We could imagine that we had this verb to http protocol. | |
| # And when we you use this verb, it would mean that you want to start a TLS connection. | |
| # So this is jsut a way to keep the normal protocol, and add encryption :) | |
| # you can try by yourself | |
| telnet smtp.gmail.com 587 | |
| helo pierre.ozoux@gmail.com | |
| AUTH LOGIN | |
| STARTTLS | |
| # but you will not be able to do it by hand, it's kind of complicated :) | |
| # but as you can see, they do not allow login without starttls :) | |
| # You can do it also, directly on the SMTP over TLS: | |
| openssl s_client -crlf -connect smtp.gmail.com:465 | |
| helo pierre.ozoux@gmail.com | |
| AUTH LOGIN | |
| # Hope it helped :) | |
| # And to respond to your question, STARTTLS and TLS are vulnerables to heartbleed as it is on the TLS implementation :) | |
| # STARTTLS is just a verb for normal protocol to start a TLS tunnel (as well described by the name :) ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment