93
Chapter 6
TLS/SSL
Originally known as the Secure Sockets Layer (SSL) when first released by Netscape in 1995, Transport Layer Security
(TLS) became an Internet standard in 1999 and may be the most widely deployed form of encryption used on the
Internet today. As you will learn in this chapter, it is used with many basic protocols on the modern Internet to verify
server identity and to protect data in transit.
The correct use and deployment of TLS is a moving target. Each year, new attacks are suggested against its
encryption algorithms, and new ciphers and techniques are pioneered as a result. TLS 1.2 is the most current version
as of this third edition of Foundations of Python Network Programming, but further versions will doubtlessly be issued
in the years to come. I will try to keep the example scripts stored online in the book’s source code repository updated
as the state of the art advances Thus, be sure that you go to the URL at the top of each script shown in this chapter and
cut and paste from the version of the code that you find there in version control.
This chapter will begin by clarifying what TLS accomplishes and outlining the techniques that it uses to do so.
Then you will look at Python examples, both simple and complex, to learn how TLS can be activated and configured
on a TCP socket. Finally, you will see how TLS is integrated into the real-world protocols that you will learn about in
the rest of the book.
What TLS Fails to Protect
The data passing over a well-configured TLS socket should, as you will see later in this chapter, appear as gibberish to
anyone watching. Furthermore, unless mathematics has failed the designers of TLS, it will be gibberish that is fairly
impressively impenetrable even to a computer—and even to a government agency with a large budget. It should
prevent any eavesdroppers of, say, an HTTPS connection from learning the URL that you request, the content that
comes back, or any identifying information such as a password or cookie that might pass in either direction across the
socket. (See Chapter 9 for more information about HTTP features such as passwords and cookies.)
Nonetheless, you should immediately step back and remember how much about a connection, besides its data,
is not made secret by TLS and will still be observable by any third party.
• The addresses of both your machine and the remote host are visible, as plain bytes, in every
single packet’s IP header.
• The port number of your client and of the server also appears in every TCP header.
• The DNS request that your client made to learn the server’s IP address in the first place
probably passed across the network in the clear.
An observer can watch the size of the chunks of data that pass in each direction across the TLS-encrypted socket.
Even though TLS will try to hide the exact number of bytes, it will still be possible to see in roughly what sized chunks
data passes, as well as the overall pattern of requests and responses.
I’ll illustrate the previous weaknesses with an example. Imagine that you use a secure HTTPS client (such as your
favorite web browser) to fetch https://pypi.python.org/pypi/skyfield/ over a coffee shop’s wireless network.