I have been an Internet Marketer for over 7 years.

I own the traffic exchange FiveHits.com, which has over 15,000 members. I also created IntelliBanners, the original banner ad rotator and co-op service.

I am the programmer and co-owner of the new LFMTE Traffic Exchange Script. The LFMTE is designed to be easy-to-use for both owners and their members.
Josh Abbott | joshabbott

The Future Of SSL and HTTPS

Apr 5th 2017 at 9:05 PM

A lot of focus has been on improving the security and privacy of the Internet in recent years.  With Let’s Encrypt recently launching into Public Beta, more web sites are expected to adopt SSL and HTTPS technology.

While this is a good thing, there are still concerns about the security of SSL and HTTPS.  Over the past 5 years, I have been developing the next-generation implementation of SSL and HTTPS, and I am now releasing it under an open-source license.

This software is called Dual SSL, and it’s a library for PHP. Rather than replacing the existing protocol, it adds an additional layer on top of it that plugs some potential security holes in the existing implementations.  Best of all, Dual SSL is already compatible with modern browsers and servers, and can deliver standards-compliant HTML5 web content.

A brief overview of the technology…

HTTPS is a commonly used protocol for providing encryption on the web.  When you do online shopping or banking, and see that little lock icon in your browser, then that site is using HTTPS and SSL.

When I first conceived the idea of Dual SSL back in 2011, HTTPS was considered virtually unbreakable.  A lot has changed since then.  Real-world vulnerabilities such as “Heartbleed” and “Poodle” have made headlines in recent years, and millions of people have been affected by various sorts of data breaches.

There are some weaknesses in HTTPS that make it potentially vulnerable to eavesdropping, or to being bypassed altogether, if there are weaknesses in the software that is hosting the web site.

Dual SSL strengthens the traditional HTTPS protocol in two main ways:

First, online content delivered over Dual SSL is not sent over a single encrypted connection.  In addition to the main web server, there is also a key server that provides a dynamically generated key to decrypt the web content.

For example, a web page may be sent to your browser from a computer in the United States while the key needed to decrypt that data could be sent from a server in Germany.  The key is unique for each session, and destroyed in the process of decrypting the content.

This significantly increases the difficulty of intercepting the encrypted data, storing it, and then later decrypting it using brute force or discovering a vulnerability in the encryption cipher.

Another major benefit added by Dual SSL is a concept that I’ve named Application Layer Containment. In a normal HTTPS connection, web content travels through several layers of software before it is encrypted.  Application Layer Containment encrypts the content soon after it’s generated.

This means that if a web site is using a vulnerable version of OpenSSL or Apache, hackers shouldn’t be able to intercept data sent over a Dual SSL connection that would otherwise be vulnerable over traditional HTTPS.

With increasing usage of shared and cloud hosting, many content providers do not have full control over the servers hosting their content.  Web sites may not know if the software is up to date, or if their hosting provider might be intercepting their content before it is encrypted.

Application Layer Containment within Dual SSL returns this control back to the content providers.  A layer of encryption is applied to the content key before it even leaves the PHP script, so intercepting it from Apache or OpenSSL would only result in encrypted data.

When combined with PHP source code protection software, such as the ionCube Encoder, the content should be protected even from someone who has root access to the operating system or physical access to the server.
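
The two mechanisms described above (a per-session key released once by a separate key server, and encryption applied inside the PHP script before the web server handles the response), as an added sketch that is not Dual SSL's own code. The KeyServer class, the function names and the choice of AES-256-GCM are assumptions made for illustration, and the key server here is an in-memory stand-in for a separate host.

```php
<?php
// Hypothetical key server: holds each session key until its first release.
final class KeyServer
{
    private array $keys = [];   // session id => raw 32-byte key

    public function store(string $sid, string $key): void
    {
        $this->keys[$sid] = $key;
    }

    // Hand the key out once, then destroy the server's copy.
    public function release(string $sid): ?string
    {
        $key = $this->keys[$sid] ?? null;
        unset($this->keys[$sid]);
        return $key;
    }
}

// Content server: encrypt inside the PHP script, before Apache or the TLS library sees it.
function sealContent(string $html, KeyServer $ks): array
{
    $sid = bin2hex(random_bytes(16));
    $key = random_bytes(32);   // fresh key per session
    $iv  = random_bytes(12);   // 96-bit GCM nonce
    $ct  = openssl_encrypt($html, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $sid);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $ks->store($sid, $key);
    // Only ciphertext and non-secret parameters travel on the content channel.
    return ['sid' => $sid, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

// Client: fetch the key over the second channel, then decrypt.
function openContent(array $env, KeyServer $ks): ?string
{
    $key = $ks->release($env['sid']);
    if ($key === null) {
        return null;   // key already consumed or never issued
    }
    $pt = openssl_decrypt($env['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $env['iv'], $env['tag'], $env['sid']);
    return $pt === false ? null : $pt;
}

$ks  = new KeyServer();
$env = sealContent('<p>constructed sample page</p>', $ks);
var_dump(openContent($env, $ks));   // first request obtains the key and decrypts
var_dump(openContent($env, $ks));   // replay of the same envelope: key is gone
```

Binding the session id into the GCM associated data means an envelope paired with a different session's identifier fails authentication instead of decrypting.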

Current status of Dual SSL…

At the current time, all of the development, coding, and testing of Dual SSL has been done entirely by me.  While the software is fully functional, I’m sure there are lots of improvements that can be made to the security, reliability, and performance of the software.

To give more developers a chance to test and contribute to the software, I have released both the main Dual SSL library for PHP as well as the software needed to set up a Dual SSL key server under the open-source GNU General Public License.

There is also a proprietary build of Dual SSL with all the settings and key servers preconfigured for the TMS content management system.

All of this can be downloaded for free from my site: https://dualssl.com

---

Written By: Josh Abbott

http://joshabbott.com

10 comments
Sep 13th 2019 at 1:08 AM by tucsontruth
Many super security gurus would argue that CloudFlare is vulnerable to compromise and as a result, so too are the websites on their platform potentially at risk. However, setting up SSL locally for back-end use, I've yet to encounter any problems on my 40 some websites.
   
Jan 15th 2019 at 3:29 AM by Hiflyicuairambulance
nice 1
   
Dec 4th 2018 at 1:37 AM by deskanus
Nice article Josh...
   
Oct 25th 2018 at 11:03 PM by Dudish
Thank You for sharing.
   
Oct 12th 2018 at 4:44 AM by javiersalces
Great article Josh, thanks for sharing!
   
Sep 27th 2018 at 6:42 AM by av_guy
sounds like a new approach. well done
   
Sep 26th 2018 at 6:13 AM by factmr
I am really grateful for this article because it has plenty of knowledge and Josh you have described it in an effective way to understand... Thank You
   
Aug 30th 2018 at 3:16 PM by jamesdraper
Great article Josh, thanks for sharing!
   
Aug 7th 2018 at 1:20 AM by aumickmanuela
It's good innovation, but why you don't realize it to general users, you are checking some troubles or functions?
   
Feb 28th 2018 at 1:43 PM by evolve
Thanks for sharing....
   
