A lot of focus has been on improving the security and privacy of the Internet in recent years. With Let’s Encrypt recently launching into Public Beta, more web sites are expected to adopt SSL and HTTPS technology.
While this is a good thing, there are still concerns about the security of SSL and HTTPS. Over the past 5 years, I have been developing the next-generation implementation of SSL and HTTPS, and I am now releasing it under an open-source license.
This software is called Dual SSL, and it’s a library for PHP. Rather than replacing the existing protocol, it adds an additional layer on top of it that plugs some potential security holes in the existing implementations. Best of all, Dual SSL is already compatible with modern browsers and servers, and can deliver standards-compliant HTML5 web content.
A brief overview of the technology…
HTTPS is a commonly used protocol for providing encryption on the web. When you do online shopping or banking, and see that little lock icon in your browser, then that site is using HTTPS and SSL.
When I first conceived the idea of Dual SSL back in 2011, HTTPS was considered virtually unbreakable. A lot has changed since then. Real-world vulnerabilities such as “Heartbleed” and “Poodle” have made headlines in recent years, and millions of people have been affected by various sorts of data breeches.
There are some weaknesses in HTTPS that makes it potentially vulnerable to eavesdropping or bypassed altogether if there are weaknesses in the software that is hosting that web site.
Dual SSL strengthens the traditional HTTPS protocol in two main ways:
First, online content delivered over Dual SSL is not sent over a single encrypted connection. In addition to the main web server, there is also a key server that provides a dynamically generated key to decrypt the web content.
For example, a web page may be sent to your browser from a computer in the United States while the key needed to decrypt that data could be sent from a server in Germany. The key is unique for each session, and destroyed in the process of decrypting the content.
This significantly increases the difficulty of intercepting the encrypted data, storing it, and then later decrypting it using brute force or discovering a vulnerability in the encryption cipher.
Another major benefit added by Dual SSL is a concept that I’ve named Application Layer Containment. In a normal HTTPS connection, web content travels through several layers of software before it is encrypted. Application Layer Containment encrypts the content soon after it’s generated.
This means if a web site is using a vulnerable version of Open SSL or Apache, hackers shouldn’t be able to intercept data sent over a Dual SSL connection that would otherwise be vulnerable over traditional HTTPS.
With increasing usage of shared and cloud hosting, many content providers do not have full control over the servers hosting their content. Web sites may not know if the software is up to date, or if their hosting provider might be intercepting their content before it is encrypted.
Application Layer Containment within Dual SSL returns this control back to the content providers. A layer of encryption is applied to the content key before it even leaves the PHP script, so intercepting it from Apache or Open SSL would only result in encrypted data.
When combined with PHP source code protection software, such as the ionCube Encoder, the content should be protected even from someone who has root access to the operating system or physical access to the server.
Current status of Dual SSL…
At the current time, all of the development, coding, and testing of Dual SSL has been done entirely by me. While the software is fully functional, I’m sure there are lots of improvements that can be made to the security, reliability, and performance of the software.
To give more developers a chance to test and contribute to the software, I have released both the main Dual SSL library for PHP as well as the software needed to setup a Dual SSL key server under the open-source GNU General Public License.
There is also a proprietary build of Dual SSL with all the settings and key servers preconfigured for the TMS content management system.
All of this can be downloaded for free from my site: https://dualssl.com