glad you enjoy the videos!

Glad you enjoyed and we appreciate the comment!!

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed it! and, let us know if you have any topics we should address.

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed it!

i'm glad you enjoyed it!

i'm glad you enjoyed it and found it helpful!

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed the video!

I'm glad it helped!

@@devcentral hey

Thanks!! Appreciate the comment!

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed it! and, feel free to watch as many times as you need!

Thanks and appreciate the comment (and sub) 🙂

glad you enjoyed it!

glad you enjoyed it!

glad you enjoyed it!

Glad you enjoyed it!

thanks for the comment!!

glad you enjoyed it!

F5 DevCentral looking into your videos one by one n they are too good ... by the way can you do video on TLS 1.2 handshake....👍🏻

@@hamzabashir1791 Hi. We recorded a couple of videos on the TLS handshake. Here they are: kzfaq.info/get/bejne/mduCY5iqxJirqJc.html kzfaq.info/get/bejne/pMWUZNV0vbTWqGQ.html

Thanks for the comment and glad you enjoyed it!

glad you enjoyed it!

I'm glad you enjoyed it!

glad you enjoyed it!

I'm glad you enjoy them!

glad you enjoyed it!

Happy to help!

glad you enjoyed it!

Thanks and we appreciate the comment!

glad you enjoyed it!

glad you enjoyed it!

Glad you enjoyed it!

glad you enjoyed it!

Thanks for the note!!

Hi pickiziziz...great question! The server's public key can be used as a part of the key exchange (if the key exchange algorithm is RSA), but it doesn't have to be used for key exchange. In fact, most servers/browsers now prefer Diffie Hellman key exchange (many times using Elliptic Curve as well) instead of RSA. The server's private key will still be used for authentication purposes (to prove to the browser that the server is the one expected), but the server's private key doesn't have to be used for the key exchange. That's one of the reasons that the cipher suite is agreed on early in the TLS handshake process so that both sides will know what key exchange algorithm to use. I hope this helps!

glad you enjoyed it!

Glad you enjoyed it!

Great question Nicole! The short answer is, yes...all clients could use the same cipher suite. To be clear, though, the fact that the same cipher suite is used by multiple clients does not mean that all those clients use the same key for encryption. Each client will have their own shared (secret) encryption key with the server. The cipher suite simply defines what type of encryption algorithm is used between the client and the server. But the actual key used between the two will be different for each client/server connection. An analogy might be something like this: several people want to drive from their personal house to the bank. Each one has an option on what kind of car to drive (Honda, Chevy, Ford, Toyota, etc). All of the people could theoretically choose to drive a Toyota car, but each car is different even though they are all Toyota (even the same make/model). So, even though you drive a Toyota doesn't mean you can go to another Toyota and take your car key and use the other car. The same is true for cipher suites. You could use the same cipher suite as another client, but that doesn't mean your secret encryption key is the same as theirs. I hope this helps!

Glad you enjoyed it!

They just reverse the video (left to right) after recording, he's writing normally. I had the same thought though at first 😄

@@rosshoyt2030 Makes sense, he was writing REALLY well backwards :D

Here's our LBL Behind the Scenes video: kzfaq.info/get/bejne/i511kq9l3Km0hJc.html

Hi John...sorry about the oversight on posting that list. Here it is: testssl.sh/openssl-iana.mapping.html I hope this helps!

We really appreciate the comment and glad you enjoyed the video!

Great question Sharath! When @strength is used with the DEFAULT cipher list, then the ciphers are ordered on the server according to their strength (for example, 384 bit would be listed before the 256 bit, etc). When a client begins secure communications with the server, the client offers up it's set of cipher suites (already built into the browser..each browser is built slightly different) and then the server goes down its list of ciphers in order and it chooses the first match it can find. Maybe it matches the very top-listed cipher, but maybe not. As long as one of the cipher suites matches, then the server will pick it and that will be the cipher suite used for that secure session. Thanks!

it depend upon how your priorities your ciphers.. if you using Custom Suites.. in DEFAULT one they put the higher key size strengthen top on the order

@@ashuniet The ordering of the cipher suites varies by TMOS version - but in 'DEFAULT' it is *not* normally the strongest suites which are listed first. A number of factors go into the ordering, but to generalize it is a balance between security and performance. (Higher bit cipher suites use more resources, and thus reduce performance of the box.) Using '@STRENGTH' in the cipher suite configuration will force sorting by key size, but this can be deceptive as well. What is more secure, a cipher suite using ECDHE and AES128-GCM or one using RSA and AES256 (CBC). I'd argue that the former is a better choice, but the latter will come first in the list because of the larger key size.

glad you enjoyed it!

Thanks for the info!

At least through TLSv1.2 the cipher suite negotiation happens in the clear, so you can always see which cipher suite is selected. This is not a risk (beyond the use of a weak suite, which is a risk in any case) as the strength of the system is in the secret keys.

Check out Perfect Forward Secrecy or sometimes called Forward Secrecy. Also, note the concept Ephemeral. scotthelme.co.uk/perfect-forward-secrecy/

glad you enjoyed the video!

That one caught my attention as well, the video lost its credibility after this statement was made. These are dangerous statements as it messes up the very foundational concepts of client-server encryption. I think the author is confused.

what author explained here is digital signature signing process.

@@miomio134 Digital signing process is HMAC, whereby content is signed with private key and verified with private key. I'm not sure that's what he explained.

haha! :) Glad it was helpful for you!

Great comment Abhay! I'm working on another video that goes into detail on which TLS cipher suites are strong and which are weak...stay tuned!

I don't think you can generalize that way. Modern malware using encrypted communication is likely to be using the latest functionality - ephemeral key exchange, AES-GCM, etc. Supporting these is just as easy as an older algorithm - authors are using available libraries. Strength isn't a clear linear scale either - it isn't just key size. AES256-CBC has a larger key size than AES128-GCM, but the latter is arguably a better choice in a real world deployment given the growing number of attacks on CBC ciphers. And, for the same key size, GCM is generally a higher performing option (less load). And does your application really need 256-bit keys? There is also the temporal factor - a mid-strength ECDHE key exchange is probably a better option than a high-strength RSA key exchange. The latter is generally used for many sessions and can be recovered later to decrypt everything it was used on. The former is used for one, or few, sessions and so breaking the key recovers less information. Always tradeoffs.

So what are the other way to test whether cipher suite strong and weak... actually I have tested my client browser compatibility in ssl lab website so it shows preferred cipher suite and u said malware uses good strength of communication in my opinion few types of malware uses good encryption standard but not all, I have also read research paper related to this topic so that's why I am sharing my knowledge what I got correct me if I am wrong and if u good source related to this please share it thanks.

There arguably is a cipher suite that could be considered to be the most secure, I suppose. However, forcing all clients and servers to use that presents a few problems: 1. Some servers may not support that specific suite without having to upgrade. The most secure suite is ever-changing. Ideally, all companies will maintain their systems to keep them up to date, but we know that's easier said than done. 2. Many of the larger browsers don't make it easy for you to force it to only use specific suites. You'd have to dig through registry settings, etc. For now, we have to rely on 2 solutions to avoiding the usage of insecure suites: 1. Hope that modern browsers will disable the usage of insecure cipher suites as they roll out new versions of the software. This way, if you try to connect to a server that doesn't support one of the more secure cipher suites, the connection is rejected. 2. Hope that server administrators disable cipher suites that are considered insecure. This way, if the client tries to connect and their browser only supports insecure cipher suites, the connection is rejected.

From Stackexchange: security.stackexchange.com/questions/204429/what-is-a-non-stitched-ciphersuite

thanks!

Thanks WndSks! When I was listing the symmetric encryption algorithms, I slipped a couple of times and said "block" and then followed up with "bulk" to clarify that I was referring to symmetric, bulk encryption algorithms as opposed to asymmetric key exchange algorithms (RSA, DH, etc) or hash algorithms. But, thanks for the reminder that RC4 is, in fact, a stream cipher not a block cipher...an important detail in the case of symmetric algorithms!

Asymmetric algorithms use complex exponential calculations which are slower and more processor intensive than symmetric algorithms. Furthermore, Asymmetric algorithms are much more stringent as to the length of the data they can encrypt. As such, asymmetric encryption is not ideal for encrypting bulk data. This is why asymmetric encryption comes in handy just for the first part of the communication (a.k.a TLS handshake). Having that established, the encrypted traffic flow can happen using symmetric encryption algorithms such as AES, 3DES and SHA, MD5 for authentication. I hope that had shed some light on it.

@@DanielMGarcia69 thanks for the great info...really appreciate the insightful response!!

Basically the expositor is writing on glass (while shining a lot of light on the board), and then flips the video afterwards on postprocessing; they made a video about it on their channel.

Hi Ryan, great question! The cipher suites are designed for each specific version of SSL/TLS, and you can show the version for each cipher suite. For OpenSSL (the most common implementation on the Internet), you can type in: openssl ciphers -V and you will get a listing of all ciphers with the SSL/TLS version included. Here's a link for more info on this: www.openssl.org/docs/man1.0.2/man1/ciphers.html

I got you, thanks so much for the clarification. Been watching your vids alot recently, terrific jobs!!

@@zhengshenyu Thanks! glad you are enjoying the videos!

Nice catch Miles! You can check out this video showing how we do it: kzfaq.info/get/bejne/i511kq9l3Km0hJc.html

whattt?? I didn't see any lyrics there

I caught that too. :D

Ha! Good catch; won't be able to not listen to that when I re-watch later.

The video is inverted.

Such a simple explanation for the writing!! I was watching the video trying to figure it out and I think because I fried my brain I couldn't figure it out!!!