SSL is generally, used to secure the transmission of confidential data between the user’s browser and web server. Netscape developed the first SSL 1.0 technology in 1994 but due to some security weakness, it was never publicly released. Again, Netscape published SSL 2.0 in Feb. 1995 came as a stronger version than SSL 1.0. After two years in Nov. 1996, the third version called SSL 3.0 came into force that was designed by Netscape and Paul Kocher with the elimination of security weakness of previous versions. Now, what is the difference between SSL 2.0 and SSL 3.0, as SSL 1.0 was not released in public.
Difference Between SSL 2.0 and SSL 3.0
As we know that, we can realize our effort only when others appreciate. The same thing happened in SSL technology, after developing SSL 1.0 and 2.0 a requirement of the next version was emerged because of weakness in older versions. Below is the weakness of SSL 2.0, which forced developers to introduce the next version.
SSL 2.0 Weakness
Cipher Suite Attack:
Attacker can easily edit in the cipher suite preference without any detection. It is called “man-in-the-middle” attack. Attacker can intercept messages flowing between a client and web server and insert his own message by changing original message invisibly, and taking charge of the entire control of the conversation.
MAC Construction:
SSL 2.0 has a weak MAC (message authentication code) because MAC uses only 40-bit of encryption in export mode. It uses MD5 hash function that is vulnerable in length extension attacks.
Handshake:
Client can only start a handshake but cannot interrupt in the middle of the session. He cannot change the algorithm and encrypted keys.
Virtual Hosting:
SSL 2.0 uses a fixed domain certificate with a single service, which will not match with the latest features of virtual hosting for web servers. Therefore, most websites left weakened from applying SSL.
Truncation Attack:
SSL 2.0 is open for truncation attack. Attacker can form a TCP FIN without aware of recipient from illegitimate data message. It has no closure alerts for receiving an error message.
Chain Certificate:
SSL 2.0 does not follow chain certificate and non-RSA algorithm. It uses only RSA key exchange, not different key exchange algorithms.
SSL 3.0 Strength
- SSL 3.0 can defend against “man-in-the-middle” attack by keeping the authenticated finished message with including a hash for all the previous handshake messages.
- SSL 3.0 uses HMAC, which is more powerful than MAC. It uses 128-bit of encryption. Attacker cannot alter the record or information even sending on open private network. It also provides key message authentication.
- SSL 3.0 enables Client can interrupt in the middle of handshake and can change the algorithm and keys whenever he wants.
- SSL 3.0 has a general key exchange protocol. It permits the Diffie-Hellman and Fortezza key exchanges and non-RSA certificates.
- SSL 3.0 permits chain certificates for the client and server. It provides certificate hierarchy.
- SSL 3.0 uses SHA-1 hashing algorithm, which is more secure than MD5 algorithm. It supports extra cipher suites. It also uses BSAFE 3.0 that includes a fixing of many attacks and the SHA-1 algorithm.
Summary:
From the above discussion, we can say that SSL 3.0 is better for securing the confidential data over the internet. SSL 3.0 is more powerful protocol than SSL 2.0.
