SSL vs TLS

You may have first heard about TLS because your Apache service needed to be secured using TLS for a PCI scan (Payment Card Industry: PCI scans are a standard to ensure server security for credit card transactions). Or maybe you noticed that your SSL also mentions TLS when you are ordering the certificate. Beyond where you heard the names, the question is, what is this mysterious TLS in relation to SSL and which of the two should you be using?

So what is the difference between SSL and TLS? Surprisingly not much. Most of us are familiar with SSL (Secure Socket Layer) but not TLS (Transport Layer Security), yet they are both protocols used to send data online securely. SSL is older than TLS, but all SSL certificates can use both SSL and TLS encryption. Indeed SSL certificates are appropriately called SSL/TLS certificates, but that becomes a mouthful. Thus the industry has stuck with calling them SSLs. From here on out I will break from convention and call the actual certificate an “SSL certificate” to distinguish the encryption type from the certificate. SSL has its origins in the early 1990s. The mention of Netscape and AOL should date how old these protocols are as they are the first to coin the term SSL.

 

Green Lock On Webpage

If you look up to the upper left corner of this webpage, you may see a very tiny lock and the word “Secure” written in green. While that doesn’t look like much, it plays a critical part of security. The SSL is what your web browser uses to show that data sent from your computer is safe. SSL certificates create a secure tunnel for HTTPS communication. HTTPS stands for Hyper Text Transfer Protocol Secure, differentiating from HTTP, (Hyper Text Transfer Protocol) which has no SSL present. If you see a red lock or a caution sign in the corner of your web browser, that indicates that the connection is not encrypted. Meaning a malicious third party could read any data sent on that webpage.

A secure connection happens via what is called a “handshake” between your browser and the web server. A simplified explanation of this is that the server and your browser agree on a literal “secret” handshake between each other based upon the type of encryption (SSL/TLS) and the SSL certificate itself. This handshake forms its encoding from the interaction of the public and private certificate key. From that point onward they use this secret handshake to confirm the information sent back and forth is from the authentic source.

This handshake and the accompanying SSL certificate helps prevent a man in the middle attack between customers and a server-side business. A man in the middle attack is where a malicious entity intercepts communication between a server and your computer. The man in the middle receives requests from the user and passes along the information to the server and back again. Data between the end user and the server are read, hence “man in the middle” phrase. If attacked, the Man in the Middle technique will show passwords and other sensitive information. As terrifying as that sounds this attack is only possible if there is no SSL certificate on the site.

As you may have heard, Google and FireFox are phasing out non-SSL/TLS encrypted websites. The change will soon show an explicit warning with the browsers for any site that is not covered by an SSL certificate. The browsers will force an acknowledgment that you want to proceed with an insecure website before showing any content.

For business owners who accept online payments, it is even more critical to not only have an SSL certificate but also enforces the latest TLS versions on the server. In a PCI compliance scan, it requires that the domain only use specific TLS versions.

SSL and TLS each have specific versions which relate to the type of encryption that the SSL certificate will use in the previously mentioned handshake.

The SSL versions are:

  • SSL v1
  • SSL v2
  • SSL v3

Never released to the public but still notated is SSL v1; SSL v2 was an improvement upon SSL v1 but still problematic; SSL v3 fixed some of these initial bugs but is open to attacks through vulnerabilities like POODLE or DROWN (read more on those vulnerabilities here). SSL v3 was at the End of Life in 2015, forever ago regarding the internet.

Modern TLS encryptions cover:

  • TLS v1.0
  • TLS v1.1
  • TLS v1.2
  • TLS v1.3

Each of which addresses flaws from one version to the next. The newer encryptions are just that, more modern and more secure ways to encrypt data for security. The later the release, the better the encoding and the more difficult it is to decrypt by malicious third parties. Conversely, the older versions, like with SSL, have vulnerabilities which can be exploited to collect private data. In many ways, you can think of TLS as the newer version of SSL. Some refer to TLS v1.0 as TLS v 1.0/SSL v3.1.

For the interested technophile, as it relates to the handshake example, we break down the first connection process. The first connection deals with the browser, and a “browserhello” is the first exchange in the handshake. The browser then states the version of TLS they accept, say, for example, everything up to TLS v1.1. The server then replies with a “serverhello,” which is the second exchange in the handshake. The server states the version of encryption that is for the rest of the interaction based upon the first connection.

This interaction should force the newest version of SSL/TLS that both the server and browser are capable of handling. Some outdated browsers do not use the latest versions of TLS. The server is also capable of disabling specific TLS/SSL versions, ensuring all the connections to the server are safer. In this way, new servers should disable the use of all SSL versions and even some of the TLS versions. For example, as of September 2018, PCI certification require all SSL versions and TLS v1.0 disabled.

So back to our original question, what is the difference between SSL and TLS? In sum, TLS is the logical progression of SSL and the safer of the two by that fact. Beyond this, they work in the same fashion, but the newer versions use stronger types of encryption.

If you are interested in getting an SSL for your website, check out our blog to help you make an informed decision on what kind of SSL to purchase.

Install Multiple PHP Versions on Ubuntu 16.04

As a default, Ubuntu 16.04 LTS servers assign the PHP 7.0 version. Though PHP 5.6 is coming to the end of life in December of 2018, some applications may not be compatible with PHP 7.0. For this tutorial, we instruct on how to switch between PHP 7.0 and PHP 5.6 for Apache and the overall default PHP version for Ubuntu.

Step 1: Update Apt-Get

As always, we update and upgrade our package manager before beginning an installation. If you are currently running PHP 7.X, after updating apt-get, continue to step 2 to downgrade to PHP 5.6.

apt-get update && apt-get upgrade

Step 2: Install PHP 5.6
Install the PHP5.6 repository with these two commands.

apt-get install -y software-properties-common
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install -y php5.6

Step 3: Switch PHP 7.0 to PHP 5.6
Switch from PHP 7.0 to PHP 5.6 while restarting Apache to recognize the change:

a2dismod php7.0 ; a2enmod php5.6 ; service apache2 restart

Note
Optionally you can switch back to PHP 7.0 with the following command: a2dismod php5.6 ; a2enmod php7.0 ; service apache2 restart

Verify that PHP 5.6 is running on Apache by putting up a PHP info page. To do so, use the code below in a file named as infopage.php and upload it to the /var/www/html directory.

<? phpinfo(); ?>

By visiting http://xxx.xxx.xxx.xxx/infopage.php (replacing the x’s with your server’s IP address), you’ll see a PHP info banner similar to this one, confirming the PHP Version for Apache:

Example of PHP Info page

Continue onto the section PHP Version for Ubuntu to edit the PHP binary from the command line.

Step 4: Edit PHP Binary

Maintenance of symbolic links or the /etc/alternatives path through the update-alternatives command.

update-alternatives --config php

Output:
There are 2 choices for the alternative php (providing /usr/bin/php).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/bin/php7.0 70 auto mode
1 /usr/bin/php5.6 56 manual mode
2 /usr/bin/php7.0 70 manual mode
Press to keep the current choice[*], or type selection number:

Select php5.6 version to be set as default, in this case, its the number one option.

You can now verify that PHP 5.6 is the default by running:
php -v

Output:
PHP 5.6.37-1+ubuntu16.04.1+deb.sury.org+1 (cli)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

Upgrade PHP 5.6 to 7


PHP is a programming language that can run with Apache or Microsoft IIS and works with your server to execute the requests that make up your website. 88% of online sites run on, soon to be vulnerable PHP 5.X technology. At the close of this year, scheduled by Dec 31, 2018 security support will end for our dear old friend PHP 5.6, meaning bugs and security fixes will not be tended to and could lead to security vulnerabilities. 
Each PHP version gets supported actively for two years while the third year only get critical security updates. Luckily, the PHP gods had smiled upon us and extended the life for just a year longer than the typical PHP version before giving us the new year deadline. For all of you developers out there wanting to know exactly what is changing, here’s a helpful migration guide from PHP 5.6 to PHP 7.X.

While the last of PHP 5 closes out with PHP 5.6, this will inevitably leave websites utilizing PHP 5 vulnerable to attacks as well as poor performance. It has substantially reached its infamous End of Life (EOL) title. Switching to the newer PHP 7 versions is not only good for the security, but updating can ultimately save you money. Reducing the cost of doing business by avoiding software incompatibility and compliance issues. If an emotional headache isn’t enough to persuade developers to switch, the benefits will. Benchmarks show PHP 7.x has been tested to run three times faster than PHP5.6!

Let’s see:

  • Faster performance resulting in less memory usage
  • Three times faster page loads*
  • Better for heavy traffic sites
*Performance increase as benchmarked in a testing environment. Other developer’s website performance changes between PHP 5 and PHP 7 may vary.

If you are in a shared environment that manages the OS and framework, then your hosting provider should be sending out notifications of the upcoming change, their plan of action, and cut off dates. Our managed hosting products, such as Storm VPS, Cloud Sites or Managed WordPress, have support teams that can help you switch from PHP 5.X to PHP 7.X easily. Our Managed WordPress product has a compatibility checker built in & one click button to upgrade, yet another reason to love it!


While using WordPress to power your site you can check some vital aspects by going to the
WordPress plugin page and searching for the plugins that you use. Once you find the plugin or themes that you utilize, their spec pages will usually say what PHP version they employ. Also, check out the review tab for comments from users as this section gives useful information. This review tab is helpful for seeing if others have had issues with the plugin or theme and newer PHP versions. It is good practice to look up reviews and see what people have been saying about said plugin. If you don’t see any responses or it hasn’t rated well, then you will want to stray away from it. If you use custom plugins, check with your developer to see how they operate in new PHP versions. The WordPress Compatibility Plugin check will give you a list of plugins and themes that may not mesh well with PHP 7.X.

If you run a mission-critical site its best to do a compatibility checker because blindly upgrading could result in some parts of your page to not function. Checking PHP compatibility, as you would imagine, is a little more in depth but from research online, there is a compatibility checker for VPS servers that you can utilize by downloading the repo from GitHub.

It is worthwhile to note that some plugins may need a PHP module to be installed for the plugin to work. When upgrading the PHP version, you may also need to re-install the PHP module. Fortunately, our support team can assist with installing any PHP module you may need or give the best course of action if the PHP module is not available for your PHP version.

If you are using a Linux VPS the easiest way to check is to ssh into your server and run the following command via your terminal:

php --versionOutput: PHP 7.0.30 (cli) (built: Jun 26 2018 20:34:16)

cPanel:

Note
It’s important to make a backup of your site before migrating to PHP 7.X

Search php, select Multi PHP Manager, will show this screen to show which php version you are using. While on the PHP Version screen you can update the PHP version here by clicking on the check mark next to the domain and selecting the desired PHP version on the right drop down and click Apply.

Search For PHP and Click MulitPHP Manager Icon

How to Check the Version of cPanel / WHM

Pre-Flight Check

  • These instructions are intended specifically for checking your version of cPanel or WHM via the command line or the WHM dashboard.
  • I’ll be working from a Liquid Web Managed CentOS 7 server, and I’ll be logged in as root.

Method #1: Checking the Version of cPanel / WHM by the ‘cpanel’ Command

Using the cPanel command:

/usr/local/cpanel/cpanel -V

11.50.0 (build 27)

Continue reading “How to Check the Version of cPanel / WHM”

How to Check the glibc (GNU libc) Version on Fedora 22

Pre-Flight Check

  • These instructions are intended specifically for checking the installed version of glibc.
  • I’ll be working from a Liquid Web Self Managed Fedora 22 server, and I’ll be logged in as root.

Continue reading “How to Check the glibc (GNU libc) Version on Fedora 22”

How to Check the MySQL Version

In this quick tutorial we’ll learn how to check the MySQL version of a server. Without a doubt MySQL is one of the most popular RDBMS options available, so you’ll find it pretty much everywhere. There can be some pretty staggering differences between MySQL versions, so knowing which version you’re working with is important. Learn here how, to check the version of MySQL your server is using!

Continue reading “How to Check the MySQL Version”