As a proof of concept I wanted to see in how far I could decode some TLS data on the client side. Obviously, this is very complex matter, and even though TLS looks deceptively simple, it isn’t. To make matters worse, PHP isn’t quite helping us making things easy neither.
In the current day and age, using a plain HTTPS connection might not be the most secure way to communicate anymore. Sure, for your purposes and goals we can assume that this communication is safe enough, but cracks are appearing in the security, and we might need to move to better, more secure ways in maybe a shorter period than anyone expected. But how do we do this? We are not crypto-experts, and you probably have no idea how HTTPS works to begin with. Should we find ourselves a secure way to encrypt our data? Should we “invent” new methods that look safe, just because it’s too complex to explain what’s going on?
Today I overheard two colleagues discussing one of my favorite subjects: encryption. The discussion was about that encrypting data (with a normal block cipher) was working perfectly in ECB mode, but not in CBC mode. So, this all leads up to the question: what is ECB and CBC? And when should you use them? Although this post has some PHP code in it, it is applicable for every other language.