
What Is TLS Encryption and Why You Need It

May 26, 2020 | Jay Thakkar


TLS (Transport Layer Security) is a cryptographic protocol that facilitates secure connections over a computer network. The secure connection between two endpoints (typically, a server and a client) is ensured by encrypting the data in transit, which is commonly referred to as “TLS/SSL encryption.” It’s a vital technology that has been the bedrock of internet security since the early days of the web.
 

In this post, I’ll explore how TLS encryption came into existence, what functions it performs and how it ensures security and privacy of your data.



 

A Brief History of SSL and TLS

I know it’s confusing that the terms “SSL” and “TLS” are often used to describe the same type of encryption. The easy answer is that SSL (Secure Sockets Layer) is the predecessor of the TLS protocol. The terms SSL and TLS are used interchangeably because many prefer using the term “SSL,” as it was the original term. SSL was developed by Netscape way back in 1995. Three versions of SSL were released through 1996, but all of them have been found to be vulnerable. This led to SSL’s deprecation, and TLS 1.0 was introduced in 1999. Since then, three versions of TLS have been released and it has become a standard protocol for data security on the internet.

 

Why We Need TLS Encryption for a Secure Internet

All of us transmit a ton of information every day, including sensitive information such as our credit card data, passwords, social security numbers, email communication, etc. We can send such information without much worry. Well, TLS encryption is the reason we can do that.
 

When you purchase using your credit card, you type in your credit card details in plain text. If they remain in plain text on the way from your device to the web server, a hacker can easily intercept and tamper with them. In technical terms, this is known as a “man-in-the-middle” (MiTM) attack. To give users confidence that their privacy will remain intact, there was a need for a technology that thwarts MiTM attacks, and that’s how TLS encryption became an indispensable element in the web security arsenal.

 

How TLS Solves the InfoSec Puzzle

Have you ever tried to solve Rubik’s cube? If you have, you’d know that one needs to solve six sides/colours in order to solve it. Similarly, information security is a puzzle that consists of three major security concerns that one needs to address in order to ensure data security. They are:
 

  1. Data Integrity: Assurance to the user that the data will reach the intended recipient in exactly the form in which it was sent.
     
  2. Data Privacy: Protection of the data sent by users in such a way that only the intended entity can see it in its original (plain text) format.
     
  3. Authentication: Making sure that the information sent by the user reaches only the intended recipient.
     

TLS addresses all three concerns by performing two critical functions: encryption and authentication.
 

Through encryption, TLS scrambles the data in such a way that no unauthorized entity can come between a server and a client and steal or tamper with the data, thereby ensuring the privacy and integrity of the user data.
 

The second crucial function that TLS performs is the verification of identity. In essence, TLS acts as the machine’s identity. TLS relies on an asymmetric encryption method that involves identity verification of the recipient and/or the sender, and gives you the assurance that you’re talking to the party that you’re supposed to be talking to. This is a critical function for large organizations that handle the private data of tens of thousands of customers, partners and employees daily.

 

How TLS Encryption Works

The SSL/TLS protocol uses both symmetric and asymmetric encryption methods. The symmetric encryption method involves a single cryptographic key that can encrypt as well as decrypt the data. Think of it as locking and unlocking your front door using a single key.
 

In contrast to the symmetric encryption method, asymmetric encryption uses a pair of cryptographic keys. These keys are known as the “public key” and the “private key.” The public key, as the name implies, is publicly available. The private key, on the other hand, is supposed to be stored securely on the web server. The two keys are different but mathematically related to each other. Therefore, the data encrypted using the public key can only be decrypted using the private key related to it. This way, authentication can also be ensured along with encryption.
 

Both symmetric and asymmetric encryption are performed in a process called the “TLS handshake.” This process involves a series of steps of communication between a client and a server. First, both validate each other’s identity by verifying public and private keys. Once the identity has been authenticated, they create an ephemeral symmetric encryption key that encrypts and decrypts the data.


Here, I’d like to point out two things. First, the handshake process involves many other steps that I’ve not mentioned for ease of understanding. Second, the steps of the handshake process differ between versions of the SSL/TLS protocols. To give you an example, the handshake process of TLS 1.3 encryption consists of one round of communication while TLS 1.2 encryption involves three. However, the main functions of any SSL/TLS handshake process remain the same in all SSL/TLS versions. If you’d like to know more about SSL/TLS handshakes, then here’s a post that explores that function in greater depth.

 

Applications of TLS Encryption

The TLS protocol can be used in a variety of applications, including websites, email (SMTP), VPNs, remote connections, SIP-based applications, etc. However, the most widely known use of TLS encryption is to ensure secure connections between websites and web browsers. Here, TLS is implemented using digital files that are known as “SSL/TLS certificates.” These certificates are supposed to be installed on the web server of a website.
 

Until recently, if you saw a website with a padlock in front of its name in the URL bar, it meant that the website’s web server had been equipped with an SSL certificate and your connection with the website was secure. The reason why I’ve written the words “connection with the website” in italics is that having a padlock doesn’t mean the website is entirely secure. There are other things that you need to consider before giving away your personal data. (Here’s a great post that will help you understand why every SSL is not equal to foolproof security.)

NOTE: Browsers use a variety of indications of TLS use that may or may not display the padlock. Some browsers no longer display the padlock, assuming the secure status as the norm and instead only flagging the sites that don’t use TLS certificates.

 

Do You Need TLS Encryption?

If you have a website or run your own email server, then you absolutely need to have TLS encryption in place. Just ask Hillary Clinton, not to mention a surprising number of groups within organizations. A website without an SSL/TLS certificate not only puts its users’ privacy and security at significant risk, but also gets flagged for its lack of security by web browsers. This is not a pretty sight for any website owner. Moreover, e-commerce sites are mandated to use TLS encryption by PCI (Payment Card Industry) standards.
 

Do you know if all of your organization’s web properties are secured by TLS encryption? Whether you’re a multi-billion dollar e-commerce enterprise or a tiny website with a handful of visitors, you need TLS encryption—it’s as simple as that!
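One way to answer that question for a list of hosts, as an added example (not code from the original post): `probe()` performs a handshake with chain and hostname verification and records the negotiated version, cipher and certificate expiry, and `assess()` grades the result. The host names, the `SAMPLE` records and the 30-day warning window are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def strict_client_context() -> ssl.SSLContext:
    """Verify the certificate chain and hostname; refuse SSL and TLS below 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run a handshake and record what was negotiated, or why it failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
                return {"host": host, "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "not_after": tls.getpeercert()["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "error": f"certificate rejected: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "error": f"no TLS session: {exc}"}

def assess(result: dict, now: datetime, warn_days: int = 30) -> str:
    """FAIL: no verified session or expired cert. WARN: expires within warn_days."""
    if "error" in result:
        return "FAIL"
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(result["not_after"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return "FAIL"
    return "WARN" if days_left < warn_days else "OK"

# Constructed sample results in the shape probe() returns (hosts are placeholders).
SAMPLE = [
    {"host": "shop.example", "version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "not_after": "Jun  1 12:00:00 2030 GMT"},
    {"host": "mail.example", "version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "not_after": "Jan 10 00:00:00 2025 GMT"},
    {"host": "old.example", "error": "no TLS session: connection refused"},
]

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for r in SAMPLE:
        print(f'{r["host"]:14} {assess(r, now):5} {r.get("version", r.get("error"))}')
```

For a live inventory, replace `SAMPLE` with `[probe(h) for h in hosts]` and pass `datetime.now(timezone.utc)` as `now`.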






 

About the author

Jay Thakkar

Jay is a freelance cybersecurity writer passionate about educating the Information Technology community. He has previously written for The SSL Store.
