TLS (transport layer security) is a cryptographic protocol that facilitates secure connections over a computer network. The secure connection between two end-points (typically, a server and client) is ensured by encrypting the data-in-transit, which is commonly referred to as “TLS/SSL encryption.” It’s a vital technology that has been the bedrock of internet security since the early days of the web.
In this post, I’ll explore how TLS encryption came into existence, what functions it performs, and how it ensures the security and privacy of your data.
I know it’s confusing that the terms “SSL” and “TLS” are often used to describe the same type of encryption. The easy answer is that SSL (Secure Sockets Layer) is the predecessor of the TLS protocol. The terms SSL and TLS are used interchangeably because many prefer using the term “SSL” as it was the original term. SSL was developed by Netscape way back in 1995. Three versions of SSL were released through 1996, but all of them have been found to be vulnerable. This led to SSL’s deprecation, and TLS 1.0 was introduced in 1999. Since then, three versions of TLS have been released and it’s become a standard protocol for data security on the internet.
All of us transmit a ton of information every day, including sensitive information such as our credit card data, passwords, social security number, email communication, etc. We can send such information without much worry. Well, TLS encryption is the reason we can do that.
When you make a purchase using your credit card, you type in your credit card details in plain text. If it remains in plain text while it’s on the way from your device to the web server, a hacker can easily intercept and tamper with it. In technical terms, this attack is known as a “man-in-the-middle” (MiTM) attack. To give a sense of security to users that their privacy will remain intact, there was a need for a technology that thwarts MiTM attacks, and that’s how TLS encryption became an indispensable element in the web security arsenal.
Have you ever tried to solve Rubik’s cube? If you have, you’d know that one needs to solve six sides/colors in order to solve it. Similarly, information security is a puzzle that consists of three major security concerns that one needs to address in order to ensure data security. They are:
TLS addresses all three concerns by performing two critical functions: encryption and authentication.
Through encryption, TLS scrambles the data in such a way that no unauthorized entity can come in between a server and a client, and steal or tamper with the data, thereby, ensuring the privacy and integrity of the user data.
The second crucial function that TLS performs is the verification of identity. In essence, TLS acts as the machine’s identity. TLS works on an asymmetric encryption method that involves identity verification of the recipient and/or the sender and gives you the assurance that you’re talking to the party that you’re supposed to be talking to. This is a critical function for large organizations that are handling the private data of tens of thousands of customers, partners, and employees daily.
The SSL/TLS protocol works on both symmetric and asymmetric encryption methods. The symmetric encryption method involves a single cryptographic key that can encrypt as well as decrypt the data. Think of it as locking and unlocking the front door of your home using a single key.
In contrast to the symmetric encryption method, asymmetric encryption uses a pair of cryptographic keys. These keys are known as “public key” and “private key.” The public key, as the name implies, is publicly available. A private key, on the other hand, is supposed to be stored securely on the webserver. Both these keys are different but mathematically related to each other. Therefore, the data encrypted using the public key can only be decrypted using the private key related to it. This way, authentication can also be ensured along with encryption.
Both symmetric and asymmetric encryption are performed in a process called “TLS handshake.” This process involves a series of steps of communication between a client and a server. First, both validate each other’s identity by verifying public and private keys. Once the identity has been authenticated, they create an ephemeral symmetric encryption key that encrypts and decrypts the data.
Here, I’d like to point out two things. First, the handshake process involves many other steps that I’ve not mentioned for ease of understanding. Second, the handshake process differs—in terms of the steps—for different versions of the SSL/TLS protocols. To give you an example, the handshake process of TLS 1.3 encryption consists of one round of communication while TLS 1.2 encryption involves three. However, the main functions of any SSL/TLS handshake process remain the same in all SSL/TLS versions. If you’d like to know more about SSL/TLS handshakes, then here’s a post that explores that function in greater depth.
The TLS protocol can be used in a variety of applications that include websites, emails (SMTP), VPN, remote connections, SIP-based applications, etc. However, the most widely-known use of TLS encryption is to ensure secure connections between websites and web browsers. Here, TLS is implemented using digital files that are known as “SSL/TLS certificates.” These certificates are supposed to be installed on the webserver of a website.
Until recently, if you saw any website with a padlock in front of its name in the URL bar, it meant that the website’s web server had been equipped with an SSL certificate and your connection with the website was secure. The reason why I’ve written the words “connections with the website” in italics is that having a padlock doesn’t mean the website is entirely secure. There are other things that you need to consider before giving away your personal data. (Here’s a great post that will help you understand why every SSL is not equal to foolproof security.) NOTE: Browsers use a variety of indications of TLS use that may or may not display the padlock. Some browsers no longer display the padlock, assuming the secure status as the norm and instead only flagging the sites that don’t use TLS certificates.
If you have a website or your own email server, then you absolutely need to have TLS encryption in place. Just ask Hillary Clinton, not to mention a surprising number of groups within organizations. A website without an SSL/TLS certificate doesn’t only put its users’ privacy and security at significant risk, but it also gets flagged for its lack of security by web browsers. This is not a pretty sight for any website owner. Moreover, e-commerce sites are mandated to use TLS encryption by PCI (Payment Card Industry) standards.
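Having TLS in place only protects users if the endpoints are configured to authenticate the peer and to refuse the deprecated protocol versions. The following added example (not code from the original post) uses Python's standard `ssl` module to audit a client-side context; the TLS 1.2 floor and the function names are assumptions chosen for illustration.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server and refuses SSL/early TLS."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: traffic is encrypted, but nobody is authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return one finding per setting that weakens authentication or encryption."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (MiTM possible)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings


def negotiated_parameters(host: str, port: int = 443) -> dict:
    """Handshake with a live server (needs network) and report what was agreed."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

`negotiated_parameters` is not called by the block itself; run it against a host you operate to see the protocol version and cipher suite the handshake settled on.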
Do you know if all of your organization’s web properties are secured by TLS encryption? Whether you’re a multi-billion dollar e-commerce enterprise or a tiny website with a handful of visitors, you need TLS encryption—it’s as simple as that!