The modern “trusted Internet” is synonymous with two ubiquitous technologies: Secure Sockets Layer (SSL) and Transaction Layer Security (TLS). This article will refer to both TLS and SSL environment simply as SSL. Cryptographic keys allow for encrypted private conversations between remote parties while digital certificates ensure that servers truly belong to the entities for which they represent online. These components comprise the Public Key Infrastructure (PKI) that makes secure conversations and transactions possible on the inherently insecure public Internet.
What indicators come to mind when you think of the “trusted Internet?” Is it the padlock icon? Or is it perhaps the “https://” designation in the browser address bar? Have you ever really looked at a digital certificate and verified that it is issued by a recognizable certificate authority (CA)? SSL encompasses all of these elements and more.
SSL/TLS certificates play a critical role in secure and encrypted communications between a client and a server. First, the server’s certificate, containing its public key, is used by the client to determine whether the client should accept a trust relationship with the server. If the client accepts or validates the authenticity of the server, then the server certificate is used to establish a secure, encrypted channel for the ensuing session. These protocols are not new. SSL became an Internet standard in 1994, with TLS being added soon thereafter. Both are constructed around a similar architecture using X.509 certificates. Although there are some differences between SSL and TLS, this document refers to the protocol as SSL/TLS, since the two share a common architecture. SSL/TLS is most often represented as HTTPS, but the protocol can be used to secure any TCP-based application. SSL/TLS is also popular for encrypting traffic between email clients and POP or IMAP servers, setting up secure tunnels between IDS sensors and management consoles, and supporting VPNs as a lower-cost alternative to IPSec.
Current SSL 3.0 debuted in 1996 and quickly became the Internet’s primary security mechanism. TLS extends SSL by allowing clients and servers to specify accepted hash and signature algorithms and support additional cipher suites. TLS 1.2 arrived in 2008 and its 2011 enhancement removed backwards compatibility to the less secure SSL 2.0.
Current best security practices by the National Institute of Standards (NIST) recommend utilizing SSL 3.0 with TLS 1.2 for maximum security. Note that even the “most secure” version of SSL/TLS is based on a 2008 specification!