TLS encryption, or Transport Layer Security encryption, is a cryptographic protocol designed to secure communications over a computer network. By encrypting data transmitted between a client and a server, TLS keeps sensitive information, such as login credentials, financial details, and personal data, confidential and protected from eavesdropping, tampering, and forgery. As the successor to SSL (Secure Sockets Layer), TLS has become the standard for internet security, enabling secure web browsing, email communication, and various other online services.
A Brief History of SSL and TLS
I know it’s confusing that the terms “SSL” and “TLS” are often used to describe the same type of encryption. The easy answer is that SSL (Secure Sockets Layer) is the predecessor of the TLS protocol. The two terms are used interchangeably because many people still prefer the original term, “SSL.” SSL was developed by Netscape back in 1995. Three versions of SSL were released through 1996, but all of them have since been found to be vulnerable. This led to SSL’s deprecation, and TLS 1.0 was introduced in 1999. Since then, three further versions of TLS have been released, and it has become the standard protocol for data security on the internet.
Why We Need TLS Encryption for a Secure Internet
All of us transmit a ton of information every day, including sensitive information such as credit card data, passwords, social security numbers, and email, and we send it without much worry. TLS encryption is the reason we can do that.
When you make a purchase with your credit card, you type your card details in plain text. If they remain in plain text on the way from your device to the web server, a hacker can easily intercept and tamper with them. In technical terms, this is known as a “man-in-the-middle” (MiTM) attack. To give users assurance that their privacy will remain intact, there was a need for a technology that thwarts MiTM attacks, and that’s how TLS encryption became an indispensable element in the web security arsenal.
How TLS Solves the InfoSec Puzzle
Have you ever tried to solve a Rubik’s cube? If you have, you know that all six sides/colors have to be solved before the cube is. Similarly, information security is a puzzle that consists of three major security concerns, all of which need to be addressed in order to guarantee data security. They are:
- Data Integrity: Assurance to the user that the data will reach the intended recipient in the exact form that one had sent.
- Data Privacy: Protection of the data sent by users in such a way that only the intended entity can see it in its original (plain text) format.
- Authentication: Making sure that the information sent by the user reaches only the intended recipient.
TLS addresses all three concerns by performing two critical functions: encryption and authentication.
Through encryption, TLS scrambles the data so that no unauthorized party can come between a server and a client and steal or tamper with it, thereby ensuring the privacy and integrity of the user’s data.
The second important function TLS performs is identity verification. In essence, TLS acts as the machine’s identity. TLS relies on an asymmetric encryption method that involves verifying the identity of the recipient and/or the sender, which gives you the assurance that you’re talking to the party you’re supposed to be talking to. This is a critical function for large organizations that handle the private data of tens of thousands of customers, partners, and employees every day.
How TLS Encryption Works
A website needs an SSL/TLS certificate for its web server/domain name to enable SSL/TLS encryption. With this certificate in place, the client and server establish an encrypted session through the following steps:
- The client makes an initial connection with the server through a secure URL (HTTPS).
- The server presents its certificate and public key to the client.
- The client verifies the authenticity of the certificate with a Trusted Root Certification Authority.
- The client and server jointly determine the most robust encryption method that is mutually supported.
- Using the server’s public key, the client encrypts a session (secret) key and sends it to the server.
- The server uses its private key to decrypt the session key, thus securing the session.
- This session key (symmetric encryption) is employed to encrypt and decrypt the data transferred between the client and server.
- Both the client and server proceed to communicate over HTTPS (SSL/TLS + HTTP), indicated by a lock icon in the web browser’s address bar. HTTPS uses Port 443.
When you leave the website, the session keys are discarded. When you return, a new handshake is performed and new keys are created.
The SSL/TLS protocol uses both symmetric and asymmetric encryption. Symmetric encryption uses a single cryptographic key that both encrypts and decrypts the data. Think of it as locking and unlocking your front door with a single key.
In contrast, asymmetric encryption uses a pair of cryptographic keys, known as the “public key” and the “private key.” The public key, as the name implies, is publicly available. The private key, on the other hand, is supposed to be stored securely on the web server. The two keys are different but mathematically related to each other, so data encrypted with the public key can only be decrypted with the private key that belongs to it. This way, authentication can be ensured along with encryption.
Both symmetric and asymmetric encryption are used in a process called the “TLS handshake,” a series of messages exchanged between a client and a server. First, the two sides validate each other’s identity by verifying public and private keys. Once identity has been authenticated, they create an ephemeral symmetric encryption key that encrypts and decrypts the data.
Here, I’d like to point out two things. First, the handshake involves many other steps that I’ve left out for ease of understanding. Second, the exact steps of the handshake differ between versions of the SSL/TLS protocol. To give you an example, the TLS 1.3 handshake consists of one round of communication while TLS 1.2 involves three. However, the main functions of the handshake remain the same in all SSL/TLS versions. If you’d like to know more about SSL/TLS handshakes, here’s a post that explores that function in greater depth.
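The handshake steps listed above and the symmetric/asymmetric split just described can be watched end to end in a few dozen lines of Go, using only the standard library’s crypto/tls and crypto/x509 packages. The following is an added example, not code from the original post: it constructs a self-signed certificate in-process (standing in for one a CA would issue), serves TLS on a loopback socket, and connects a client that trusts only that certificate and expects the hypothetical hostname shop.example. The client’s trust store plays the role of the “Trusted Root Certification Authority,” the client and server agree on a cipher suite, and the message sent afterwards is protected with the symmetric session key. Two deliberate failures show the authentication side: a client with an empty trust store, and a client expecting a different hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert builds a self-signed certificate for host. Key and certificate are
// constructed in-process only for this demo; a real server gets its certificate from a CA.
func newServerCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the asymmetric key pair
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the name the client will check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it can serve as its own trusted root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// runHandshake serves TLS on a loopback socket, connects a client that trusts only
// roots and expects the name host, and sends msg through the encrypted session.
func runHandshake(serverCert tls.Certificate, roots *x509.CertPool, host, msg string) (tls.ConnectionState, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer ln.Close()
	// Server: present the certificate, finish the handshake (implicit in the first
	// Read), decrypt one record with the session key and echo it back.
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		defer conn.Close()
		buf := make([]byte, 256)
		if n, err := conn.Read(buf); err == nil {
			conn.Write(buf[:n])
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	// Client: verify the server certificate against roots for host; refuse anything below TLS 1.2.
	client := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12})
	defer client.Close()
	if err := client.Handshake(); err != nil { // rejected certificate or no common cipher suite
		return tls.ConnectionState{}, "", err
	}
	if _, err := client.Write([]byte(msg)); err != nil { // encrypted with the session key
		return tls.ConnectionState{}, "", err
	}
	buf := make([]byte, 256)
	n, err := client.Read(buf)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	return client.ConnectionState(), string(buf[:n]), nil
}

func main() {
	cert, leaf, err := newServerCert("shop.example") // hypothetical hostname
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(leaf) // the client's trusted root for this demo
	st, echo, err := runHandshake(cert, trusted, "shop.example", "order=1234 (constructed)")
	fmt.Printf("trusted: version=0x%04x suite=%s echo=%q err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), echo, err)
	_, _, err = runHandshake(cert, x509.NewCertPool(), "shop.example", "x")
	fmt.Println("untrusted root:", err)
	_, _, err = runHandshake(cert, trusted, "other.example", "x")
	fmt.Println("wrong hostname:", err)
}
```

Run it with `go run` and the first line reports the negotiated version and cipher suite plus the echoed message; the other two lines show the client refusing the handshake with an “unknown authority” and a hostname-mismatch error respectively, which is exactly the check that defeats a MiTM presenting its own certificate. One caveat on step 5 of the list above: current Go negotiates TLS 1.3 by default, and TLS 1.3 no longer encrypts the session key with the server’s public key; the session key is derived from an ephemeral key exchange, and the server proves it holds the private key by signing the handshake. The roles described on this page, certificate verification, suite agreement and a symmetric session key, are the same either way.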
Applications of TLS Encryption
The TLS protocol can be used in a variety of applications that include websites, email (SMTP), VPNs, remote connections, SIP-based applications, etc. However, the most widely known use of TLS encryption is to secure connections between websites and web browsers. Here, TLS is implemented using digital files known as “SSL/TLS certificates.” These certificates are installed on the web server of a website.
Until recently, if you saw a website with a padlock in front of its name in the URL bar, it meant that the website’s web server had been equipped with an SSL certificate and your connection with the website was secure. The reason I’ve emphasized the phrase “connection with the website” is that having a padlock doesn’t mean the website is entirely secure. There are other things you need to consider before giving away your personal data. (Here’s a great post that will help you understand why SSL alone does not equal foolproof security.) NOTE: Browsers use a variety of indicators of TLS use that may or may not include the padlock. Some browsers no longer display the padlock at all, treating the secure status as the norm and instead only flagging sites that don’t use TLS certificates.
Do You Need TLS Encryption?
If you have a website or run your own email server, then you absolutely need to have TLS encryption in place. Just ask Hillary Clinton, not to mention a surprising number of groups within organizations. A website without an SSL/TLS certificate not only puts its users’ privacy and security at significant risk, it also gets flagged for its lack of security by web browsers. This is not a pretty sight for any website owner. Additionally, e-commerce sites are mandated to use TLS encryption by PCI (Payment Card Industry) standards.
Do you know if all of your organization’s web properties are secured by TLS encryption? Whether you’re a multi-billion dollar e-commerce enterprise or a tiny website with a handful of visitors, you need TLS encryption—it’s as simple as that!