TLS Security 1: What Is SSL/TLS | Acunetix (2024)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic security protocols. They are used to make sure that network communication is secure. Their main goals are to provide data integrity and communication privacy. The SSL protocol was the first protocol designed for this purpose and TLS is its successor. SSL is now considered obsolete and insecure (even its latest version), so modern browsers such as Chrome or Firefox use TLS instead.

SSL and TLS are commonly used by web browsers to protect connections between web applications and web servers. Many other TCP-based protocols use TLS/SSL as well, including email (SMTP/POP3), instant messaging (XMPP), FTP, VoIP, VPN, and others. Typically, when a service uses a secure connection the letter S is appended to the protocol name, for example, HTTPS, SMTPS, FTPS, SIPS. In most cases, SSL/TLS implementations are based on the OpenSSL library.

SSL and TLS are frameworks that use a lot of different cryptographic algorithms, for example, RSA and various Diffie–Hellman algorithms. The parties agree on which algorithm to use during initial communication. The latest TLS version (TLS 1.3) is specified in the IETF (Internet Engineering Task Force) document RFC 8446 and the latest SSL version (SSL 3.0) is specified in the IETF document RFC 6101.

Privacy & Integrity

SSL/TLS protocols allow the connection between two parties (client and server) to be encrypted. Encryption lets you make sure that no third party is able to read the data or tamper with it. Unencrypted communication can expose sensitive data such as user names, passwords, credit card numbers, and more. If we use an unencrypted connection and a third party intercepts our connection with the server, they can see all information exchanged in plain text. For example, if we access the website administration panel without SSL, and an attacker is sniffing local network traffic, they see the following information.

[Image: sniffed unencrypted traffic, with the authentication cookie visible in plain text]

The cookie that we use to authenticate on our website is sent in plain text and anyone who intercepts the connection can see it. The attacker can use this information to log into our website administration panel. From then on, the attacker’s options expand dramatically. However, if we access our website using SSL/TLS, the attacker who is sniffing traffic sees something quite different.

[Image: the same traffic as seen by the attacker when SSL/TLS is used]

In this case, the information is useless to the attacker.

Identification

SSL/TLS protocols use public-key cryptography. Besides encryption, this technology is also used to authenticate the communicating parties. This means that one or both parties know exactly who they are communicating with. This is crucial for applications such as online transactions because we must be sure that we are transferring money to a person or company that is who they claim to be.

When a secure connection is established, the server sends its SSL/TLS certificate to the client. The certificate is then checked by the client against a trusted Certificate Authority, validating the server’s identity. Such a certificate cannot be falsified, so the client may be one hundred percent sure that they are communicating with the right server.
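The certificate check described above only happens if the client is configured to perform it. The following is an added example, not code from the original article: it uses Python's standard `ssl` module to build a client that verifies the certificate chain and host name and refuses SSL and early TLS, next to a constructed misconfigured client that encrypts without identifying the server. All function names are illustrative assumptions.

```python
import socket
import ssl

# Added example: function names are illustrative, not taken from the article.


def hardened_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server and refuses SSL / early TLS."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL 3.0, TLS 1.0 or TLS 1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern, constructed for contrast: encryption without identification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings that would let the client talk to an unidentified server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the requested host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def peer_identity(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report who answered.

    Raises ssl.SSLCertVerificationError if the certificate is untrusted,
    expired, or issued for a different host name.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": cert["subject"], "issuer": cert["issuer"],
                    "protocol": tls.version()}
```

`audit_client_context` can be pointed at any `ssl.SSLContext` an application builds, which makes it usable as a unit-test guard against verification being switched off.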

Perfect Forward Secrecy

Perfect forward secrecy (PFS) is a mechanism that is used to protect the client if the private key of the server is compromised. Thanks to PFS, the attacker is not able to decrypt any previous TLS communications. To ensure perfect forward secrecy, we use new keys for every session. These keys are valid only as long as the session is active.
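Whether a session actually gets fresh keys depends on the negotiated cipher suite. The following is an added example, not code from the original article: it classifies cipher suites in the format returned by Python's `ssl.SSLContext.get_ciphers()` as forward secret or not, and builds a client context restricted to forward-secret suites. The sample list is constructed, and the function names are illustrative assumptions.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLContext.get_ciphers()
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2"},  # RSA key transport
]


def is_forward_secret(name: str, protocol: str) -> bool:
    """True when session keys come from an ephemeral Diffie-Hellman exchange."""
    if protocol == "TLSv1.3":
        return True  # TLS 1.3 certificate handshakes always use ephemeral (EC)DHE
    # OpenSSL names ephemeral key exchanges with an ECDHE- or DHE- prefix.
    return name.startswith(("ECDHE-", "DHE-"))


def split_by_forward_secrecy(suites):
    """Partition get_ciphers()-style entries into (forward secret, not) name lists."""
    fs, no_fs = [], []
    for suite in suites:
        secret = is_forward_secret(suite["name"], suite["protocol"])
        (fs if secret else no_fs).append(suite["name"])
    return fs, no_fs


def forward_secret_context() -> ssl.SSLContext:
    """Client context whose TLS 1.2 suites are limited to ECDHE with AEAD ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.3 suites are unaffected
    return ctx


if __name__ == "__main__":
    # Audit the suites enabled by this machine's default client settings.
    fs, no_fs = split_by_forward_secrecy(ssl.create_default_context().get_ciphers())
    print("forward secret:", len(fs), "| not forward secret:", no_fs)
```

With a suite such as `AES256-GCM-SHA384`, the session key is protected by the server's long-term RSA key, so recorded traffic becomes readable if that key later leaks; the ephemeral suites do not have this property.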

TLS Security 2

Learn about the history of SSL/TLS and protocol versions: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

TLS Security 3

Learn about SSL/TLS terminology and basics, for example, encryption algorithms, cipher suites, message authentication, and more.

TLS Security 4

Learn about SSL/TLS certificates, certificate authorities, and how to generate certificates.

TLS Security 5

Learn how a TLS connection is established including key exchange, TLS handshakes, and more.

TLS Security 6

Learn about TLS vulnerabilities and attacks such as POODLE, BEAST, CRIME, BREACH, and Heartbleed.

Frequently asked questions

TLS stands for Transport Layer Security. It is a cryptographic security protocol that is used to securely send information over the Internet. It guarantees that nobody can read sensitive information and it guarantees that the sender of the information is not forged.

Find out how TLS works.

SSL stands for Secure Sockets Layer. It is a predecessor to TLS. All versions of SSL are insecure. Neither you nor any applications should ever use SSL. It is mentioned only for its historical significance.

Read about the history of SSL and TLS.

HTTPS is a secure version of the HTTP protocol. It is an extension of the HTTP protocol that implements TLS. It lets you securely access websites and web applications. With HTTPS you can be sure that nobody reads your sensitive information and you can be sure that you are accessing the real website and not a forged one.

Read about HSTS – how to make your website or web application accept only HTTPS connections.

If you communicate without TLS, someone may easily perform a man-in-the-middle attack and intercept your communication. They can, for example, learn your passwords or steal your session cookie so that they can impersonate you. That is why many websites and web applications allow only communication using TLS (HTTPS).

Read more about man-in-the-middle attacks.

THE AUTHOR

Agathoklis Prodromou
Web Systems Administrator/Developer

Akis has worked in the IT sphere for more than 13 years, developing his skills from a defensive perspective as a System Administrator and Web Developer but also from an offensive perspective as a penetration tester. He holds various professional certifications related to ethical hacking, digital forensics and incident response.
