SSL, TLS, HTTPS. These three acronyms seem almost interchangeable, yet many are unsure of exactly what they mean. In an age where internet security is becoming more critical than ever before, it is important to understand the distinction between these three terms.
What is SSL, TLS, HTTPS and how do they relate to internet security?
Secure Sockets Layer (SSL) is an encryption protocol, that creates a secure channel for communication between the client (your computer) and the server. SSL went through three versions before being retired and succeeded by TLS.
Transport Layer Security (TLS) is the successor to SSL. TLS built on and improved what SSL was. TLS is still commonly referred to as SSL, but to be clear the SSL protocol itself is no longer allowed and has been deprecated. Most modern browsers have support for the latest version of TLS (v1.3), however Internet Explorer is not among these and is no longer considered to be a secure and compliant browser, its use should be minimised to ensure one’s business is as secure as possible, and PCI DSS compliant.
HTTPS is the implementation of TLS transferring HTTP data.
All of this together allows clients and servers to communicate in a way that is designed to prevent eavesdropping, tampering or message forgery. One can identify sites with HTTPS enabled, by the green padlock at the beginning of the address bar.
Why does this internet security exist?
The main goal of TLS is to provide privacy and data integrity by establishing a secure connection between two parties. By standardising the protocol, programmers are able to develop applications that implement and benefit from TLS without knowledge of one another’s code. The extensibility provided by the TLS protocol prevents the need for new protocols and subsequently new weaknesses being made available.
By constantly extending the existing protocol, the secure foundation is laid and built upon. TLS makes use of optional session caching to reduce the need for unnecessary CPU usage, that is needed with most cryptographic operations. This means some initial encrypted negotiations take place to establish the encryption keys for the rest of the session.
How does this internet security work?
Imagine a treasure chest with a lock on it. This lock is special because it has two keyholes, each with their own key. The first keyhole can only be used to lock the chest. The second keyhole can only be used to unlock the chest.
The key that locks is available to everyone and we can call it the Public Key.
The key that unlocks is only held by the intended receiver of the chest and we call it the Private Key.
These two keys belong in a pair.
As soon as a chest is locked with a certain Public Key, it can only ever be opened with the corresponding Private Key.
So let’s say you want to have a private and secure conversation with me. We can do this by sending these chests back and forth.
1. You say: “Hi, I want to send something. I think a chest should be used.”
2. I say: “Awesome, I’d like to receive something. I agree that a chest will be used. Here’s a certificate proving I am who I say I am, along with the Public Key you’ll need for the chest.”
3. You go off and verify the certificate I gave you with a trusted authority. If everything is legitimate, you lock some information in a chest and send it to me.
4. I open the chest with my Private key. A bit of back and forth chest sending then happens to create a new set of keys that will be used for the rest of the conversation.
5. The new keys are now used to send chests back and forth securely.
This “chest sending protocol” is basically the TLS protocol and the process described is called the handshake. TLS merely defines the “language” in which the given protocol is spoken in. A secret cypher language defined by the newly-created public/private keys. TCP is the transmission, it defines how the language is transmitted. HTTP is the what being discussed. In this sense, if you were talking about cats over the phone – TLS would be English, TCP would be the phone line, and cats would be HTTP. Sticking with the chest analogy, TLS is the keys, TCP is the chest, HTTP is the contents of the chest.
In reality, this is what happens:
1. Client Hello
The client sends all the information that the server needs to communicate with the client. The version number, cipher settings and session-specific data.
2. Server Hello
The server sends all the information that the client needs to communicate with the server. The version number, cipher settings, session-specific data and certificate.
3. Authentication and Pre-Master Secret
The client authenticates the server certificate with a certificate authority and gets the server’s public key. The client then creates the pre-master secret that will be used for the session; encrypts the pre-master secret with the server’s public key and sends it to the server.
4. Decryption and Master Secret
The server uses its private key to decrypt the pre-master secret that was received. Both the server and client work together to generate the master secret.
5. Encryption with Session Key
The client and server exchange messages to inform that future messages will be encrypted with the newly generated keys. Certificate Authorities are responsible for issuing the digital certificates that are used in the handshake. The certificates are used to verify the identity and provide the public key that will be used in the handshake.
Certificates are not dependent on SSL or TLS. Certificates merely facilitate proof of identity during the TLS handshake; they are not in any way responsible for the formation or configuration or cypher of the TLS-enabled connection. Most vendors refer to certificates as “SSL certificates”. You might assume that “SSL Certificates” have to be deprecated in favour of “TLS Certificates”, but this is not the case. Certificates are merely used to verify one’s identity and are not dependant on the protocol being used.
When do you use this internet security?
If data moves in both directions between a client and server, TLS should be implemented. That means if one submits any information to a website it should be using HTTPS.
Google uses HTTPS as a ranking signal in their algorithms. This means improved SEO rankings for websites that make use of HTTPS. Although there are many other ways to improve SEO on your website, HTTPS will definitely help.
Lastly, if you want to show that you take internet security seriously, the green padlock in the URL bar signals that your site can be trusted with its user’s data.