SSL/TLS

The Internet is an environment composed of an incredibly diverse range of devices communicating with one another. Protocols like TCP/IP and HTTP enable any device to connect to the Internet and communicate with the other devices connected to it.

HTTP (Hypertext Transfer Protocol) is the most common protocol used for viewing webpages. In standard HTTP, all data is sent over the Internet in clear text, leaving it readable by anyone eavesdropping on the connection. To overcome this, HTTPS, the Secure Hypertext Transfer Protocol, employs two security protocols (SSL and TLS) to provide authentication, privacy, and integrity. A key feature of these two security protocols is that they allow the two peers (e.g. client and server) to negotiate with each other.

There are many different cryptographic implementations, and given the number of devices that communicate with one another over the Internet, some of these cryptographic routines will be incompatible between two peers. SSL and TLS allow any two peers to agree on a subset of shared cryptographic routines and use it to create a secure communication channel between them.

Secure Sockets Layer (SSL) is the secure communications protocol that protects large areas of the Internet by securing transmissions over TCP/IP. SSL protects data by enabling public key encryption, which also provides authentication between client and server. The initial negotiation, or handshake, of the SSL protocol begins with the user's browser requesting an SSL certificate from the target server; once it receives the certificate, the browser verifies it against a Certificate Authority, and finally the client and server agree on a shared session key and on the encryption method to be used for all further communication during the session.

Transport Layer Security (TLS) is the successor to SSL. Like SSL, TLS can be combined with other protocols (TLS + HTTP = HTTPS). TLS also conducts a handshake process to kick off a secure communication session. The TLS handshake authenticates both parties and establishes the encryption method as well as the session key. While SSL and TLS are very similar, there are two key differences between them: TLS uses stronger encryption algorithms, and it can operate on different available ports. Despite TLS replacing SSL in 1999, it is still common for people to use the term SSL when speaking about this handshake layer. It is important to note, however, that nowadays TLS is the protocol most likely to be in use.
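The negotiation step described above (the two peers settling on a protocol version and a shared cipher suite, or failing the handshake if they cannot) as an added toy model in Python; this is not code from the original post and not a real TLS implementation. The suite and version names mirror real TLS identifiers, but the message types, the `ServerPolicy` floor and the selection logic are constructed assumptions, and the model ignores that TLS 1.3 and TLS 1.2 use different suite lists.

```python
"""Toy model of TLS version and cipher-suite negotiation (constructed example)."""
from dataclasses import dataclass

# Version rank follows the on-the-wire (major, minor) value, oldest first.
VERSION_RANK = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302,
                "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}


@dataclass
class ClientHello:
    versions: list        # versions the client is willing to speak
    cipher_suites: list   # in the client's order of preference


@dataclass
class ServerPolicy:
    min_version: str      # lowest version the server will accept
    cipher_suites: list   # in the server's order of preference


@dataclass
class ServerHello:
    version: str
    cipher_suite: str


class HandshakeFailure(Exception):
    """Raised with the name of the TLS alert a real server would send."""


def negotiate(hello: ClientHello, policy: ServerPolicy) -> ServerHello:
    # 1. Pick the newest version both sides know, but refuse anything below
    #    the server's floor so a client offering only SSLv3/TLS 1.0 cannot
    #    drag the session down to a legacy protocol.
    offered = [v for v in hello.versions if v in VERSION_RANK]
    if not offered:
        raise HandshakeFailure("protocol_version")
    version = max(offered, key=VERSION_RANK.get)
    if VERSION_RANK[version] < VERSION_RANK[policy.min_version]:
        raise HandshakeFailure("protocol_version")
    # 2. Choose the first suite in the *server's* preference order that the
    #    client also offered, so a client listing a weak suite first cannot
    #    steer the choice (server-preference, as OpenSSL's
    #    SSL_OP_CIPHER_SERVER_PREFERENCE option does).
    common = [s for s in policy.cipher_suites if s in hello.cipher_suites]
    if not common:
        raise HandshakeFailure("handshake_failure")
    return ServerHello(version, common[0])


def alert_for(hello: ClientHello, policy: ServerPolicy):
    """Return the alert name the handshake would fail with, or None on success."""
    try:
        negotiate(hello, policy)
        return None
    except HandshakeFailure as exc:
        return str(exc)
```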
