
What is TLS? Understanding Transport Layer Security and HTTPS

Robert-George

When you visit a website over HTTPS, most browsers show a small padlock icon next to the URL. That padlock means the connection is protected by a technology called TLS.

Transport Layer Security (TLS) is one of the most important security protocols on the internet. It protects data in transit between a client and a server so that sensitive information such as account passwords, credit card numbers and private messages cannot be read or altered by anyone who intercepts the traffic.

In this article we will discuss what TLS is, how it works and why it is important to ensure that the internet is secure.

What is TLS?

TLS stands for Transport Layer Security. It is a cryptographic protocol designed to provide authentication, confidentiality, and integrity between two communicating applications.

In simpler terms, it ensures that data:

  • Is not read by attackers
  • Cannot be changed by attackers
  • You are speaking to who you think you are speaking to

TLS succeeded a protocol called SSL (Secure Sockets Layer), which is why people today still often refer to an "SSL certificate". The certificate itself is an X.509 certificate and works the same way under either protocol; on a modern website it is only ever used with TLS.

Why is TLS so important?

Without the encryption provided by TLS, data crosses every network between you and the server in the clear, where anyone on the path (a Wi-Fi operator, an ISP, a compromised router) can read it.

For instance, if you log into your bank account over an unencrypted connection on a public Wi-Fi network, someone on that network can capture your login details. With TLS in place, a user on the same network can see which server you are talking to and roughly how much data moves, but not its contents.

Information commonly secured by TLS includes:

  • Login credentials
  • Payment information
  • Private messages
  • Emails
  • API calls
  • File transfers

How does TLS work?

TLS uses a process called a handshake between the two communicating systems (your browser and a website) to agree on a protocol version and cipher suite, authenticate the server, and derive the shared keys that protect the rest of the connection.

Simplified process (TLS 1.3 ordering; TLS 1.2 sends its key-exchange material after the certificate rather than inside the hello messages):

  1. Client Hello-The client (your browser) sends a "hello" message listing the protocol versions and cipher suites it supports, a 32-byte random value, and its public share for an ephemeral (single-use) Diffie-Hellman key exchange.
  2. Server Hello-The server (website) picks the version and cipher suite it will use and replies with its own random value and its own key share. It then sends its certificate, which was issued to it by a Certificate Authority when the site was set up, plus a signature over the handshake made with the private key belonging to that certificate. The client now needs to authenticate the certificate.
  3. Client verifies server certificate-Your browser checks that the certificate sent by the server:
    a. Chains to a Certificate Authority (CA) in its trust store, with every signature in the chain valid.
    b. Is within its validity period (neither expired nor not yet valid).
    c. Names the domain it is connecting to, in the Subject Alternative Name field.
    It also verifies the server's handshake signature with the certificate's public key, which proves the server holds the matching private key. If any of these checks fail, the browser aborts the connection.
  4. Key Exchange-Each side combines its own private share with the other side's public share and arrives at the same shared secret; an eavesdropper who saw both public shares cannot compute it. Both sides feed that secret, together with a hash of the handshake messages so far, into a key-derivation function to produce the session keys.
  5. Secure Session Established-From this point the client and server encrypt and integrity-protect every record with the symmetric session keys.

TLS Encryption explained:

TLS combines two kinds of cryptography:

Asymmetric (public-key) cryptography: a key pair in which the public key can be handed to anyone while the private key never leaves its owner. The handshake uses it in two ways. The server signs the handshake with the private key behind its certificate, which is how the client authenticates it. And the two sides run an ephemeral Diffie-Hellman exchange, each contributing a public value and keeping a private one, to agree on a shared secret that only they can compute. Older TLS versions also allowed the client to encrypt a secret directly to the server's RSA public key; TLS 1.3 removed that mode because it has no forward secrecy (a server key stolen later would decrypt every recorded past session).

Symmetric encryption: once the session keys are derived, both sides use the same key with a fast authenticated cipher such as AES-GCM or ChaCha20-Poly1305 to encrypt and integrity-protect every record. Symmetric operations are orders of magnitude faster than public-key ones, which is why asymmetric cryptography is confined to the handshake and all application data is carried under symmetric keys.
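To make the key-exchange and encryption steps above concrete, here is an added example (my own code, not from the article) that runs both sides of a simplified TLS 1.3 exchange in one Go process using only the standard library: X25519 key shares stand in for the hello messages, the shared secret and a transcript hash go through HKDF-Expand-Label to an AES-128-GCM key and IV, and one record is encrypted by the client, decrypted by the server, then altered in transit to show the integrity check firing. It is deliberately shortened: the hello messages are reduced to the key shares, there is no certificate or signature step, and the key schedule skips the early/handshake/master secret chain of the real protocol. The function names and the "c hs traffic" label reuse are my choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hkdfExpand is RFC 5869 HKDF-Expand over SHA-256, limited to one hash block
// (32 bytes) of output, which covers every key this example derives.
func hkdfExpand(prk, info []byte, length int) []byte {
	m := hmac.New(sha256.New, prk)
	m.Write(info)
	m.Write([]byte{1})
	return m.Sum(nil)[:length]
}

// expandLabel is HKDF-Expand-Label (RFC 8446 section 7.1): label and transcript
// hash go into the HKDF info, tying each key to its purpose and to the handshake.
func expandLabel(secret []byte, label string, context []byte, length int) []byte {
	full := "tls13 " + label
	info := make([]byte, 2)
	binary.BigEndian.PutUint16(info, uint16(length))
	info = append(info, byte(len(full)))
	info = append(info, full...)
	info = append(info, byte(len(context)))
	return hkdfExpand(secret, append(info, context...), length)
}

// trafficKeys is what each side runs after the hellos: X25519 with its own
// private key and the peer's public share, then HKDF from the shared secret and
// the transcript hash to an AES-128-GCM key and IV. (Simplified key schedule.)
func trafficKeys(priv *ecdh.PrivateKey, peerShare, transcript []byte) (key, iv []byte, err error) {
	pub, err := ecdh.X25519().NewPublicKey(peerShare)
	if err != nil {
		return nil, nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	extract := hmac.New(sha256.New, make([]byte, 32)) // HKDF-Extract, zero salt
	extract.Write(shared)
	th := sha256.Sum256(transcript)
	secret := expandLabel(extract.Sum(nil), "c hs traffic", th[:], 32)
	return expandLabel(secret, "key", nil, 16), expandLabel(secret, "iv", nil, 12), nil
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // 16-byte key from the derivation above: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// handshakeDemo runs client and server in one process: ephemeral key pairs, the
// public shares as hellos, independent key derivation on each side, one
// encrypted record client->server, then the same record altered in transit.
func handshakeDemo(msg []byte) (recovered []byte, tamperDetected bool, err error) {
	client, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	server, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	// Only the public shares cross the wire; the private keys never leave each side.
	clientHello, serverHello := client.PublicKey().Bytes(), server.PublicKey().Bytes()
	transcript := append(append([]byte{}, clientHello...), serverHello...)
	cKey, cIV, err := trafficKeys(client, serverHello, transcript)
	if err != nil {
		return nil, false, err
	}
	sKey, sIV, err := trafficKeys(server, clientHello, transcript)
	if err != nil {
		return nil, false, err
	}
	// Record #0: TLS XORs the record sequence number into the IV, and 0 leaves it unchanged.
	record := newGCM(cKey).Seal(nil, cIV, msg, nil)
	if recovered, err = newGCM(sKey).Open(nil, sIV, record, nil); err != nil {
		return nil, false, err // also fails if the two sides derived different keys
	}
	tampered := append([]byte{}, record...)
	tampered[0] ^= 0x01 // one flipped bit in transit: the GCM tag no longer verifies
	_, tamperErr := newGCM(sKey).Open(nil, sIV, tampered, nil)
	return recovered, tamperErr != nil, nil
}

func main() {
	out, tamper, err := handshakeDemo([]byte("GET / HTTP/1.1"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("server decrypted %q; tampered record rejected: %v\n", out, tamper)
}
```

Two things worth noticing when you run it: the server never receives the client's key, only its public share, yet both trafficKeys calls produce identical bytes; and a single flipped bit in the ciphertext makes Open return an error rather than garbled plaintext, which is the "cannot be changed by attackers" property from earlier in the article.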

TLS certificates

A TLS certificate is a signed data structure (an X.509 certificate) that the server presents during the handshake. It binds a public key to the domain name(s) the server is entitled to serve (and, for organization-validated certificates, to an organization name), and it carries the signature of the Certificate Authority that issued it. When a client accepts the certificate, it has established two things: a CA it trusts vouched for that name-to-key binding, and the server proved possession of the matching private key, so the data the client sends is going to the holder of that key and not to someone in the middle. How much the CA actually verified depends on the certificate type: most certificates issued today are domain-validated, meaning the CA checked only that the applicant controls the domain, not who they are.
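As an added example (not from the article), here is the certificate check from the client's side in Go using the standard library's crypto/x509. It builds a throwaway root CA and a 90-day certificate for example.com entirely in memory (the CA name, serial numbers and validity periods are arbitrary choices for the demo, and example.com is used only because it is a reserved example domain), then verifies that certificate under a correct hostname, a wrong hostname, a time after expiry, and an empty trust store, classifying each failure the way a browser would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with parentKey and parses the result. Passing the same
// certificate as template and parent produces a self-signed root.
func issue(template, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newTestPKI builds a throwaway root CA and a 90-day server certificate it has
// issued for serverName. Everything lives in memory; this is not a real CA.
func newTestPKI(serverName string) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if root, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // browsers match the SAN list, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = issue(leafTmpl, root, &leafKey.PublicKey, caKey)
	return root, leaf, err
}

// verifyServerCert applies the three checks a browser makes on a presented
// certificate (trusted chain, validity period, name match) and reports the
// outcome as a short verdict.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var hostErr x509.HostnameError
	var invalidErr x509.CertificateInvalidError
	var unknownErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknownErr):
		return "untrusted-ca"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	root, leaf, err := newTestPKI("example.com")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("right host, trusted root: ", verifyServerCert(leaf, trusted, "example.com", time.Now()))
	fmt.Println("wrong host:               ", verifyServerCert(leaf, trusted, "evil.example", time.Now()))
	fmt.Println("after expiry:             ", verifyServerCert(leaf, trusted, "example.com", leaf.NotAfter.Add(time.Hour)))
	fmt.Println("root not in trust store:  ", verifyServerCert(leaf, x509.NewCertPool(), "example.com", time.Now()))
}
```

The "untrusted-ca" case is the one an attacker on the path runs into: they can generate a certificate that says example.com, but no root in the client's trust store signed it, so Verify rejects it before any data is sent. The same call path is what a real client library walks on every connection, which is why a server that serves an expired certificate or one issued for the wrong name produces a hard error rather than a warning.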

TLS Vs SSL: What is the difference?

Many people use SSL and TLS interchangeably. But they are not the same thing.

What are the main differences between SSL and TLS?

Feature     | SSL        | TLS
Status      | Deprecated | Current standard
Security    | Insecure   | More secure
Performance | Slower     | Faster
Usage       | Obsolete   | Nearly universal

Most of the web relies on the current standard, TLS, but the certificate is still commonly referred to as an SSL certificate.

Common TLS Versions

There are several versions of TLS, and which ones a site accepts depends on its server configuration.

TLS 1.0 & TLS 1.1 were formally deprecated in 2021 (RFC 8996) and should be disabled; current browsers no longer negotiate them.
TLS 1.2 is the minimum for current web browsing, but many servers still leave older versions enabled alongside it when they should not.
TLS 1.3 is the latest version and should be the preferred version on any secure website. It completes the handshake in one round trip instead of two, always provides forward secrecy, and drops the legacy algorithms (RSA key exchange, RC4, CBC-mode ciphers, SHA-1 signatures) behind many of the attacks on earlier versions.

What is HTTPS?

HTTPS is simply HTTP running over TLS. Hypertext Transfer Protocol Secure (HTTPS) encrypts communications between your web browser and the website you are visiting.

If you visit https://yourwebsite.com, the connection between your computer and the website's server is protected by TLS. Without TLS the same website would be served over plain HTTP, and everything exchanged (pages, form submissions, cookies) would travel unencrypted, readable and modifiable by anyone on the path.

Attacks TLS helps to prevent:

MITM attacks-An attacker positioned between your computer and a web server (on the same Wi-Fi network, for example) tries to impersonate the server to you and relay the traffic. TLS defeats this through the certificate check: the attacker cannot present a certificate for the site's domain that chains to a trusted CA, so your browser refuses the connection instead of handing over data.
Data tampering-An attacker alters information during transmission so you receive the wrong details. Every TLS record carries an authentication tag, so any modification is detected and the connection is torn down rather than delivering altered data.
Credential theft-Login details sent over plain HTTP can be read by anyone on the path. Over TLS they are encrypted between your browser and the server.
Session hijacking-If an attacker obtains your session cookie or token they can act as you. TLS keeps those values from being read off the wire; the cookie should also carry the Secure flag so the browser never sends it over plain HTTP.

How to check if a website is using TLS:

You can tell if a website is using TLS by checking whether the URL starts with "https://". Most browsers also show a small padlock icon in the address bar, and clicking it shows who issued the certificate and which names it covers. Be clear about what the padlock does and does not mean: it confirms the connection is encrypted to the server named in the URL, not that the site itself is honest. Phishing sites obtain valid certificates as easily as anyone else, so check the domain name, not just the padlock.

Best Practices for websites:

Enable TLS 1.3, and keep TLS 1.2 enabled only for the clients that still need it.
Disable TLS 1.0/1.1 and every SSL version entirely.
Obtain your certificate from a trusted, publicly audited Certificate Authority; never put a self-signed certificate on a public site.
Automate issuance and renewal (ACME is the usual mechanism) so the certificate cannot silently expire.
Monitor the certificate and the configuration regularly: alert on approaching expiry, and re-scan after any server change to confirm no weak versions or cipher suites have crept back in.

Final words

TLS is a crucial element of secure online communication, and it plays a vital role in protecting sensitive data exchanged between users and websites. Understanding its purpose, operation, and importance is essential for both users and website owners to ensure a safe and trustworthy internet experience.