WHAT IS SSL & TLS?
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic security protocols used to secure network communication. Their primary objectives are data integrity and communication privacy. SSL was the first protocol built for this purpose, and TLS is its successor. SSL is now considered obsolete and unsafe (even in its most recent version), so contemporary browsers such as Chrome and Firefox use TLS instead.
Web browsers often utilize SSL and TLS to secure connections between web apps and web servers. TLS/SSL is also used by many other TCP-based protocols, such as email (SMTP/POP3), instant messaging (XMPP), FTP, VoIP, VPN, and others. When a service employs a secure connection, the letter S is usually attached to the protocol name, such as HTTPS, SMTPS, FTPS, or SIPS. The OpenSSL library is used in the majority of SSL/TLS implementations.
SSL and TLS are frameworks that employ a wide range of cryptographic techniques, including RSA and several Diffie–Hellman algorithms. During the initial contact, the parties agree on the algorithm to use. The most recent TLS version (TLS 1.3) is described in the IETF document RFC 8446, while the most recent SSL version (SSL 3.0) is described in the IETF document RFC 6101.
What Is the Difference Between TLS and SSL?
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are both cryptographic protocols that encrypt data and authenticate connections when transporting data over the Internet.
For example, if you accept credit card payments on your website, TLS and SSL can assist you in securely processing that data so that hostile actors cannot gain access to it.
The difference between TLS and SSL is that TLS is simply a more current version of SSL. It addresses several security flaws in the earlier SSL protocols.
Before delving into the technicalities, it’s vital to grasp the fundamentals of SSL and TLS.
SSL 2.0 was originally made available in February 1995 (SSL 1.0 was never publicly released because of security flaws). Although SSL 2.0 was made public, it had security issues and was swiftly superseded by SSL 3.0 in 1996.
The initial version of TLS (1.0) was introduced in 1999 as an update to SSL 3.0. There have been three further TLS releases since then, the most recent being TLS 1.3 in August 2018.
Both public SSL versions have been deprecated and contain known security issues at this time (more on this later).
Here is a complete list of SSL and TLS releases:
SSL 1.0 – never made public owing to security concerns.
SSL 2.0 – introduced in 1995, deprecated in 2011. There are known security problems.
SSL 3.0 – introduced in 1996, deprecated in 2015. There are known security problems.
TLS 1.0 – introduced in 1999 as a replacement for SSL 3.0. Planned deprecation in 2020.
TLS 1.1 – introduced in 2006. Planned deprecation in 2020.
TLS 1.2 – introduced in 2008.
TLS 1.3 – introduced in 2018.
How Do TLS and SSL Protect Data?
Here’s a high-level overview of how SSL and TLS function.
When you install an SSL/TLS certificate on your web server (often called an “SSL certificate”), it comes with a public key and a private key that authenticate your server and allow it to encrypt and decrypt data.
When a visitor comes to your website, their web browser requests your SSL/TLS certificate. The browser then performs a “handshake” to validate your certificate and verify your server. If the SSL certificate is not genuine, your users may get the “your connection is not private” error, causing them to leave your website.
When a visitor’s browser detects that your certificate is legitimate and authenticates your server, it establishes an encrypted link between itself and your server to securely transmit data.
This is also where HTTPS (HTTP over SSL/TLS) comes into play.
HTTP, and more recently HTTP/2, are application protocols that are critical for transporting data across the Internet.
That information is subject to attacks when transmitted through plain HTTP. However, when you use HTTP over SSL or TLS (HTTPS), you encrypt and authenticate the data as it is being transmitted, making it secure.
This is why you can safely handle credit card information over HTTPS but not over HTTP, and why Google Chrome is promoting HTTPS usage so aggressively.