Transport Layer Security (TLS) is a security protocol used to prevent hackers from being able to steal the data you enter into websites. In short, TLS ensures that when you log in to your bank account, your password is protected from uninvited eyes.
Whether you know it or not, you’ve likely encountered TLS at some point during your adventures on the web. For example, anytime you see a lock icon show up in your address bar next to the URL you’re visiting, you’re using a TLS certificate.
But while almost everyone has used TLS at some point, few truly understand their inner workings — or even know that they’ve been using them.
In this article, we’re going to dissect TLS. Here, we’re going to give you a short history of how TLS came to be, how TLS certificates work, what their use cases are, and their pros and cons. By the end, you’ll be one step closer to browsing the web and transmitting data safely.
In the early days of the internet, secure transmission of data was practically non-existent. Unfortunately, this lack of security made online activities and services that we now take for granted, such as ecommerce, online banking, and email borderline impossible without being exposed to cybercriminals.
The good news now is that business security has come a long way, including the security measures of SSL and TLS that we will discuss now. Since the average cost of a cyberattack on small-to-medium sized business is over $2 million, this is not something that can be ignored.
In 1994, the tech industry had come to fully realize the importance of a secure data transfer protocol, and Netscape unveiled Secure Sockets Layer (SSL) 1.0 to fulfill this need. While the first iteration was never officially released due to security flaws, the internet community quickly appreciated the need for such encryption. SSL 2.0 was released in 1995, then followed up by SSL 3.0, the current version, in 1996.
Just three years later in 1999, TLS was released as an upgrade to SSL 3.0, but flew somewhat under the radar until 2011, until the Internet Engineering Task Force (IETF) released a document saying that SSL 2.0 was no longer safe. A few years later, they extended this warning to SSL 3.0, effectively ending SSL’s usage for many applications and ushering in the new era of TLS.
TLS was eventually adopted as the preferred security protocol, and in essence it can be thought of as an evolved version of SSL that provides improved security. In fact, TLS was originally named SSL 3.1, but the name didn’t stick. The current version of TLS is TLS 1.3, which was released in August 2018.
TLS is a security protocol that encrypts the data being transmitted between two parties over the internet. It primarily performs two functions: it protects your data from intrusive eyes, and it verifies who you’re communicating with (that’s where TLS certificates come in).
To provide these services, TLS largely relies on a technology called public key cryptography. It provides two keys to the encrypted data: a public key and a private key. The data can be encrypted using the public key, but it can only be decrypted (i.e., “read”) with the private key. This way, the public key can be distributed publicly so that anyone can send encrypted data, but only the receiver with the private key can decrypt the data.
While TLS is the overarching security protocol, TLS certificates are a bit more specific. Essentially, a TLS certificate is a digital certificate that provides proof that you’re communicating with the server, person, or domain that you think you are. You can think of them as IDs: when you navigate to a website that uses TLS, you’ll ask for its ID (i.e., its TLS certificate). You then have to decide yourself whether you trust the site or not. To do this, validate the certificate through getting a self-signed certificate copy and then verify the electronic certificate with the one that you requested.
TLS certificates are issued by an authority called a Certificate Authority, or CA. When you connect to a website, the CA signs the certificate and verifies that it belongs to the domain name that you’re trying to access. Public key cryptography is employed to verify that the CA did in fact sign the certificate. When the TLS certificate is verified and accepted, it’s called a TLS handshake, just like shaking someone’s hand after you’ve seen their ID.
Although TLS is most commonly used to encrypt the data that’s sent between web servers, that’s not the only way it’s used. TLS is vital to securing many of the services we use each day, such as email and messaging.
Each of the major email providers that focus on security incorporate TLS into their security protocols and require both the sender and receiver to use TLS. If either does not and a secure connection can’t be created, this will send emails over an unsecured connection, leaving them open to hackers.
To ensure that your data is as safe as can be, you’ll need to take further precautions, such as using a virtual private network when connecting to a public wi-fi router. Many of the top VPN providers use TLS as part of their encryption standards, which will make your internet definitely more secure than with unencrypted connections.
Ultimately, even though TLS may not be a totally foolproof technology, it can do much to help boost security overall. There is, however, a risk that utilizing TLS can negatively impact a site’s load times. When TLS is used, more data must be sent back and forth between visitors and the site, which can make it load slower if not configured properly. Both the encryption and handshake processes can cause this issue, but luckily, they can both be optimized to ensure the site loads smoothly.
TLS certificates are an important security technology that has essentially turned into a necessity, and not only for security but also for attracting more visitors to your site or blog. Already major search engines such as Google have announced that they will be rewarding sites that include TLS certifications. As the internet continues to grow, we will likely see new and improved protocols emerge.
Samuel Bocetta is a former security analyst for the DoD, having spent 30-plus years bolstering cyber defenses for the Navy. He is now semi-retired and educates the public about security and privacy technology. Much of his work involved penetration testing Navy ballistic systems. He analyzed networks looking for entry points, then created security-vulnerability assessments based on findings. He also helped plan, manage and execute sophisticated “ethical” hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems.