Transport Layer Security

As the internet evolved and more sensitive data was exchanged between web applications, securing internet communications became a critical concern. A vital cryptographic protocol that protects data on the modern web is Transport Layer Security (TLS). This article provides an overview of TLS and its benefits, and highlights the key differences between TLS and the older SSL protocol from which it evolved.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol that establishes an encrypted link between a client and a server. Aside from encrypting messages between clients and servers to ensure confidentiality, TLS also provides authentication and integrity, so that communicating parties can verify who they are talking to and detect any alteration of what was sent.

The most noticeable use of TLS in everyday life is when you use a web browser (client application) that communicates with a website (hosted on a server). By communicating with a secure website, people can pay for goods or services without worrying about their info being stolen. Another common example of TLS is when you use an email client application (e.g., Outlook) to communicate securely with an email server.

The TLS protocol initially came into use in 1999 as an upgrade to the related Secure Sockets Layer (SSL) protocol. However, it was only in 2014 that bodies such as the Internet Engineering Steering Group (IESG) and the Internet Architecture Board (IAB) recommended making encryption the norm for internet traffic.

Even in the early days of internet adoption, researchers and those overseeing the architecture of the Internet widely recognised that some categories of information would need added protection while in transit between applications. As digital transformation strategies increased the number of services available online, the amount of sensitive information transmitted over the internet exploded.

Every day, millions of people pay for goods online with payment card details, enter passwords to log in to different apps, and send emails containing sensitive information. Without a technological solution like TLS, all of this information would be exchanged in plain text. An attacker positioned between the communicating parties could read it as it passes (a “man-in-the-middle” (MITM) attack).

How Does TLS Work?

The presence of TLS is familiar to many internet users as the lock symbol in the browser address bar when visiting a website. Most modern web browsers warn people when the site they are visiting doesn’t use TLS, has an out-of-date certificate, or has some other potential security issue.

The fact that modern websites load in the blink of an eye belies the quite complicated cryptographic process that TLS performs to secure the connection. The current version of TLS is 1.3, first released in 2018. Here is a brief summary of how TLS works:

  • A complex routine known as a TLS handshake begins when a client starts communicating with a server (e.g., somebody navigates to a website).
  • The origin server that hosts the webpage or web application has a certificate installed that it uses to prove its identity (authenticate) during the handshake. (The certificate is still commonly called an SSL certificate, probably because the old protocol’s name stuck.)
  • The client and server negotiate the cipher suite to be used for the session. The suite specifies a key exchange algorithm, a bulk encryption algorithm and a message authentication code (MAC). Both sides must support and agree on the same cipher suite; otherwise, the connection terminates.
  • Session keys are then generated by both client and server to encrypt communications for the duration of the session.
  • Any further data exchanged uses a type of encryption known as authenticated encryption with associated data (AEAD) to ensure both confidentiality and integrity.
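To make the first steps of the handshake concrete, here is an added example (my own code, not from the original article): it builds a constructed ClientHello record, parses it the way a server, or a passive network monitor checking for legacy protocol offers, would to see which protocol versions and cipher suites the client proposes, and applies the server's selection rule from the cipher suite step. The names build_client_hello, parse_client_hello, choose_cipher_suite and the lookup tables are mine; note that TLS 1.3 suite names (TLS_AES_...) cover only the AEAD cipher and hash, because TLS 1.3 negotiates key exchange separately.

```python
import struct

# Small subset of IANA cipher suite codes, used to name what a client offers
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}  # last one is legacy, no forward secrecy
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446, section 4.2.1

def build_client_hello(suites, versions=()):
    """Constructed sample ClientHello record (not captured traffic); zero random, empty session id."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # legacy_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if versions:
        vs = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def parse_client_hello(record):
    """Return the protocol versions and cipher suites a ClientHello record offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    versions = [struct.unpack("!H", body[:2])[0]]  # legacy_version; TLS 1.3 overrides below
    pos = 2 + 32 + 1 + body[34]  # skip random and legacy_session_id
    count = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, count, 2)]
    pos += count
    pos += 1 + body[pos]  # skip compression_methods
    if pos < len(body):  # extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:  # 1-byte length, then 2-byte versions
                versions = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
    return {"versions": [VERSION_NAMES.get(v, hex(v)) for v in versions],
            "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites]}

def choose_cipher_suite(server_preference, record):
    """Server side of the cipher suite step: first suite in server order the client also offers, else None."""
    offered = set(parse_client_hello(record)["cipher_suites"])
    return next((s for s in server_preference if s in offered), None)
```

A client that omits the supported_versions extension is reporting only its legacy_version field, which is how a TLS 1.2-or-older client announces itself; a None from choose_cipher_suite is the point at which a real server would abort the handshake.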

TLS vs SSL

One key difference between TLS and its predecessor (SSL 3.0) is the ability to mutually authenticate. In SSL, only the server can authenticate with the client (one-way authentication). But with TLS, it’s possible to authenticate both ways.

Mutual authentication is obviously less user-friendly for ordinary applications because it requires users to install a certificate and then use the relevant app or site only on the device that holds it. That’s why most ordinary apps authenticate the user (client) at the application level through something like username and password credentials, two-factor authentication or multi-factor authentication (MFA).

There are a number of other, smaller differences, the most important being that the cipher suites available in TLS are considered more secure. Because of a number of security flaws, support for the original SSL specifications has been disabled in all modern browsers and replaced by TLS.

Benefits of Using TLS

From company websites to email servers to web applications, implementing TLS provides the following benefits.

Keep Sensitive Data Private

The most important benefit of TLS is that it keeps data in transit over a network private. In a world where the cost of a data breach stretches into millions per incident and stringent compliance regulations govern the protection of personal customer and user information, businesses can’t afford to risk a breach of this information.

TLS keeps data confidential using two types of cryptography. Asymmetric (public key) cryptography is used during the handshake to authenticate the server and establish shared session keys between the two communicating parties, while symmetric encryption with those session keys protects the data in transit for the rest of the session.

Strengthen User Trust

The average visitor to a website or user of a web application is more conscious than ever of the importance of strong cybersecurity practices. Although people still fall prey to malicious websites and give away their sensitive information, user trust is imperative for any business with a web presence.

The prevalence of warnings on modern web browsers about insecure websites makes it imperative to get an SSL certificate and use TLS to secure communications. It’s simply not a good look for any business when a potential client or customer sees a large warning telling them that your site is potentially not secure.

With web applications, it’s harder for users to tell whether or not the app is using encrypted communications. But it’s still obviously important to use TLS on web apps unless you want to risk a data breach from attackers intercepting sensitive user information.

Closing Thoughts

Make sure your business follows the recommended best practices for TLS deployment and you’ll go a long way toward securing data in motion. Remember, though, that sophisticated threat actors have more tools at their disposal than intercepting data packets moving across the internet. Many modern cyberattacks occur in the cloud, on the network, and on your endpoints. That’s why you should take a proactive approach that includes continuous cyber threat monitoring and rapid incident response to deal with today’s threat landscape.