TLS/SSL Overview
Introduction
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both protocols used to secure internet communication. SSL was the original, but it has largely been replaced by TLS due to security improvements.
By creating a secure, protected "tunnel" across the Internet, they encrypt data to keep it private and secure while it's being transmitted between a client (like a web browser) and a server (like a website). TLS is the newer (SSL renamed by the IETF), more secure version that's widely used today. The two terms are often used interchangeably.
HTTPS - HTTP secured by SSL/TLS
SSL VPN for private corporate network
SSL VPN via public VPN provider
The purpose of SSL/TLS is to protect the data that can be captured.
Confidentiality - data accessible only by client and server - Encryption
Integrity - data is not modified between client and server - Hashing
Authentication - client/server are who they say they are - PKI
The data put on the wire is still passing through someone else's network.
Anti-Replay - prevents attackers from reusing intercepted data to gain unauthorized access. It is provided by sequence numbers built into the integrity and authentication mechanism.
Non-Repudiation - ensures parties can't deny their involvement in a transaction or communication.
The key players of the SSL/TLS ecosystem are:
Client - entity initiating the TLS handshake, e.g. web browser, apps, IoT, etc.
optionally authenticated at the SSL layer (rarely provides a certificate)
Server - entity receiving the TLS handshake, e.g. web server, etc.
always authenticated (the user has to know what server he is talking to)
Certificate Authority (CA) - governing entity that issues digital certificates to servers
trusted by client and server
provides Trust Anchor - if the client trusts the CA, it can trust what the CA trusts
TLS/SSL Versions
Security must be balanced with Accessibility, based on the use case.
SSL v3.0, a complete redesign of SSL v2.0, is the foundation of the TLS versions that followed (TLS 1.0, 1.1, 1.2). It was declared insecure as of Oct 2014 due to the POODLE attack.
TLS v1.0
protocol ownership transferred to the IETF
almost identical to SSL v3.0
Vulnerability: BEAST attack on CBC ciphers
protocol deprecated in March 2021
TLS v1.1
deprecated EXPORT grade ciphers
protection against CBC attacks
protocol deprecated in March 2021
TLS v1.2
improved security of key generation
support for AEAD ciphers (Authenticated Encryption with Associated Data)
secure, recommended
TLS v1.3
major changes from prior TLS/SSL versions, favors security and simplicity
shortened handshake
forward secrecy required
0-RTT resumption
AEAD ciphers required
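The version notes above, applied to Python's standard ssl module, as an added example that is not part of the original page: audit() flags a protocol floor below TLS 1.2, non-AEAD suites and suites without forward secrecy, and harden() applies the corrected settings. The function names, the cipher string and the legacy sample context are assumptions constructed for this illustration.

```python
import ssl

# Assumed policy for this example: ECDHE key exchange with AEAD bulk ciphers only.
HARDENED_SUITES = "ECDHE+AESGCM:ECDHE+CHACHA20"
# Key-exchange labels that give forward secrecy; TLS 1.3 suites report "kx-any".
FS_PREFIXES = ("kx-ecdhe", "kx-dhe", "kx-any")


def audit(ctx):
    """Return (issue, detail) tuples for settings the version notes call out."""
    findings = []
    # SSL 3.0, TLS 1.0 and TLS 1.1 all sort below TLS 1.2 in ssl.TLSVersion.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("deprecated-protocol-floor", ctx.minimum_version.name))
    for suite in ctx.get_ciphers():
        if not suite.get("aead"):
            findings.append(("non-aead-cipher", suite["name"]))
        if not suite.get("kea", "").startswith(FS_PREFIXES):
            findings.append(("no-forward-secrecy", suite["name"]))
    return findings


def harden(ctx):
    """Refuse SSL 3.0, TLS 1.0 and TLS 1.1; keep only forward-secret AEAD suites."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() only governs TLS 1.2 and below; TLS 1.3 suites stay enabled
    # and are AEAD with ephemeral key exchange by design.
    ctx.set_ciphers(HARDENED_SUITES)
    return ctx


def legacy_context():
    """Constructed 'before' sample: no protocol floor, one static-RSA CBC suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("AES128-SHA256")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()),
                       ("hardened", harden(legacy_context()))):
        print(label, audit(ctx) or "no findings")
```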