TLS is the successor to Secure Sockets Layer (SSL) and works by using a combination of symmetric and asymmetric cryptography to secure a connection between two machines, typically a server and a client. During the TLS handshake process, the protocols agree on the encryption standards to be used, authenticate the server (and optionally the client), and establish a secure channel over which to communicate.
The protocol is crucial in protecting sensitive data transfers, such as credit card transactions, emails, and personal information, ensuring that hackers and cyber criminals cannot easily intercept or modify the data in transit. As a fundamental security measure, TLS is employed by the vast majority of secure websites, as indicated by the HTTPS (HyperText Transfer Protocol Secure) in web addresses.
Here is an example of a scan using the sslscan tool on the sencode.co.uk website. In this case, the website is configured to only use TLS v1.2 and 1.3. Which as of writing are considered secure. It’s also notable that the supported server ciphers do not contain any insecure CBC ciphers.
Testing SSL server sencode.co.uk on port 443 using SNI name sencode.co.uk SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 disabled TLSv1.1 disabled TLSv1.2 enabled TLSv1.3 enabled TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Session renegotiation not supported TLS Compression: Compression disabled Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
- Encryption: TLS provides encryption for data in transit, making it unreadable to eavesdroppers.
- Authentication: Uses certificates to verify the server’s identity and, optionally, the client’s identity.
- Integrity: Ensures that data is not altered or corrupted during transmission.
- Handshake Protocol: Establishes the connection’s properties before the actual data exchange begins.
- Real-World Example: A user shopping online enters their payment details on a checkout page. TLS encrypts this information, protecting it as it travels from their browser to the merchant’s server.
- Hypothetical Scenario: An individual securely logs into their online medical records portal with TLS encryption, guaranteeing that their confidential health information remains private during transmission.
- SSL (Secure Sockets Layer): The predecessor to TLS, is also a protocol for encrypting Internet traffic.
- HTTPS (HyperText Transfer Protocol Secure): An extension of HTTP secured with TLS for secure communication over a computer network.
- Public Key Infrastructure (PKI): A system for the creation, storage, and distribution of digital certificates that are used to verify that a particular public key belongs to a certain entity.
Learn better by watching a video? Here is a YouTube video explaining the concept by the wonderful Computerphile.