Contact Us Today 01642 716680

TLS

Definition: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. TLS provides encrypted communication between web applications and servers, preventing eavesdropping, tampering, and message forgery.

TLS is the successor to Secure Sockets Layer (SSL) and works by using a combination of symmetric and asymmetric cryptography to secure a connection between two machines, typically a server and a client. During the TLS handshake process, the protocols agree on the encryption standards to be used, authenticate the server (and optionally the client), and establish a secure channel over which to communicate.

The protocol is crucial in protecting sensitive data transfers, such as credit card transactions, emails, and personal information, ensuring that hackers and cyber criminals cannot easily intercept or modify the data in transit. As a fundamental security measure, TLS is employed by the vast majority of secure websites, as indicated by the HTTPS (HyperText Transfer Protocol Secure) in web addresses.

Here is an example of a scan using the sslscan tool on the sencode.co.uk website. In this case, the website is configured to only use TLS v1.2 and 1.3. Which as of writing are considered secure. It’s also notable that the supported server ciphers do not contain any insecure CBC ciphers.

Testing SSL server sencode.co.uk on port 443 using SNI name sencode.co.uk

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits

Key Characteristics:

  • Encryption: TLS provides encryption for data in transit, making it unreadable to eavesdroppers.
  • Authentication: Uses certificates to verify the server’s identity and, optionally, the client’s identity.
  • Integrity: Ensures that data is not altered or corrupted during transmission.
  • Handshake Protocol: Establishes the connection’s properties before the actual data exchange begins.

Examples:

  • Real-World Example: A user shopping online enters their payment details on a checkout page. TLS encrypts this information, protecting it as it travels from their browser to the merchant’s server.
  • Hypothetical Scenario: An individual securely logs into their online medical records portal with TLS encryption, guaranteeing that their confidential health information remains private during transmission.

Related Terms:

  • SSL (Secure Sockets Layer): The predecessor to TLS, is also a protocol for encrypting Internet traffic.
  • HTTPS (HyperText Transfer Protocol Secure): An extension of HTTP secured with TLS for secure communication over a computer network.
  • Public Key Infrastructure (PKI): A system for the creation, storage, and distribution of digital certificates that are used to verify that a particular public key belongs to a certain entity.

Learn better by watching a video? Here is a YouTube video explaining the concept by the wonderful Computerphile.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.

      Looking for reliable Penetration Testing? Use the contact form below and request a quote today.