What Is TLS/SSL?
Privacy and security importance are gaining everyday. For this reason, I will try to give information about TLS and SSL with this article.
Before TLS and SSL, let’s talk about the OSI reference model.
The OSI model was developed starting in the late 1970s. OSI reference model is a structure that standardizes communication between two computers. The model partitions the flow of data in a communication system into seven abstraction layers, from the physical implementation of transmitting bits across a communications medium to the highest-level representation of data of a distributed application.
What is SSL (Secure Socket Layer)?
SSL can be defined as a security protocol developed by Netscape, which provides personal privacy and reliability, allows communication between the server and the client to be encrypted for the integrity and confidentiality of information (data protection) during the information transfer on the network, thus ensuring the protection of privacy and integrity. For example, an SSL certificate protects the personal data of your visitors who are subscribed to your website’s newsletter or the credit card information of your customers who shop on your site. In summary, SSL certificate secures your website, allowing you to gain the trust of your visitors.
The strength of the encryption method used in the data stream depends on the key length used. Key length is very important for protecting information. For example; It is extremely easy to decode a transmission over 8 bits. Bit refers to a number of binary counting system. A bit can have 2 different values, either 0 or 1. 8 bits contain only 2⁸ = 256 possible different keys. A computer can reach a conclusion by examining these 256 different possibilities sequentially. 40 bit and 128, 256, 1024 bit encryption are used in SSL protocol. There are 2128 different keys in 128 bit encryption and it takes a great cost and time to decrypt this password. A malicious person must spend 67 years after investing 1 million dollars to crack the 128-bit password. As can be seen from this example, the SSL (Secure Sockets Layer) security system provides complete and precise protection.
The information contained in an SSL certificate is:
- Certificate holder name
- Serial number and expiration date of the certificate
- A copy of the certificate holder’s public key
- Digital signature of the issuing authority
SSL Features
SSL, which encrypts the transactions between the server and internet browser used and prevents malicious use by third parties, is based on a standard algorithm. With the SSL certificate that will be given to you, the https protocol will now be used at the beginning of the website you have. This will mean that you are now providing a reliable service. Other important features of SSL are as follows: It verifies this process by recording the dates and times of the transmitted documents, especially the shopping made on the site, and thus enables the creation of a document archive. Apart from this, it allows the transaction to be made after making sure that the person sending the data and the receiving party are reliable in transactions made over the internet.
How Does SSL Work?
Step 1: The client sends a secure connection request (https) to the server on the computer network that it wants to connect to. This is done over port 443, which is called the SSL port, with the default settings enabled. A different port number may be used depending on the server configuration.
Step 2: Next, the server sends the SSL certificate to the client. The client then checks the validity of this certificate using the online verification services provided by the institution that issued this certificate. In addition, the web browser used during the connection checks the credibility of the institution producing this certificate by comparing it with the institutions predefined in the browser. At this stage, the server shares its public key with the client via its SSL certificate.
Step 3: If all checks are verified, the client sends the single-use connection key (“session key” or “encryption key”) to the server encrypted with the server’s public key.
Step 4: The server decrypts it using its private key and obtains the one-time connection key, establishing a secure SSL connection with the client. Thus, all communication between these two devices continues securely during the connection.
SSL Certificate Types (Based on Verification Type)
- DV (Domain Validation) SSL
They are certificates with a low level of validation, that only validate the server name and are provided in minutes. - OV (Organizational Validation) SSL
It contains the information of the company that owns this domain name depending on the server name and all of this information is checked and verified by the company producing the certificate. The name of the institution, whether the institution is active, whether the applicant works in the institution, whether the application is received by the institution, whether the application is owned or controlled by this institution, and the accuracy of all contact information are individually verified during the production process of such SSL certificates. It is much safer than DV certification. The approval process takes 1–2 days. - EV (Extended Validation) SSL
These are the certificates that have the highest security level and provide the physical, legal and commercial existence of the certified company as well as very comprehensive corporate verification processes. They are the most expensive SSL certificates due to the many and detailed verifications made by certificate manufacturers. With such certificates, if the user connects to a site with an EV SSL certificate on the browser, a green color display that is a trusted site will appear in the address bar. Below is a screenshot of EV SSL.
SSL Certificates by Area of Use (Domain Type)
- Standard SSL Certificates
SSL certificates signed for only 1 domain without subdomains. - Multi Domain SSL Certificates
These are the certificates that allow multiple domains to be signed with a single certificate. In general, multi-domain certificates are delivered to the user with 2 domain options in addition to 1 main domain by default. In other words, these certificates can be used for 3 domains at the first purchase without any extra charge. In addition, the number of domains encrypted with a single certificate can be increased to an average of 100 by purchasing additional domains by paying the fee per domain determined by the certificate provider. - Wildcard SSL Certificates
It is the type of certificate that enables all subdomains of the domain where the certificate is used to be signed. It is installed as * .domain.com. Wildcard SSL certificates do not have a subdomain limit.
What is TLS (Transport Layer Security)?
TLS is a cryptographic protocol that provides end-to-end communications security over networks and is widely used for internet communications and online transactions. It is an IETF standard intended to prevent eavesdropping, tampering and message forgery. Common applications that employ TLS include Web browsers, instant messaging, e-mail and voice over IP.
Many businesses use TLS to secure all communications between their Web servers and browsers regardless of whether sensitive data is being transmitted. TLS’s predecessor, secure socket layer (SSL) was developed by Netscape in 1995. SSL version 1.0 and 2.0 contained many security flaws that prompted a complete redesign of the protocol. In 1996, Netscape released SSL version 3.0 which was the basis for TLS1.0. In 1999, the PCI Council suggested the eventual deprecation of SSL as TLS 1.0 was a significant upgrade to SSL 3.0.
So why has TLS replaced SSL?
- TLS authentication (message authentication) process.
- TLS supports newer and more secure algorithms.
- TLS and SSL cannot work together.
TLS Features
- It provides secure communication between browsers and servers.
- It encrypts the data over the key using the asymmetric cryptography algorithm.
- It is supported by most of the IP protocols such as HTTPS, SMTP, POP3, FTP in data encryption.
In our daily life, we are unaware of VPN connections over the network, VoIP (voice over IP), instant messaging, etc. It enables such operations to be performed securely in web browsers or applications.
TLS Layers;
- TLS Record Protocol
The Transport Layer Security (TLS) Record protocol secures application data using the keys created during the Handshake. The Record Protocol is responsible for securing application data and verifying its integrity and origin. It manages the following:
— Read messages for transmit.
— Fragment messages into manageable chunks of data.
— Compress the data, if compression is required and enabled.
— Calculate a MAC.
— Encrypt the data.
— Transmit the resulting data to the peer.
- TLS Handshake Protocol
The Handshake Protocol performs the authentication of the server and users. Before Handshake Protocol dta communication, encryption algorithms and encryption keys are allowed, while Record Protocol ensures the security of the connection. The TLS Handshake Protocol involves the following steps:
— The client sends a “Client hello” message to the server, along with the client’s random value and supported cipher suites.
— The server responds by sending a “Server hello” message to the client, along with the server’s random value.
— The server sends its certificate to the client for authentication and may request a certificate from the client. The server sends the “Server hello done” message.
— If the server has requested a certificate from the client, the client sends it.
— The client creates a random Pre-Master Secret and encrypts it with the public key from the server’s certificate, sending the encrypted Pre-Master Secret to the server.
— The server receives the Pre-Master Secret. The server and client each generate the Master Secret and session keys based on the Pre-Master Secret.
— The client sends “Change cipher spec” notification to server to indicate that the client will start using the new session keys for hashing and encrypting messages. Client also sends “Client finished” message.
— Server receives “Change cipher spec” and switches its record layer security state to symmetric encryption using the session keys. Server sends “Server finished” message to the client.
— Client and server can now exchange application data over the secured channel they have established. All messages sent from client to server and from server to client are encrypted using session key.
Publication dates of SSL and TLS Protocols
- SSL 1.0 — never publicly disclosed due to security issues.
- SSL 2.0 — released in 1995.
- SSL 3.0 — released in 1996. There are known security issues. It was retired in 2015.
- TLS 1.0 — released in 1999 as an upgrade to SSL 3.0. It plans to be phased out in 2020.
- TLS 1.1 — released in 2006. It plans to be retired in 2020.
- TLS 1.2 — released in 2008.
- TLS 1.3 — released in 2018.
TLS vs. SSL: What Is The Difference?
- SSL
— It was released in 1999.
— SSL, the minor version is 0 and the major version is 3.
— Supports Fortezza (algorithm).
— SSL use HMAC algorithm excepts that the padding bytes concatenation.
— SSL supports 12 various alert codes.
— It is faster than TLS as authentications are not carried out intensively.
— The SSL versions are less secure.
— Ad hoc Message authentication.
— Complex Certificate verification. - TLS
— SSL v2.0 was first released in 1995 and v3.0 in 1996. SSL v1.0 was not released to the public.
— TLS, the minor version is 1 and the major version is 3.
— Does not support Fortezza.
— TLS makes use of the same algorithm the padding bytes concatenation.
— TLS Supports all the alert codes defined in SSL 3 with the exception of no certificate.
— It is little slower due to the two-step communication process i.e. handshaking and actual data transfer.
— TLS v2.0 is susceptible to both BEAST & POODLE attacks and hence it is more secure.
— Standard Message authentication.
— Simple Certificate verify.
To sum up, SSL / TLS a kind of digital security technology that can be encrypted between a website and an internet browser. SSL / TLS is absolutely necessary that payment or user information and passwords will be transmitted.
Thank you for your time, I hope it was useful for you.
