
SSL and TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that
secure communication over a network. Their main goals are to provide confidentiality and
integrity for data in transit and to authenticate the server (and, optionally, the client). SSL was
the first protocol designed for this purpose and TLS is its successor. Every SSL version is now
considered obsolete and insecure (SSL 3.0, the last one, was formally deprecated by RFC 7568),
and TLS 1.0 and 1.1 have been deprecated as well (RFC 8996), so modern browsers such as
Chrome or Firefox only negotiate TLS 1.2 or TLS 1.3.

SSL and TLS are commonly used by web browsers to protect connections between the browser and
a web server. Many other TCP-based protocols use TLS as well, including email (SMTP, POP3,
IMAP), instant messaging (XMPP), FTP, VoIP signalling (SIP), VPNs, and others. Typically, when
a service uses a secure connection the letter S is appended to the protocol name, for example,
HTTPS, SMTPS, FTPS, SIPS; some protocols instead upgrade an existing plaintext connection
with a STARTTLS command. Many server-side implementations are built on the OpenSSL library,
but it is far from the only one: browsers and most language runtimes ship their own TLS stacks.

SSL and TLS are frameworks rather than single algorithms. A connection uses a cipher suite that
combines a key-exchange method (today ephemeral Diffie–Hellman, usually over elliptic curves;
historically also RSA key transport), an authentication method (an RSA or ECDSA signature made
with the key in the server's certificate), a symmetric cipher for the data (for example AES-GCM or
ChaCha20-Poly1305) and a hash function. The parties agree on the cipher suite during the
handshake: the client offers the list of suites it supports and the server picks one. The latest
TLS version (TLS 1.3) is specified in the IETF (Internet Engineering Task Force) document
RFC 8446; it removed RSA key transport and static Diffie–Hellman, so every TLS 1.3 connection
has forward secrecy. The last SSL version (SSL 3.0) was documented after the fact in RFC 6101,
which the IETF published as a Historic document.

Privacy & Integrity

SSL/TLS protocols allow the connection between two endpoints (typically a client and a server)
to be encrypted and authenticated. Encryption keeps a third party from reading the data, and the
message authentication built into every TLS record (a MAC in older cipher suites, an AEAD cipher
in TLS 1.3) lets the receiver detect any tampering. Unencrypted communication can expose
sensitive data such as user names, passwords, credit card numbers, and more. If we use an
unencrypted connection and a third party intercepts our connection with the server, they can see
all information exchanged in plain text. For example, if we access the website administration
panel without SSL/TLS, an attacker who is sniffing local network traffic sees the complete HTTP
request: the request line, the Host header, and the Cookie header carrying our session identifier.

The cookie that we use to authenticate on our website is sent in plain text and anyone who
intercepts the connection can see it. The attacker can use this information to log into our website
administration panel, and from then on the attacker's options expand dramatically. However, if
we access our website using SSL/TLS, the attacker who is sniffing traffic sees something quite
different: TLS record headers, the handshake messages (which carry the name of the server we
connect to, but no credentials) and, after the handshake, records whose contents are ciphertext.
The cookie and everything else in the HTTP request are useless to the attacker. What TLS does
not hide is metadata: the server name in the ClientHello, the sizes and timing of records, and the
IP addresses of the two endpoints.
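To make the sniffer's two views concrete, here is an added example in Go (not code from the original article): it pulls the session cookie out of a constructed plaintext HTTP request, then parses a constructed TLS record carrying a ClientHello the way a passive observer can, recovering only the server name (SNI) from the unencrypted handshake header and nothing else. The host name admin.example.test, the cookie value and the request bytes are all made up for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample: the request a browser sends to the admin panel over plain HTTP.
var plainHTTPRequest = []byte("GET /admin/ HTTP/1.1\r\n" +
	"Host: admin.example.test\r\n" +
	"Cookie: PHPSESSID=3c8f2e9b1d7a4f0e; remember=1\r\n\r\n")

// cookieFromHTTP is all a sniffer needs to do with a plaintext request: find the Cookie header.
func cookieFromHTTP(req []byte) (string, bool) {
	headers, _, _ := bytes.Cut(req, []byte("\r\n\r\n")) // the blank line ends the headers
	for _, line := range bytes.Split(headers, []byte("\r\n")) {
		if k, v, ok := bytes.Cut(line, []byte(":")); ok && bytes.EqualFold(bytes.TrimSpace(k), []byte("Cookie")) {
			return string(bytes.TrimSpace(v)), true
		}
	}
	return "", false
}

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello wraps a minimal ClientHello (one cipher suite, one extension: server_name) in a TLS record.
func buildClientHello(host string) []byte {
	name := append([]byte{0}, append(u16(len(host)), host...)...) // ServerName: host_name(0), length, bytes
	sni := append(u16(len(name)), name...)                        // ServerNameList
	ext := append(append(u16(0), u16(len(sni))...), sni...)       // extension_type server_name(0), length, data
	body := append([]byte{3, 3}, make([]byte, 32)...)             // legacy_version 1.2, client random (zeroed here)
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)                // empty session_id; TLS_AES_128_GCM_SHA256; null compression
	body = append(append(body, u16(len(ext))...), ext...)         // extensions vector
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...) // client_hello(1), 24-bit length
	return append(append([]byte{22, 3, 1}, u16(len(hs))...), hs...)            // record: handshake(22), version 3.1, length
}

var errMalformed = errors.New("truncated or malformed ClientHello")

// cursor reads captured bytes; a short read panics, and the parser turns the panic into errMalformed.
type cursor struct{ b []byte }

func (c *cursor) take(n int) []byte {
	if n < 0 || len(c.b) < n {
		panic(errMalformed)
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

// vec16 reads a TLS vector prefixed by a 2-byte big-endian length.
func (c *cursor) vec16() []byte { return c.take(int(binary.BigEndian.Uint16(c.take(2)))) }

// sniFromRecord is the passive observer's view: record and handshake headers are plaintext, and
// the only name it can recover is the SNI host. Everything after the handshake is ciphertext.
func sniFromRecord(rec []byte) (sni string, err error) {
	defer func() { // any short read or bad length inside the parser surfaces as errMalformed
		if recover() != nil {
			sni, err = "", errMalformed
		}
	}()
	c := &cursor{rec}
	hdr := c.take(5) // content type (1), protocol version (2), length (2)
	if hdr[0] != 22 {
		return "", errors.New("not a TLS handshake record")
	}
	hs := c.take(int(binary.BigEndian.Uint16(hdr[3:5])))
	if len(hs) < 4 || hs[0] != 1 {
		return "", errors.New("not a ClientHello")
	}
	c = &cursor{hs[4:]}       // skip handshake type and 24-bit length
	c.take(34)                // legacy_version + random
	c.take(int(c.take(1)[0])) // legacy_session_id
	c.vec16()                 // cipher_suites
	c.take(int(c.take(1)[0])) // compression_methods
	c = &cursor{c.vec16()}    // extensions
	for len(c.b) > 0 {
		typ, data := binary.BigEndian.Uint16(c.take(2)), c.vec16()
		if typ == 0 { // server_name
			e := &cursor{(&cursor{data}).vec16()} // ServerNameList
			for len(e.b) > 0 {
				nameType, name := e.take(1)[0], e.vec16()
				if nameType == 0 { // host_name
					return string(name), nil
				}
			}
		}
	}
	return "", errors.New("no server_name extension")
}

func main() {
	cookie, _ := cookieFromHTTP(plainHTTPRequest)
	sni, err := sniFromRecord(buildClientHello("admin.example.test"))
	fmt.Printf("plain HTTP leaks the cookie: %q\nTLS leaks only the SNI: %q (err=%v)\n", cookie, sni, err)
}
```

Run it with go run: the same kind of capture that gives up the cookie over HTTP gives up only a host name under TLS. The parser deliberately touches only the plaintext parts of the handshake; once the handshake is done every record is ciphertext under the negotiated keys, so a sniffer is left with record lengths, timing and the SNI, which is exactly the metadata TLS does not hide.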

Identification

SSL/TLS protocols use public-key cryptography. Besides encryption, this technology is also used
to authenticate the communicating parties, so that one or both parties know exactly who they are
communicating with. This is crucial for applications such as online transactions, because we must
be sure that we are transferring money to the person or company we think we are dealing with.

When a secure connection is established, the server sends its SSL/TLS certificate to the client.
The client then validates the certificate: it checks that the certificate chains to a Certificate
Authority (CA) in its trust store, that the name in the certificate matches the host it asked for,
that the certificate is within its validity period and has not been revoked, and, as part of the
handshake, that the server actually holds the private key belonging to the certificate. A
certificate an attacker issues himself will not chain to a trusted CA, and without the server's
private key the attacker cannot complete the handshake as that server. The guarantee is only as
strong as the checks, though: custom TLS code that disables certificate or host-name verification,
a compromised server key, or a CA that mis-issues a certificate all break it, which is why the
client must perform every check rather than trusting the mere presence of a certificate.

TLS Is the Modern Encryption Standard (SSL is Older)

In a nutshell: TLS is the protocol everyone uses these days. SSL is antiquated. When people
say SSL, they almost always mean TLS!

SSL/TLS Means “Secure Sockets Layer” and “Transport Layer Security”

Transport Layer Security and Secure Sockets Layer (SSL) are both network protocols that allow
data to be transferred privately and securely between a web server and a web browser.

Technically, TLS consists of two parts:

1. The TLS handshake layer negotiates which cipher suite (key exchange, authentication, symmetric
cipher and hash) will be used, authenticates the server (using a certificate issued for your domain
name) and optionally the client, and performs the key exchange. In modern TLS the shared keys
come from an ephemeral Diffie–Hellman exchange, and the certificate's key pair signs that
exchange rather than encrypting the keys; RSA key transport, where the client encrypted the secret
to the certificate's public key, was removed in TLS 1.3 because it offers no forward secrecy. The
full handshake is performed once per connection; resumed connections use a shorter handshake.
2. The TLS record layer takes data from the application, splits it into records of at most 16 KiB,
encrypts and authenticates each record with the negotiated keys, and hands it to the transport
layer (TCP). The receiving side reverses these steps and delivers the plaintext to its application.
TLS establishes an encrypted, bidirectional tunnel for arbitrary data between two hosts. It is most
often used underneath other Internet protocols such as HTTP (HTTPS), FTP (FTPS) and email
(SMTPS, IMAPS, POP3S, or plaintext sessions upgraded with STARTTLS). SSH is not one of them:
it is a separate protocol with its own cryptographic design and does not use TLS.

In the Internet Protocol Suite (TCP/IP), TLS sits between TCP and the application protocol; both
of its layers, handshake and record, live above the transport layer.

In 1999 the IETF published TLS 1.0 as RFC 2246, the standardized successor to SSL 3.0. The
protocol was largely SSL 3.0 with modifications; the new name signalled that it was now
developed as an open standard by the IETF, free for all, rather than controlled by Netscape, the
company that created SSL.

HTTP vs. HTTPS

HTTPS is the HTTP protocol carried over a TLS connection (RFC 2818). HTTP takes care of all
the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and
verifying the identity of the server host using a certificate.

More and more web servers are also going HTTPS-only, not just for security reasons, but for
other practical arguments:

• Browsers restrict certain features (e.g., geolocation and service workers) to secure contexts,
which in practice means HTTPS, and Chrome and Firefox flag plain HTTP pages as not secure.
So, the browser community is pushing for HTTPS as the standard.
• Users expect a trust- and safety-indicating URL bar (e.g., the padlock icon) without any security
warnings, especially on eCommerce sites and other sites with privacy-sensitive data.

Google has stated that HTTPS is a ranking signal in its search results, albeit a lightweight one.

Pros and Cons

Benefits abound for those using encryption to protect their site’s (and customers’) sensitive data.
This is especially true of eCommerce and healthcare-related sites.

Pros: SSL/TLS Security

Your site's traffic benefits from TLS security in two ways:

1. It prevents intruders from tampering with the communication between your website and web
browsers. Intruders can be malicious attackers or less overtly hostile intermediaries such as ISPs
or hotel networks that inject ads into pages. Sensitive data, such as the user's login credentials,
credit card details, and email contents, must never be revealed over the network.
2. It prevents intruders from passively listening to communications with your server. Passive
eavesdropping leaves no trace on either endpoint, which is what makes it so hard to detect, and
it is a growing threat.

The importance of these pros can’t be overstated — especially for eCommerce sites that depend
on getting and retaining user trust for sales.

Cons: SSL/TLS “Handshake”

As great as it sounds, TLS has a few drawbacks:

1. TLS adds latency to connection setup: a full TLS 1.3 handshake costs one extra round trip
before the first byte of application data (a TLS 1.2 handshake costs two), while resumed TLS 1.3
sessions can send application data in the client's first flight.
2. The handshake is comparatively resource-intensive. It uses asymmetric cryptography (an
ephemeral Diffie–Hellman exchange plus a signature with the certificate's key) to establish the
session keys, after which the client and server switch to much faster symmetric encryption for
the rest of the connection.
3. TLS adds complexity to your server management. You will need to get a certificate installed
on your web server, keep its private key protected, and renew the certificate before it expires.
Nowadays, automated tools for domain-validated certificate management (the ACME protocol
used by Let's Encrypt and other CAs) remove most of the manual work.
4. MaxCDN found a 5ms latency when testing encrypted connections compared to unencrypted
connections. Tests showed a peak increase in CPU usage of about 2% as well. However, “even
with dozens of parallel requests and hundreds of sequential requests, CPU usage never
exceeded 5%.”

As for the performance of the whole connection, MaxCDN concluded: “Encryption does add a
step in the initial connection process. The overhead for ongoing connections is negligible when
compared to unencrypted connections.”

With HTTP/2 (RFC 7540), the cost of setting up a TLS connection matters less, because one
connection is reused for many parallel requests (multiplexing) instead of the handshake being
paid on each of the several connections a browser opened for HTTP/1.1. HTTP/2 does not make
the TLS handshake itself faster; TLS 1.3 did that, by cutting the full handshake to a single round
trip.

Additionally, although the HTTP/2 standard itself does not require the use of encryption, the
major browsers (Firefox, Chrome, Safari, Opera, IE, Edge) only support HTTP/2 over TLS, which
makes encryption de facto mandatory.
