What is SSL?
by Iwan Price-Evans on Security • March 1, 2022
When standard HTTP is used to submit data across the public Internet, all of that data is sent in plain text. This makes the data vulnerable: an eavesdropper anywhere on the Internet path can listen in as the data is transferred and steal the information.
This is why HTTPS, or Hypertext Transfer Protocol Secure, was developed. HTTPS is HTTP with a security feature added, and that feature is called SSL, or Secure Sockets Layer.
SSL 2.0 was created by Netscape and published in 1995. In 1996 a complete redesign of the protocol was published as SSL version 3.0. In 1999 TLS version 1.0 was defined as an upgrade of SSL version 3.0.
SSL encrypts HTTP data, securing everything transferred over the Internet between client devices and servers.
HTTPS makes the transferred data unreadable to anyone listening in; it does this by using encryption algorithms to scramble the data before it is sent.
"SSL/TLS encryption" is the term commonly used to refer to secure HTTP, or HTTPS, but in fact SSL has been replaced by TLS.
What is TLS?
SSL is the predecessor of TLS. TLS stands for Transport Layer Security. This is a cryptographic protocol that provides secure communication over a computer network.
TLS 1.0 was developed to replace SSL. TLS 1.1 was published in 2006, TLS 1.2 in 2008, and TLS 1.3, with major improvements, in 2018.
TLS is used widely on the web. All HTTPS websites are secured with TLS, and HTTPS is often referred to as HTTP over TLS. Email and file transfers are secured by TLS in the same way: email uses the SMTPS protocol, also known as SMTP over TLS, and file transfers use FTPS, also known as FTP over TLS.
Is SSL still supported?
TLS 1.2 and TLS 1.3 are now the only supported versions; all previous SSL and TLS versions have been deprecated because of known vulnerabilities.
What is an SSL certificate?
For a website to apply SSL/TLS encryption it must have an SSL certificate, which is actually a TLS certificate. The certificate, which is stored on the web server, acts as an ID card to prove that the website is genuine and not fake.
Each certificate contains the website's public key, which serves as its unique identifier. A visitor's device uses the public key to establish a secure connection with the web server. The web server holds a matching private key that it keeps secret. Data the visitor encrypts with the public key can only be decrypted by the web server, using its private key.
SSL / TLS configurations have a grading system that allows organizations to measure and improve their security. The grades are alphabetical, ranging from F to A+, and measure the quality of the security configuration.
An A+ grade is given when the server configuration is determined to be exceptional; F is given when the server is determined to be vulnerable. Certificates that fail the grading, or are untrusted, can be graded N/A (no rating at all), M (the server doesn't use encryption), or T (the certificate can't be trusted).
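The two points above, that deprecated SSL/TLS versions must not be negotiated and that a certificate is only useful if the client actually verifies it, can be checked on the client side. The following is an added example, not code from the article; it uses only Python's standard `ssl` module. The function names (`hardened_client_context`, `legacy_client_context`, `audit_context`, `negotiated_version`) and the finding strings are my own; `negotiated_version` needs network access and is only invoked when a host name is passed on the command line.

```python
"""Added example: a TLS client policy that refuses deprecated protocol versions
and insists on certificate verification (Python standard library only)."""
import socket
import ssl
import sys


def hardened_client_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2 or 1.3 and verifies the server."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context still found in old scripts: no verification, low floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, including a forged one
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # deprecated floor, if the build allows it
    except ValueError:
        pass                         # OpenSSL compiled without TLS 1.0: floor stays as built
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy violations found in a client context (empty list means compliant)."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol floor below TLS 1.2: deprecated SSL/TLS versions allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate subject is not matched against the host name")
    return findings


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect under the hardened policy and report (protocol version, cipher suite)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Offline part: audit both contexts.
    for name, ctx in (("hardened", hardened_client_context()),
                      ("legacy", legacy_client_context())):
        print(f"{name}: {audit_context(ctx) or ['OK']}")
    # Optional online part: python3 tls_policy.py www.example.com
    if len(sys.argv) > 1:
        print(negotiated_version(sys.argv[1]))
```

Against a server that still offers only TLS 1.0 or 1.1, the hardened context fails the handshake instead of silently downgrading, which is exactly the behaviour the deprecation calls for; the legacy context would connect to it, and to an impostor presenting any certificate at all.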
Why is SSL / TLS important?
SSL / TLS gives us three things:
- Authentication - verifying the identity of the communicating parties, normally clients and servers, using asymmetric cryptography. TLS ensures that users reach a genuine website and not a fake one.
- Confidentiality - TLS protects the exchanged data from unauthorized access by securing it with symmetric encryption algorithms.
- Integrity - TLS detects any alteration of data during transmission by checking the message authentication code.
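To make the three guarantees concrete, and to show the public-key/private-key exchange described in the certificate section, here is an added example that is not part of the article. It uses only the Python standard library: authentication is an RSA signature checked with the server's public key, the session key travels to the server encrypted under that public key, confidentiality is a symmetric keystream cipher keyed by the shared session key, and integrity is an HMAC tag checked before anything is decrypted. The RSA is unpadded textbook RSA on two Mersenne primes and the cipher is SHA-256 in counter mode; both are for illustration, not production cryptography. All function names (`rsa_keypair`, `protect`, `unprotect`, `run_session`, and so on) and the inputs are my own constructions.

```python
"""Added example: TLS's three guarantees with textbook primitives (stdlib only).
Authentication  - RSA signature checked against the server's public key
Confidentiality - symmetric keystream cipher keyed by the shared session key
Integrity       - HMAC tag checked before any record is decrypted
Illustration only: unpadded RSA on Mersenne primes, SHA-256 counter-mode cipher."""
import hashlib
import hmac
import os

# --- Authentication: an asymmetric key pair owned by the server ----------------
P, Q = 2 ** 61 - 1, 2 ** 89 - 1            # Mersenne primes; tiny by RSA standards

def rsa_keypair(p=P, q=Q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # private exponent (Python 3.8+)
    return (n, e), (n, d)                  # (public key, private key)

def rsa_encrypt(pub, m: int) -> int:       # anyone holding the public key can do this ...
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> int:      # ... but only the private key holder can undo it
    n, d = priv
    return pow(c, d, n)

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

# --- Confidentiality: a symmetric cipher both sides key with the session key ---
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream encrypts; the same call with the same key decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

# --- Integrity: a MAC over every record, verified before decryption ------------
def derive_keys(session_key: bytes):
    # Separate encryption and MAC keys from one session secret (simplified KDF).
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def protect(session_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(session_key)
    nonce = os.urandom(12)
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unprotect(session_key: bytes, record: bytes) -> bytes:
    enc_key, mac_key = derive_keys(session_key)
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: record was altered in transit")
    return xor_stream(enc_key, nonce, ct)

# --- A simplified client/server session tying the three together ---------------
def run_session(server_name: bytes, message: bytes) -> dict:
    server_pub, server_priv = rsa_keypair()
    _impostor_pub, impostor_priv = rsa_keypair(p=2 ** 31 - 1)   # a different key pair
    # 1. Authentication: only the holder of server_priv can sign for server_pub.
    authenticated = rsa_verify(server_pub, server_name, rsa_sign(server_priv, server_name))
    impostor_rejected = not rsa_verify(server_pub, server_name,
                                       rsa_sign(impostor_priv, server_name))
    # 2. Key exchange: the client picks a session key and sends it under the public key.
    session_key = os.urandom(16)
    server_copy = rsa_decrypt(server_priv,
                              rsa_encrypt(server_pub, int.from_bytes(session_key, "big")))
    server_session_key = server_copy.to_bytes(16, "big")
    # 3. Confidentiality and integrity: every record is encrypted and MACed.
    record = protect(session_key, message)
    received = unprotect(server_session_key, record)
    # 4. Flip one ciphertext bit on the wire: the MAC check rejects the record.
    tampered = bytearray(record)
    tampered[12] ^= 0x01
    try:
        unprotect(server_session_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"authenticated": authenticated, "impostor_rejected": impostor_rejected,
            "received": received, "ciphertext_hides_message": record[12:-32] != message,
            "tamper_detected": tamper_detected}

if __name__ == "__main__":
    print(run_session(b"www.example.com", b"GET /login HTTP/1.1"))
```

The ordering inside `unprotect` is the design point worth copying: the MAC is verified before any decryption, so an altered record is rejected without the receiver ever acting on attacker-controlled plaintext. Real TLS replaces each toy piece with a vetted primitive (padded or signature-based key exchange, AEAD ciphers such as AES-GCM) but keeps the same three roles.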
When should you use SSL / TLS?
Websites must use SSL / TLS to secure online transactions and communications from potential interception. It's vital to protect data transmissions such as:
- Ecommerce transactions
- Banking payments or transfers
- Secure email or chat message communication
- File transfers such as large file uploads and downloads
- System logins
- Technical system access such as database connections and system administration.