You often read about SSL certificates and how important they are for your site, but did you know that they are already history? They were replaced by TLS a long time ago. So, should you use TLS encryption for your site? Let’s see.
What is TLS?
TLS stands for Transport Layer Security, and it is one of the most popular security protocols. It serves to encrypt data, authenticate it and guarantee its integrity.
The main purpose of TLS is to secure the two-way communication between a client on one side and a server on the other.
TLS is the protocol that completely replaced the SSL (Secure Sockets Layer) protocol. It’s been a long time since the SSL protocol was safe enough, but people are still searching for it, so you will keep hearing the name for some years to come.
Hosting companies offer “SSL certificates”, but what they are actually offering are TLS certificates.
SSL was deprecated in 2015 and replaced with its natural progression, TLS. The newer version, 1.3, has better encryption, is faster, and fixes multiple vulnerabilities. TLS originally started as SSL 3.1, but the name was changed on purpose to make it clear that it was not related to the previous developer, Netscape.
What does TLS do?
TLS does three things: encryption, authentication, and integrity.
- Encryption. It uses a combination of two keys – private for signing and public for decryption. The goal is to have all the communication encrypted so nobody except the right entity can read it.
- Authentication. It also checks the two sides of the communication and authenticates that they are truly those who should be communicating. It lowers the risk of a man-in-the-middle attack, in which an attacker pretends to be one of the parties and steals the information or redirects the traffic.
- Integrity. TLS also serves to prove that nobody modified the data from the communication on the way. Modified data could be very dangerous.
How does TLS work?
Let’s make a breakdown of the Transport Layer Security process:
- The client sends a “Hello” message, stating which protocol and version will be used for the communication (TLS 1.0, 1.1, 1.3).
- The server sends a “ServerHello” message, agreeing on the encryption method. It sends the cryptographic algorithm agreement, the ID of the session, the digital certificate of the server, and its public key.
- A check of the server for authenticity. The client will contact the certificate authority to verify the server. At this point, the client will check if the server is really who it says it is.
- Now it is time for the client key exchange. It will send a shared secret key that was previously encrypted with the server’s public key.
- Then the client confirms with the first “finished” message, which was signed with the secret key.
- The server also needs to finish with another message.
- Now the two sides, client and server, can have a symmetrically encrypted communication with the shared secret key.
When do we use Transport Layer Security?
We use TLS, with its handshake, in communication such as:
- VoIP telephony for calls over the Internet.
- Email communication for securing the message.
- Messaging like Messenger, WhatsApp, Viber, etc., as well as other chat applications.
- Safe communication on a website, especially e-commerce sites where personal data and bank data are at risk.
- Secure access to a remote host.
TLS is an encryption method that we can use to secure our communication. It is easy to use and works better than the previous SSL protocol.