SSL and TLS Protocols: What are they?
Whether you’ve just had a penetration test or vulnerability scan, or have heard these three-letter acronyms bandied around at work or read about them online, you’re bound to have come across the terms at some stage over the last few years.
But what are they? And are they important? Do you need to install them, or do they just work? This article is going to answer all these questions.
But first, let’s find out how this all came about. Way back when the internet was still relatively new, one of the dominant companies at the time, Netscape, realised that the internet needed security, especially for online payments, which were rare at the time and needed to be protected. Upon realising this, Netscape developed the first iteration of online security, namely SSL. The first version of SSL had more issues than it resolved, and Netscape shortly released SSL version 2. This version was released way back in 1995.
SSL did its job for many years; however, as more and more online trading started and privacy became more paramount, something had to be done. This is where TLS came in: in essence a more up-to-date version of SSL with more features, released in 2006.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the main security protocols used between a web browser and a web server. Once a connection has been successfully established, these protocols secure the communication between both endpoints.
When you are using your browser and you visit a website and you are using the prefix of ‘HTTPS://’ and you see a padlock sign next to the website address, this tells you that there is a secure connection between the browser and website and that communication is encrypted.
However, you also need to be careful: just because a padlock is visible, it may not be all that it seems. Malicious websites can also use SSL/TLS, which can fool unsuspecting users into handing over money or sensitive information.
Recent versions of web browsers now inform you of any websites which are not secure. This is done by placing a ‘Not secure’ sign in place of the padlock sign. So, when you are paying for something or submitting sensitive information, always look out to see whether there is a secured connection and a padlock displayed.
You may be thinking, are SSL and TLS solely used between a web browser and website? The answer to this is no: they can be used between any type of endpoint, as long as both support the industry standards. For example, you can use SSL/TLS for email, VoIP, FTP, remote access and many other protocols which can be found on the internet.
Why is SSL/TLS important?
As you have read in this article, SSL and TLS were initially created to help protect information when being submitted or browsed across the internet. Without these additional security protocols, anyone could potentially view and intercept traffic that was not intended for them.
By using secure protocols, and making them an industry standard that everyone needs to use, it is helping to ensure that your information is protected. From entering payment information to submitting your personal information, all sites should ensure that communication is encrypted.
These security protocols protect the confidentiality, integrity and authenticity of information. This means that if you have a trusted, established connection between two endpoints, the information being sent should be correct. However, if you send the same information over untrusted connections, it is possible for it to be manipulated or intercepted.
Evolution of the protocols
As we briefly touched on, SSL was the first attempt at encrypting and securing information between a device and a web server, but as the years went on, TLS took over. It is now recommended that you disable SSL altogether and rely upon TLS, version 1.2 or above. This is because there are now known security vulnerabilities and weaknesses in both SSL and the earlier versions of TLS.
If you work with PCI DSS, it has been deemed that TLS 1.0 is to be considered obsolete and insecure within all business operations. Recent web browsers will also attempt to utilise TLS 1.2 or above if it is accepted, only falling back to lower versions if the more recent versions fail to establish a valid connection.
You can disable SSL and older versions of TLS within Windows (both server and client) by using several registry entries. We have a YouTube video which walks you through the process, which can be found here: https://www.youtube.com/watch?v=oh2gfGYoytw
For web servers that run Nginx, you can get information via https://www.digicert.com/kb/ssl-support/nginx-disabling-ssl-v3.htm
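The following Python check is an added example, not code from this article or the linked guide: it scans Nginx configuration text for ssl_protocols directives and flags any that still enable SSL or TLS versions below 1.2. The sample configuration is constructed, and the check assumes each directive sits on a single line and does not follow include files.

```python
import re

# Protocol names accepted by nginx's ssl_protocols directive that the article
# says to turn off: SSL entirely, and TLS below version 1.2.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]*);")

def audit_ssl_protocols(conf_text):
    """Return (line number, enabled protocols, legacy protocols) per directive."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments, including commented-out directives
        match = DIRECTIVE.match(line)
        if not match:
            continue
        enabled = match.group(1).split()
        findings.append((lineno, enabled, [p for p in enabled if p in LEGACY]))
    return findings

def report(conf_text):
    """Turn the findings into one human-readable line per directive."""
    findings = audit_ssl_protocols(conf_text)
    if not findings:
        return ["no ssl_protocols directive: the nginx build's default applies"]
    out = []
    for lineno, enabled, legacy in findings:
        if legacy:
            out.append(f"line {lineno}: remove {' '.join(legacy)}")
        elif not any(p in ("TLSv1.2", "TLSv1.3") for p in enabled):
            out.append(f"line {lineno}: no TLS 1.2+ protocol enabled")
        else:
            out.append(f"line {lineno}: ok ({' '.join(enabled)})")
    return out

# Constructed sample configuration, not taken from the article.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy clients
}
server {
    listen 443 ssl;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

A configuration with no ssl_protocols directive is reported separately, because the protocols in use then depend on the installed Nginx version's default.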
Hopefully this article gives you some insight as to what SSL and TLS are, why they are good for the internet and what to look out for. Unfortunately, as discussed, even though a site may have a padlock and ‘HTTPS://’ in the address, it may not be what it looks like, so always be vigilant and check that the site you are going to is the one you want.