5 Things You Need to Know About TLS and SSL

Posted by Steve on in Hosting Tips

Online security is paramount to a website’s success. You’ve heard the buzzwords: online privacy, cybercrime, malware, phishing, censorship, DDoS attacks, and so on. These issues periodically pester online users, some more than others, of course.

An essential to shielding yourself and your site against these security vulnerabilities is the end-to-end encryption of the communication data between computers (PC, phone, etc.) and web servers.

We live in an increasingly digitally connected world, where the Transport Layer Security (TLS) network protocol is of the utmost importance to safeguarding folks from digital harm.

The TLS protocol is used by the HTTPS protocol (among others) to encrypt and authenticate the computers involved in any communication on the web.

1. TLS Is the Modern Encryption Standard (SSL is Older)

In a nutshell: TLS is the encryption everyone uses these days. SSL is antiquated. When people say SSL, they mean TLS!

SSL/TLS Means “Secure Sockets Layer” and “Transport Layer Security”

Transport Layer Security and Secure Sockets Layer (SSL) are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.

Technically, TLS consists of two parts:

  1. The TLS handshake layer manages which cipher (the type of encryption algorithm) will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.
  2. The TLS record layer gets data from the user applications, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer.

TLS establishes an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts. TLS is most often used in conjunction with other Internet protocols such as HTTPS, SSH, FTPS, and secure email.

In 1999, TLS replaced the older SSL protocol as the encryption most everyone uses. This change was made mostly to avoid legal issues with the Netscape company, which created SSL, so that the protocol could be developed as an open standard, free for all.

HTTP vs. HTTPS

HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.

More and more web servers are also going HTTPS-only, not just for security reasons, but for other practical arguments:

  • Some browser vendors now require HTTPS for certain browser features (e.g., geo-location). And Google and Firefox intend to phase out non-encrypted HTTP in their browsers. So, the browser community is pushing for HTTPS as the standard.
  • Users expect a trust- and safety-indicating URL bar (e.g., the padlock icon) without any security warnings, especially on eCommerce sites and other sites with privacy-sensitive data.

It may increase your search engine ranking, too, though this has yet to be confirmed by Google.

2. Differences Between the SSL, SSL v3, and TLS Protocols

Several versions of SSL and TLS have been released over the years:

  • 1995: SSL v2 was the first public release of SSL by Netscape.
  • 1996: SSL v3 was a new version that fixed several security design flaws of SSL v2. By 2004, v3 was considered insecure due to the POODLE attack.
  • 1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-compatibility.
  • 2006: TLS v1.1
  • 2008: TLS v1.2 is the current TLS standard and is used in most cases.
  • TLS v1.3 is currently still only a working draft specification.

Most applications, such as browsers, are compatible with some of the older SSL protocol versions, too, although SSL is slowly being phased out in favor of the better TLS security.

3. Pros and Cons

Benefits abound for those using encryption to protect their site’s (and customers’) sensitive data. This is especially true of eCommerce and healthcare-related sites.

Pros: SSL/TLS Security

Your site’s traffic benefits from TLS security in two ways:

  1. Prevent intruders from tampering with the communication between your website and web browsers. Intruders can be malicious attackers or benign invaders like ISPs or hotels that inject ads into pages. Sensitive data, such as the user’s login credentials, credit card details, and email info, must never be revealed over the network.
  2. Prevent intruders from passively listening to communications with your server. This is a somewhat elusive, but growing, security threat (also confirmed by the Snowden leaks).

The importance of these pros can’t be overstated — especially for eCommerce sites that depend on getting and retaining user trust for sales.

Cons: SSL/TLS “Handshake”

As great as it sounds, TLS has a few drawbacks:

  1. TLS will add latency to your site’s traffic.
  2. The handshake is resource-intensive. It uses asymmetric encryption to establish a session key, which then allows the client and server to switch to a faster symmetric encryption.
  3. TLS will add complexity to your server management. You will need to get a certificate installed on your web server and maintain the validity of that certificate. Nowadays, there are automated tools for (domain-validated) certificate management.
  4. MaxCDN found a 5ms latency when testing encrypted connections compared to unencrypted connections. Tests showed a peak increase in CPU usage of about 2% as well. However, “even with dozens of parallel requests and hundreds of sequential requests, CPU usage never exceeded 5%.”

As for the performance of the whole connection, MaxCDN concluded: “Encryption does add a step in the initial connection process. The overhead for ongoing connections is negligible when compared to unencrypted connections.”

With the upcoming HTTP/2 standard, setting up a TLS connection will be significantly faster, due to its parallel design (fewer network round trips required for data exchanges).

Additionally, although the HTTP/2 standard itself does not require the use of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have said they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

4. Types of TLS/SSL Certificates

As of late, the entire web seems to be trending toward HTTPS. Certificates can be requested from Certificate Authorities, of which there are many providers. Read up on the various certificate options available in our article on choosing an SSL certificate, or read on as we briefly cover the three main types below.

Extended Validation (EV)

EV certificates come with the green address bar — a recognized symbol of trust on the Internet. EV certificates are the premier TLS certificates. Sites for which security and consumer trust are essentials, such as large eCommerce sites, should seriously consider an EV cert.

These certificates are, however, the most expensive because an extended organizational verification process is done based on these issuing criteria

ation process is done based on these issuing criteria.

Organization Validation (OV)

OV certificates do not come with the green address bar but activate a number of browser trust indicators. An OV certificate requires a business be verified by the Certificate Authority. The organization’s name will be listed on the certificate, which reinforces the trust.

OVs are used by corporations, governments, and other entities that want to provide an extra layer of confidence to their visitors. OV certificates are especially important for eCommerce websites if an EV certificate is unattainable for whatever reason.

Domain Validation (DV)

DV certificates offer industry-standard encryption (at the same level as the other certificate types), but not much else. Aside from its low (or even free) cost, another benefit of a Domain Validated (DV) certificate is it can be issued in mere minutes because the Certificate Authority only has to validate that you own the domain you wish to secure — which is often an automated process.

5. hostforlifeasp.net Offer FREE SSL/TLS Certificates

Now that you know what is required to secure your site using HTTPS, the TLS certificate options available, and the trust expectations of Internet users, you’re free to start implementing encryption best practices on your own site. We will deliver friendly, security-qualified, and 24/7 customer support, please visit our site directly top get FREE SSL Certificate.

.