
What Is TLS?


Date First Published: 26th June 2022

Topic: Cybersecurity

Subtopic: Security Mechanisms & Technologies

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 6/10

Learn more about what TLS is in this article.

Stands for Transport Layer Security. TLS is a cryptographic protocol used to secure data transmitted over a network. It does this by encrypting data before it is sent, turning readable plaintext into ciphertext. A third party who intercepts the traffic sees only the ciphertext, which cannot be turned back into plaintext without the session keys; with the ciphers used by current TLS versions, recovering those keys from the ciphertext alone is computationally infeasible.

Whilst TLS is mostly used to encrypt traffic on the World Wide Web, where it underpins HTTPS on port 443, it is also used to protect other communications, such as email (SMTP with STARTTLS, IMAPS and POP3S), file transfer and VoIP signalling. For example, FTPS is FTP run over TLS. Note that SFTP is a different protocol: it runs over Secure Shell (SSH) and does not use TLS at all, although both protect files in transit.

The aim of TLS is to protect data in transit so that it can only be read by the intended recipient, shielding web applications from eavesdropping and tampering on the network. Most websites now use TLS even if they have no pages where users enter sensitive information, and this has become standard practice. Modern web browsers flag non-HTTPS sites clearly and display a 'Not secure' warning in the address bar. Never enter sensitive information on a site that does not show the padlock. Bear in mind that the padlock only means the connection to the named server is encrypted and the certificate is valid for that domain; it says nothing about whether the site itself is trustworthy.

TLS also provides additional features, such as:

  • Authentication – Verifies the identity of the server (and optionally the client, in mutual TLS) so that the client knows it is talking to the party named in the certificate rather than an impostor.
  • Integrity – Verifies that data has not been modified or tampered with during transmission; any altered record is detected and rejected.
Note: Websites that are secured by TLS can be identified from the URL. If it starts with https://, the connection is secured, as the extra 's' in HTTPS stands for secure. If it starts with http://, the site uses plain HTTP with no encryption.

How Does TLS Work?

A TLS certificate, also known as an SSL certificate, must be installed on the origin server for a website or application to use TLS. A TLS certificate is issued by a certificate authority (CA) to the owner of a domain name. It contains the domain names it is valid for, the server's public key, the validity period, the issuing CA and the signature algorithm, among other details, and is signed by the CA. The matching private key is not part of the certificate: it stays on the server and must never be shared, because anyone who holds it can impersonate the site.

Every TLS connection begins with a TLS handshake. Whenever a client opens a connection that uses TLS, the handshake runs between the client and the server before any application data is sent. During the TLS handshake, the client and the server:

  • Agree which version of TLS to use (the highest version both sides support).
  • Agree a cipher suite for the session, which is a named set of algorithms: the key exchange method, the authentication (signature) method, the bulk encryption cipher and the hash or MAC used to protect the records.
  • Authenticate the server using its TLS certificate: the client checks that the certificate chains to a trusted CA, covers the hostname it asked for and has not expired or been revoked, and the server proves it holds the matching private key.
  • Derive matching session keys over a channel that is still unencrypted. This is done with public-key cryptography; modern cipher suites use an ephemeral Diffie-Hellman exchange, which TLS 1.3 makes mandatory, so an eavesdropper who records every handshake message still cannot compute the keys, and a later theft of the server's private key does not expose past sessions (forward secrecy).
  • Once the handshake completes, protect every record with the agreed cipher suite. Each record is encrypted and carries an authentication tag (a MAC, or the tag of an AEAD cipher such as AES-GCM) that the recipient verifies, so any tampering in transit is detected and the record is rejected. A MAC is not a digital signature: it proves the data came from someone holding the shared session key, not from a particular named party.
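As an added illustration of the handshake described above (example code written for this article, not part of the original page or any TLS library), the following Python script builds a ClientHello, the first message a client sends in the handshake, and parses it back out, showing where the offered TLS versions, the cipher suites and the requested hostname (SNI) actually sit on the wire, and how a server would pick the version. The record bytes are constructed inline; the hostname example.com, the fixed 'random' field and the server-side version lists are assumptions for the example, and the small name tables cover only the identifiers the example uses.

```python
"""Build and parse a TLS ClientHello (wire format from RFC 5246 and RFC 8446).
Added example for this article; the record is constructed locally and the host
name, fixed 'random' bytes and server version lists are assumptions."""
import struct

# Subset of IANA-registered identifiers; only the ones this example uses.
CIPHER_SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                 # TLS 1.3 only
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2, forward secret
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",           # legacy: static RSA, CBC
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(host, cipher_suites, supported_versions):
    """Return a handshake record carrying a ClientHello (constructed sample input)."""
    random = bytes(range(32))            # a real client sends 32 random bytes
    name = host.encode("idna")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    ext_sni = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    versions = b"".join(struct.pack("!H", v) for v in supported_versions)
    ext_versions = (struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions) + 1)
                    + bytes([len(versions)]) + versions)
    extensions = ext_sni + ext_versions
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303)    # legacy_version: TLS 1.2 even for 1.3 clients
            + random
            + b"\x00"                     # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                 # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record header: content type 22 (handshake), legacy record version TLS 1.0, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record; raise ValueError on malformed framing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    if len(record) < 5 + rec_len:
        raise ValueError("truncated record")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length mismatch")
    legacy_version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                           # skip legacy_version and client random
    pos += 1 + body[pos]                   # skip legacy_session_id
    suites_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                   # skip compression methods
    hello = {"legacy_version": legacy_version, "cipher_suites": suites,
             "server_name": None, "supported_versions": []}
    if pos == len(body):
        return hello                       # no extensions: pre-TLS-1.2 style hello
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if pos + ext_len != len(body):
        raise ValueError("extensions length mismatch")
    while pos < len(body):
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            p = 2                           # skip the ServerNameList length
            while p < len(data):
                name_type, name_len = data[p], struct.unpack_from("!H", data, p + 1)[0]
                if name_type == 0:          # host_name, sent in cleartext
                    hello["server_name"] = data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            hello["supported_versions"] = [struct.unpack_from("!H", data, 1 + i)[0]
                                           for i in range(0, data[0], 2)]
    return hello


def select_version(hello, server_versions):
    """Pick the version a server would negotiate, or None if there is no overlap."""
    if hello["supported_versions"]:        # TLS 1.3-aware client: exact list of versions
        common = [v for v in server_versions if v in hello["supported_versions"]]
    else:                                  # older client: legacy_version is a maximum
        common = [v for v in server_versions if v <= hello["legacy_version"]]
    return max(common) if common else None


if __name__ == "__main__":
    record = build_client_hello("example.com", [0x1301, 0xC02F, 0x002F], [0x0304, 0x0303])
    hello = parse_client_hello(record)
    print("SNI:", hello["server_name"], "(visible to anyone on the path)")
    print("Suites:", [CIPHER_SUITE_NAMES.get(s, hex(s)) for s in hello["cipher_suites"]])
    print("Negotiated:", VERSION_NAMES[select_version(hello, (0x0304, 0x0303))])
```

Two points worth noticing when running it: a TLS 1.3 client still puts 0x0303 (TLS 1.2) in the legacy version field and advertises TLS 1.3 only in the supported_versions extension, which is why version selection has to look at the extension first; and the hostname travels in cleartext in the SNI extension, because it is sent before any keys exist, so TLS hides the content of the traffic but not, by itself, which site is being contacted.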

Disadvantages Of TLS

Even though TLS is useful for securing data sent by many protocols, it does have a number of disadvantages. These include:

  • TLS sits above the transport layer (TCP, Layer 4) and below the application protocol it protects, rather than at the network layer (Layer 3) like IPsec. Each client-server connection therefore has to perform its own TLS handshake to gain authentication and encryption, which costs at least one extra round trip (two in TLS 1.2) before application data can flow. Session resumption and the shorter TLS 1.3 handshake reduce this overhead but do not remove it.
  • Because TLS is so widely deployed, it is a prime target for attackers looking for protocol and implementation flaws; weaknesses found in older versions and cipher suites are the reason TLS 1.0, 1.1 and many legacy suites have been retired.
  • Not all applications support TLS.

History and Versions

The first version of TLS was introduced in 1999 by the IETF. It came from a previous encryption protocol called SSL (Secure Sockets Layer), which was developed by Netscape. The name was changed to reflect that the IETF, rather than Netscape, now owned the protocol. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL version 3.0 and the successor to SSL. Because SSL and TLS are so closely related, it is common to refer to TLS as SSL/TLS.

In April 2006, TLS 1.1 was defined in RFC 4346 as an update to TLS 1.0. This version added protection against cipher-block chaining (CBC) attacks by using an explicit initialisation vector for each record, and added support for IANA registration of parameters. Like TLS 1.0, it could still fall back to negotiating SSL with older peers. Both versions were formally deprecated by RFC 8996 in March 2021, and the major browsers had already dropped them around 2020; most web and mail servers now use TLS 1.2 or TLS 1.3.

In August 2008, TLS 1.2 was defined in RFC 5246. This version replaced the MD5/SHA-1 combination in the pseudorandom function and the Finished message hash with SHA-256 (or a hash specified by the cipher suite), let the client and server specify which hashes and signature algorithms they accept, and added authenticated encryption (AEAD) cipher suites such as AES-GCM. The TLS extensions definition and the AES cipher suites, previously separate RFCs, were merged into the specification. RFC 6176, published in March 2011, then prohibited every TLS version from negotiating SSL 2.0, ending backwards compatibility with it.

In August 2018, TLS 1.3 was defined in RFC 8446. This version drops support for the MD5 and SHA-224 hash functions, weak and rarely used elliptic curves, and less secure features such as compression, renegotiation, static RSA key exchange and every other key exchange that does not provide forward secrecy. All TLS 1.3 cipher suites use an AEAD cipher, the handshake completes in one round trip instead of two, and more of the handshake, including the server's certificate, is encrypted. It also adds support for sending multiple OCSP responses.
