Date First Published: 26th June 2022
Subtopic: Security Mechanisms & Technologies
Difficulty Level: 6/10
Learn more about what TLS is in this article.
Stands for Transport Layer Security. TLS is a security protocol used to enable secure transmission of data over a network. It accomplishes this by translating sent data from plaintext into ciphertext. If any third party intercepts the sent data, all they will be able to see is a mix of random characters, numbers, and symbols, which is almost impossible to decrypt.
Whilst TLS is mostly used to encrypt data that is transmitted over the World Wide Web and enables HTTPS over port 443, it is also used to encrypt other communications, such as email, file transferring and VoIP. For example, Secure File Transfer Protocol (SFTP), a protocol that uses secure shell encryption to provide security when sending files uses TLS.
The aim of TLS is to protect web applications against data breaches and to ensure that data can only be seen by the intended recipient. Most websites use TLS encryption, even if they do not have any pages where users enter sensitive information and it is becoming a much more common practice. Most modern web browsers are making non-HTTPS sites clearer to visitors and may display a 'not secure' warning in the address bar. Never enter any sensitive information on sites that do not use the padlock.
TLS also provides additional features, such as:
Websites that are secured by TLS can be identified in the URL. If it starts with https://, it means that it is secured as the extra ‘s’ in HTTP stands for secure. If it is http://, it only uses regular HTTP with no encryption.
A TLS certificate, also known as an SSL certificate must be installed on the origin server in order for a website or application to use TLS. A TLS certificate is issued by a certificate authority to the owner of a domain name, which contains details about the certificate, such as the private key, validity period, the signature hash algorithm, and more.
TLS connections are performed using a TLS handshake. Whenever a connection is established that uses TLS to encrypt data, the TLS handshake starts between the client and the server. During the TLS handshake, the client and the server:
Even though TLS is useful for securing data sent through protocols, it does have a number of disadvantages. These include:
The first version of TLS was introduced in 1999 by the IETF. It came from a previous encryption protocol called SSL which was developed by Netscape. The name of the protocol was changed to indicate a change of ownership. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0 and the successor to SSL. Because SSL and TLS are so closely related, it is common to refer to TLS as SSL/TLS.
In April 2006, TLS 1.1 was defined in RFC 4346 as an update from TLS Version 1.0. This version added protection against cipher-block chaining attacks and support for IANA registration of parameters. Around 2020, support for TLS 1.0 and 1.1 was deprecated and most web servers and mail servers use TLS 1.2 or TLS 1.3. This version along with TLS 1.0 was backwards compatible with SSL.
In August 2008, TLS 1.2 was defined in RFC 5246. This version replaced the MD5-SHA-1 combination in the finished message hash with SHA-256 and added enhancements in the client’s and server’s ability to specify which hashes and signature algorithms they accept. TLS Extensions definition and AES cipher suites were added. This version also dropped backwards compatibility with SSL.
In August 2018, TLS 1.3 was defined in RFC 8446. This version drops support for MD5 and SHA-224 cryptographic hash functions, weak elliptic curves, and less secure features, such as compression, renegotiation, and non-PFS key exchange. It also adds support for the sending of multiple OCSP responses.
If so, it is important that you tell me as soon as possible on this page.