What Is Transport Layer Security & How Does It Work?
Transport layer security (TLS) is a protocol established by the Internet Engineering Task Force (IETF) in 1999. TLS is used to protect many activities, including email, voicemail messages, and voice over IP. But the protocol is typically discussed in terms of web browsing.
What Is Transport Layer Security?
Agreements drive the internet. Your device must make contact with another, and they must decide how they interact and behave. Those rules are protocols, and TLS is one of them.
The TLS protocol has three main functions:
- Identify. Ensure that people are connecting with valid partners.
- Protect. Shield data in transit from third parties.
- Verify. Ensure that data hasn't been adjusted during transit.
TLS is concerned with privacy, and that's a big issue for most connected companies. For example, Anthem lost the records of 80 million current and former members because hackers tapped into servers and found information that wasn't encrypted. Since the hackers could read the files, they stole them.
Any time you connect with a server, you exchange information. You might:
- Offer your username and password.
- Fill in your mailing address.
- Tap in your banking details.
- Provide your Social Security number.
Hackers would love to get any of these pieces. TLS blocks their common strategies, such as:
- Swapping. TLS protocols ensure that you're connecting with a verified server, not an imposter.
- Reading. Encrypted data is gibberish and worthless until it's decoded.
- Changing. Verification ensures hackers can't alter critical details as you communicate.
TLS protocols outline how your device and the server accomplish these goals.
How Does TLS Work?
Encryption protects data as it passes from one place to the next. But public-key encryption, the kind that lets two strangers agree on a secret, is computationally expensive. If servers had to scramble every byte that way and prove their identity on every request, your browsing experience would slow to a crawl. TLS avoids this by using public-key operations only during a short handshake, then switching to faster symmetric session keys for the rest of the connection.
A handshake kicks off the TLS process. Your browser and the destination server:
- Agree. They define which TLS version they'll use during their connection.
- Choose. A so-called "cipher suite" defines how data will be encrypted. The parties agree on those terms.
- Authenticate. The browser requests and verifies a security certificate from the destination server.
- Complete. After negotiations, the two parties exchange session keys and begin transferring data.
Your browser and the destination site need time to complete this process. Unfortunately, web visitors are impatient. For example, about half of all mobile users will click away from sites that take more than three seconds to load.
Newer versions of TLS need fewer round trips to complete the handshake, so connecting is quick.
What Makes TLS Different?
Plenty of security protocols exist, and it's easy to confuse one for another. Terminology doesn't help, as some people use protocol names interchangeably.
Consider TLS and SSL. The secure sockets layer (SSL) protocol is a precursor to TLS. Taher Elgamal created SSL while he worked at Netscape, and decades later, he told reporters that he remained proud of his work and the security it offered.
Developers used SSL for years, and they became accustomed to the acronym. Some seemed resistant to dropping it. For example, the security certificates parties exchange during the TLS process are called "SSL certificates."
TLS and SSL are not used together. They are both security protocols, but TLS replaced SSL, and the SSL versions are now deprecated.
TLS is also confused with HTTPS. If you've seen bloggers claim, for example, that a website "uses TLS instead of HTTPS" because its address starts with "https," you've encountered this confusion.
HTTPS is HTTP carried over a TLS connection. The two are complementary, and they both work to enhance security. But they're not the same protocol, and they aren't competitors.
TLS Changes Version by Version
Developers continue to tinker with TLS as they look for new and better ways to protect information.
TLS versions include:
- TLS 1.0. Described by RFC 2246 in the late 1990s, the protocol is based on SSL 3.0 as crafted by Netscape. The authors say the differences between the two are "not dramatic," but TLS offered stronger security than SSL.
- TLS 1.1. Released by IETF in 2006, this version strengthens security and patches known flaws.
- TLS 1.2. Released by IETF in 2008, this version is even stronger, and some companies continue to use it today.
- TLS 1.3. Released in 2017, this version is the latest available from IETF.
In 2018, modern browsers stopped supporting early versions of TLS. The weaknesses of those versions were well documented, attackers knew how to exploit them, and data sent over them could no longer be considered secure, so vendors wanted to push companies to embrace newer protocols.
Sites still using old versions now greet visitors with a warning that says, "This site is not secure."
Should You Use the TLS Protocol?
If you don't use the TLS protocol, others can read sensitive information in transit. All of your usernames, passwords, credit card information, and more are at risk as they pass from your device to the server and back.
If you're interested in protecting your website visitors, using TLS protocols seems both reasonable and straightforward. But TLS does come with a few flaws.
TLS has long been associated with so-called "man in the middle" attacks in which an attacker sits between a server and a device. Typically, that means the attacker tampers with the handshake and forces the two parties to agree on a weaker version of TLS (a downgrade). With that complete, the attacker can exploit vulnerabilities in the older version and take over the conversation.
Newer TLS versions include protection against this kind of maneuver and are considered safe today, but researchers and attackers alike keep studying the protocol closely, and it's likely they will look for new ways to break it.
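An added example (not part of the original article) modelling the "Agree" step of the handshake described above and the downgrade protection that TLS 1.3 adds to it: a server that supports TLS 1.3 but ends up negotiating an older version stamps a fixed sentinel into the last 8 bytes of its ServerHello.random (RFC 8446, section 4.1.3), so a client that offered TLS 1.3 can tell a tampered ClientHello from a server that simply lacks 1.3. The version constants and sentinel bytes are the real wire values; the function names and the toy message format are assumptions.

```python
import os

# Wire values of the protocol versions (as in the RFCs).
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}

# Last 8 bytes of ServerHello.random when a TLS 1.3-capable server
# negotiates TLS 1.2, or TLS 1.1 and below (RFC 8446 section 4.1.3).
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD" + 0x01
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD" + 0x00

def server_hello(offered, server_max=TLS13, server_min=TLS12):
    """Server side of 'Agree': pick the highest version both sides support.
    A TLS 1.3 server stamps the sentinel into its random if it ends up
    choosing an older version. Returns (chosen_version, 32-byte random)."""
    common = [v for v in offered if server_min <= v <= server_max]
    if not common:
        raise ValueError("no common protocol version")
    chosen = max(common)
    random = os.urandom(32)
    if server_max >= TLS13 and chosen <= TLS12:
        tail = DOWNGRADE_TLS12 if chosen == TLS12 else DOWNGRADE_TLS11
        random = random[:24] + tail
    return chosen, random

def client_check(offered, chosen, random):
    """Client side: accept the ServerHello only if the chosen version was
    offered and, when TLS 1.3 was offered, only if the random carries no
    sentinel (a sentinel means the server could do 1.3, so the client's
    offer must have been altered in flight)."""
    if chosen not in offered:
        return False, "server chose a version the client never offered"
    if TLS13 in offered and chosen <= TLS12 and \
            random[24:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        return False, "downgrade detected: sentinel in ServerHello.random"
    return True, f"negotiated {NAMES[chosen]}"

def negotiate(client_offer, on_wire=None):
    """Run one 'Agree' step. `on_wire` is the offer list as the server
    receives it; pass a modified list to model an on-path downgrade."""
    chosen, random = server_hello(on_wire if on_wire is not None else client_offer)
    return client_check(client_offer, chosen, random)

if __name__ == "__main__":
    print(negotiate([TLS12, TLS13]))                    # honest: TLS 1.3
    print(negotiate([TLS12, TLS13], on_wire=[TLS12]))   # stripped: detected
    print(negotiate([TLS12]))                           # 1.2-only client: fine
```

The third case shows why the sentinel matters: a client that never offered TLS 1.3 legitimately gets TLS 1.2, so the check must be tied to what the client itself sent.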
How to Implement TLS
Getting started with TLS is relatively easy. You will need a certificate (still commonly called an "SSL certificate") issued by a trusted certificate authority.
Typically, web hosting companies handle these issues for you. They also remind you to renew the certificate periodically. If the certificate expires, browsers will no longer treat your site as secure.
With your certificate in place, you're ready to begin protecting data. Find out how asymmetric encryption, part of the TLS protocol, works in this blog post.
References
Anthem's Stolen Customer Data Not Encrypted. (February 2015). CNET.
It's Time to Upgrade to TLS 1.3 Already, Says CDN Engineer. (June 2017). CSO.
Google: 53 Percent of Mobile Users Abandon Sites that Take Over 3 Seconds to Load. (September 2016). Marketing Dive.
Inventor: SSL Not to Blame for Security Woes. (May 2009). CNET.
The TLS Protocol, Version 1.0. (January 1999). Internet Engineering Task Force.
Browsers to Block Access to HTTPS Sites Using TLS 1.0 and 1.1 Starting This Month. (March 2020). ZD Net.
TLS Basics. The Internet Society.
Encrypted Traffic Reaches a New Threshold. (November 2018). Network Computing.