What Is Transport Layer Security & How Does It Work?
Transport layer security (TLS) is a protocol established by the Internet Engineering Task Force (IETF) in 1999. TLS is used to protect many activities, including email, voicemail messages, and voice over IP. But the protocol is typically discussed in terms of web browsing.
What Is Transport Layer Security?
Agreements drive the internet. Your device must make contact with another, and they must decide how they interact and behave. Those rules are protocols, and TLS is one of them.
The TLS protocol has three main functions:
- Identify. Ensure that people are connecting with valid partners.
- Protect. Shield data in transit from third parties.
- Verify. Ensure that data hasn't been adjusted during transit.
TLS is concerned with privacy, and that's a big issue for most connected companies. For example, Anthem lost the records of 80 million current and former members because hackers tapped into servers and found information that wasn't encrypted. Since the hackers could read the files, they stole them.
Any time you connect with a server, you exchange information. You might:
- Offer your username and password.
- Fill in your mailing address.
- Tap in your banking details.
- Provide your Social Security number.
Hackers would love to get any of these pieces. TLS blocks their common strategies, such as:
- Swapping. TLS protocols ensure that you're connecting with a verified server, not an imposter.
- Reading. Encrypted data is gibberish and worthless until it's decoded.
- Changing. Verification ensures hackers can't alter critical details as you communicate.
TLS protocols outline how your device and the server accomplish these goals.
How Does TLS Work?
Encryption protects data as it passes from one place to the next. But encryption is both cumbersome and time-consuming. If servers had to scramble everything, and they had to prove their identity from scratch each time, your browsing experience would slow to a crawl. TLS simplifies the process.
A handshake kicks off the TLS process. Your browser and the destination server:
- Agree. They define which TLS version they'll use during their connection.
- Choose. A so-called "cipher suite" defines how data will be encrypted. The parties agree on those terms.
- Authenticate. The browser requests and verifies a security certificate from the destination server.
- Complete. After negotiations, the two parties exchange session keys and begin transferring data.
Your browser and the destination site need time to complete this process. Unfortunately, web visitors are impatient. For example, about half of all mobile users will click away from sites that take more than three seconds to load.
Newer versions of TLS are lightweight, and they can speed up handshakes. Connecting with this technology is quick and easy.
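The handshake steps above map directly onto the settings a client exposes. The following added example (not code from the original article) uses Python's standard ssl module to build a client context that pins each step (a TLS 1.2 floor so older versions are never agreed on, forward-secret AEAD cipher suites only, and mandatory certificate and hostname checks), alongside a deliberately permissive context and an audit function that reports which steps a context leaves open. The cipher-string and function names are this example's own choices.

```python
import ssl

# Superseded protocol versions; a hardened context must refuse to "agree" on any of them.
LEGACY_VERSIONS = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that pins each handshake step.

    Agree:        TLS 1.2 is the floor, so TLS 1.0/1.1 and SSL 3.0 are never negotiated.
    Choose:       TLS 1.2 is limited to ECDHE key exchange with AEAD ciphers
                  (every TLS 1.3 suite is forward-secret and AEAD by design).
    Authenticate: the server certificate chain and its hostname are both checked.
    """
    ctx = ssl.create_default_context()  # loads the platform CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The opposite configuration, for contrast: no certificate check and no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def allows_legacy_version(ctx: ssl.SSLContext) -> bool:
    """True if the context could still agree to SSL 3.0, TLS 1.0 or TLS 1.1."""
    floor = ctx.minimum_version
    return floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor in LEGACY_VERSIONS


def has_forward_secrecy(cipher: dict) -> bool:
    """Ephemeral key exchange: all TLS 1.3 suites, and TLS 1.2 suites named ECDHE-/DHE-."""
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith(("ECDHE-", "DHE-"))


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings; an empty list means every step is pinned."""
    findings = []
    if allows_legacy_version(ctx):
        findings.append("legacy protocol versions are negotiable")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    for c in ctx.get_ciphers():  # one dict per enabled suite, as reported by OpenSSL
        if not has_forward_secrecy(c) or not c["aead"]:
            findings.append(f"weak suite enabled: {c['name']}")
    return findings
```

Calling audit_context(hardened_client_context()) returns an empty list, while the permissive context reports the missing version floor, certificate requirement and hostname check.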
What Makes TLS Different?
Plenty of security protocols exist, and it's easy to confuse one for another. Terminology doesn't help, as some people use protocol names interchangeably.
Consider TLS and SSL. The secure sockets layer (SSL) protocol is a precursor to TLS. Taher Elgamal created SSL while he worked at Netscape, and decades later, he told reporters that he remained proud of his work and the security it offered.
Developers used SSL for years, and they became accustomed to the acronym. Some seemed resistant to dropping it. For example, the security certificates parties exchange during the TLS process are called "SSL certificates."
You don't use TLS and SSL together. Both are security protocols, but TLS replaces SSL.
TLS is also used interchangeably with HTTPS. If you've seen bloggers claim, for example, that a website uses TLS because the website starts with "HTTPS," you've encountered this confusion.
HTTPS is a secure form of HTTP, and it's built on the foundation of TLS. The two are complementary, and they both work to enhance security. But they're not the same protocol, and they aren't competitors.
TLS Changes Version by Version
Developers continue to tinker with TLS as they look for new and better ways to protect information.
TLS versions include:
- TLS 1.0. Described by RFC 2246 in the late 1990s, the protocol is based on SSL 3.0 as crafted by Netscape. The authors say the differences between the two are "not dramatic," but TLS offered stronger security than SSL.
- TLS 1.1. Released by IETF in 2006, this version strengthens security and patches known flaws.
- TLS 1.2. Released by IETF in 2008, this version is even stronger, and some companies continue to use it today.
- TLS 1.3. Released in 2017, this version is the la