Every day we entrust the internet with our most private information. Credit card details, bank transactions, private messages, addresses, and phone numbers all get sent over the internet. But what exactly is protecting us? The answer is TLS. In this post, we explain what TLS is, how it's used, and why you need it.
What is TLS?
On the one hand, news like this can make us all feel a bit silly. On the other, it’s hugely empowering to know we can always stay one step ahead of cyber criminals – even if our only weapon is a good password.
How does TLS work?
TLS provides a secure, private connection between a client (e.g., a web browser) and a server (e.g., nordpass.com). In a matter of seconds, communication between the two parties will be verified, authenticated, certified, and encrypted. The final result of TLS is known as 'secure symmetric encryption.' However, a secret handshake is the best way to understand the process.
The client sends a 'hello' message to the server: The message indicates which TLS version the client supports. It also specifies the cipher suites supported and a sequence of random numbers known as client random bytes.
(The random bytes guarantee the 'freshness' of the handshake. The randomness helps to prevent attackers from simulating a string of numbered sessions beforehand and picking the relevant one for you. Both sides will produce a random sequence as verification – more on this below).
The server sends a 'hello' message back: The reply message contains the server's TLS/SSL certificate, the chosen cipher suite, and another random sequence of numbers. The certificate activates the HTTPS protocol, and the padlock symbol appears next to the URL.
The client authenticates the server: The client verifies the server's TLS/SSL certificate with the authority that issued it. That confirms the server's identity and proves that the client is communicating with the actual owner of the domain.
The client creates a 'premaster secret': The client gets a public key from the server's TLS/SSL certificate. The key is used to encrypt another random sequence of numbers, called the premaster secret. It can only be decrypted with a private key held by the server.
The server uses its private key to decrypt the premaster secret.
A session key is created: By now, there are three sets of random number sequences in play (1: client random, 2: server random, and 3: premaster secret). The client and server use all 3 to generate a session key. A session key is a protective measure – it's a unique key used only once to protect and secure that session only. A new session key is created each time you visit the site.
The client announces it's ready: The client sends a 'finished' message, encrypted with the exclusive session key.
The server announces it's ready: The server does exactly the same thing.
The handshake is complete: Communication between the client (e.g., Safari) and the server (e.g., nordpass.com) is secured with TLS encryption and protected from attackers.
Does TLS prevent hackers?
TSL is both secure and reliable: A 'shared secret' is negotiated between two parties – and protected using multiple layers of single-use codes and keys. This way, eavesdroppers and attackers cannot possibly guess or see your data.
Multi-layer encryption scrambles your data, turning it into random gibberish. Even if a passive attacker were listening in to your data, they wouldn't be able to read the communication.
Where is TLS used?
TLS is most commonly used for:
Internet communications. Email, instant messaging apps, and Voice over IP apps like Skype.
Online transactions. Financial apps like PayPal, Western Union, and online banking websites. TLS is frequently used in online shopping – signified by the green padlock in your browser.
What is the difference between TLS and SSL?
TLS is an improved version of SSL.
In 1994, SSL (secure sockets layer) was invented to encrypt data, provide client and server authentication, and protect data transmitted over insecure networks. Within a year, it skyrocketed to becoming the best way to secure data in emails, web browsers, and VoIP. However, SSL was found to contain a significant security flaw.
In 2013, Google expressed a major concern with the security of SSL 3.0. Since SSL uses a mixture of plain text and encrypted text, it allowed hackers to read passwords and reveal users' account information on websites. Any website that uses SSL is vulnerable to this kind of attack – termed POODLE.
TLS was designed to fix the flaws within SSL, and naturally, TLS was adopted by businesses worldwide. The best way for businesses to avoid website security issues is to ensure that their site and its hosting server only support the latest version of TLS.
Why do we need TLS?
HTTP stands for HyperText Transfer Protocol and is the basis for any website. Websites beginning with HTTPS use a secure, private connection – the S in HTTPS stands for secure.
TLS or SSL is the underlying security technology behind HTTPS.
TLS wraps online connections in encryption, which makes your data unreadable to hackers. Without TLS, every online connection could potentially be intercepted. Anyone could read our messages, online calls could be intercepted, and our credit card details would be in plain sight to attackers. The best part of being protected by TLS? You don't even realize it's happening.