TLS, SSL and HTTPS are terms that are very common nowadays when we talk about security. Unfortunately, many do not fully understand what these terms really mean and would just label these as a security kind of thing.
Introduction – What is TLS, SSL & HTTPS?
What is TLS, SSL & HTTPS? – In this article, we will try to understand what SSL, TLS and HTTPS really is. This would not be an introductory level type of article. We will go into details and try to fully understand the concepts.
Secure Sockets Layer or SSL is a security protocol that allows the authenticity and integrity of two communicating parties by keeping the communication channel secure and safe.
Sounds easy yeah? Believe me, the fundamental concept of SSL is a lot more complex.
Now, let’s break it down to details.
What does Security Protocol means?
First of all, what is a protocol? A protocol is a set of rules or instructions that determines how to act in a given situation.
A Security Protocol, or also known as cryptographic protocol is an agreed sequence of actions or operations between two or more communication parties.
In simpler terms, when two or more parties want to communicate to each other, they have to follow this actions/operations or security protocol to ensure the security of the communication.
So, how does SSL/Security Protocol keeps the communication secure?
SSL or Security Protocol keeps the communication between two or more parties/devices/computers safe by providing a secure channel for the communication.
Also, please keep in mind when we said communication, its not like when you talk to your friend on the phone. Communication here is the flow of data transfer between the communicating parties.
A Security Protocol will encrypt the data before it transfer to the receiving party. It also helps to keep thing secure by being able to determine that the receiving party is the correct party.
Understanding what TLS is
Transport Layer Security or TLS is an evolved better version of Secure Sockets Layer.
Since TLS is an evolved version of Secure Sockets Layer, logically TLS provides a more secure protocol compared to SSL.
It is also worth noted that since TLS comes from SSL, these two terms have been used interchangeably (SSL/TLS). However these two terms are not the same, they might be similar but not the same.
The first version of TLS (TLS 1.0) was released in 1999. Since then, TLS has release 3 newer versions, 1.1, 1.2, and 1.3. Version 1.2 is the widely used version at the moment.
How is TLS different than SSL?
Transport Layer Security is different than SSL in terms of the
handshake process or also known as
Other than that, TLS differ than SSL in terms of encryption algorithm, encryption strength, message authentication, cipher suites, alert message, record protocol and many more.
Unfortunately, we would not be discussing these difference in this article but we will talk about the SSL/TLS handshake process.
SSL/TLS Handshake Process
Before we go further, we just want to clarify one thing.
Before we have TLS, we first have SSL. It was called SSL handshake process before but ever since TLS comes about, it was changed to TLS handshake. However, the name ‘SSL’ is still widely used.
On a high-level of SSL/TLS Handshake.
- SSL/TLS Handshake starts or kick off when two parties tries to communicate to each other through session that uses TLS encryption. For example, a web browser tries to establish communication to a web server. (akin to a situation where you open your Chrome browser(web browser) and go to rasyue.com (web server))
- During this kick off of the handshake, the early stage involves the two parties exchanging messages to verify each other, determine which TLS version to use, determine which cipher suite to use, authentication and finally generate session keys.
Let’s go into details on this
Steps in SSL/TLS Handshake Process
- Client Hello – For example, a web browser send as Hello message to the web browser. This message contains the cipher suite and TLS that the browser supports.
- Server Hello – The web server replies back with its Hello message which contains the SSL certificate, the chosen cipher suite and a random byte string known as server random.
- Client Key Exchange – When client/browser receives the SSL certificate, the browser then authenticates the certificate. The client then sends another message which is encoded with the certificate public key.
- The server reads the message which the server decodes using its private key.
- A session key is created, both client and server send “finished” message which is encoded with session key.
- TLS handshake process completed. Both parties continue to communicate using the session keys for secure communication.
This is pretty much what happens during the SSL/TLS handshake. Nothing too crazy on the surface.
Understanding HTTP and HTTPS
Before we talk about HTTPS, let’s talk about HTTP first.
Hypertext Transfer Protocol or HTTP is an application-level protocol for distributed, collaborative, hypermedia information systems. This is the groundwork for communication for the World Wide Web or the Internet that we know today.
HTTP allows the transfer of data or information in many forms like plain text, image, HTML, etc between a web server and a computer.
What type of protocol is HTTP?
HTTP is an application layer protocol or the 7th layer of the OSI (Open System Interconnection) model.
How does HTTP works?
HTTP is also known as a request-response protocol, since HTTP transmit hypertext messages between web browsers and web servers.
HTTP utilizes TCP or Transmission Control Protocol to transfer information between web browsers/client and web servers.
Unfortunately, we won’t be talking about TCP as it is not in this article context. We will write a separate article on TCP later on.
So, what is HTTPS then?
HTTPS or Hypertext Transfer Protocol Secure is simply a secure version of HTTP that utilizes the SSL/TLS protocol for encryption and authentication.
HTTPS allow us to transmit sensitive data like personal data, bank credentials, credit card information, etc securely over the internet. This is because the data will be encrypted during the transmission.
Simple to understand? It’s only just the surface. There are a lot more to learn about HTTP/HTTPS but we think we should stop here and talk about it another day.
We hope that this article will be able to provide you with the answers that you are looking for today.
On a side note, if you are looking to buy a SSL certificate for your website or online store or anything that requires a SSL certificate. Take a look below (affiliate link below).Protect your Business with an SSL certificate . Order now for only $8.88/year at Namecheap!
Also, read my review on Namecheap if you are looking for cheap but good SSL certificate provider.
See you on the next article!