What is SSL/TLS?

SSL and TLS are standard security protocols used for secure network communication. SSL (Secure Sockets Layer) was first created in 1996 by Netscape. After security flaws were found in SSL, TLS (Transport Layer Security) was created as an updated replacement. The most recent release was TLS 1.3 in 2018. Today the terms SSL and TLS tend to be used interchangeably.

Websites that require security or personal information like passwords, bank details, etc., will always have a URL starting with HTTPS and not HTTP. HTTPS indicates the site is secure because it has an SSL/TLS certificate. These certificates allow the client to authenticate the server and establish a secure, encrypted connection.

Websites that have an HTTP-only connection exchange data in clear text. This means potentially personal information travels across the public internet unencrypted. Attackers who intercept network traffic and filter it for data can see all your information exposed and readily available to exploit. For this reason, HTTP-only sites receive much lower SEO rankings.

So how do SSL/TLS certificates work? The client initiates a connection by sending a 'Hello' message. This contains the supported TLS version, supported cipher suites, and a random string called the client random.

The server then responds with its own 'Hello' message containing the cipher suite, another random string called the server random, and its TLS certificate.

The client then authenticates the server. Using a key in the server's TLS certificate, the client encrypts a string called the premaster secret and sends it to the server.

The premaster secret can only be decrypted by a private key on the server. Once decrypted, the server generates session keys from the client random and the server random that were sent in the 'Hello' messages. Session keys are exchanged, and the encrypted session is established.

The TLS connection uses irreversible encryption algorithms to scramble all the data being passed between the client and the server, protecting it.

On today's internet, HTTPS is an essential security practice. It is now standard practice for all websites to use HTTPS even if the site does not use personal data. An HTTP-only site is a significant deterrent for users, and search engines penalize HTTP-only websites in SEO rankings to discourage their use.