TLS and SSL for beginners

An Introduction to Asymmetric Cryptography.

Welcome to the beginner’s guide to TLS and SSL. We’ll take a deep dive into the applications of asymmetric, or public-key, cryptography.

What is Asymmetric Cryptography?

Public-key cryptography was introduced in early 1970. Together with it came the idea that instead of using a single key to both encrypt and decrypt a piece of information, two separate keys should be used: one for encryption and one for decryption. This means that the key used to encrypt the information plays no part in decrypting it. Public-key cryptography is also known as asymmetric cryptography.

This is a novel concept, and to further elaborate on it would require the use of very intricate calculus, so we’ll save that discussion for another time.

What are TLS and SSL?

TLS stands for Transport Layer Security, whereas SSL is an abbreviation for Secure Sockets Layer. Both are applications of public-key cryptography, and together they have enabled internet users to carry out communications over the internet.

What exactly these two are is explained below.

How’s TLS Different from SSL?

TLS and SSL both use the asymmetric approach to encryption to secure communications over the internet (handshakes). The core difference between the two is that SSL resulted from commercial innovation and is therefore the property of its parent company, Netscape. In contrast, TLS is an Internet Engineering Task Force standard, a slightly updated version of SSL. It was named differently to avoid copyright issues and potentially a lawsuit.

To be precise, TLS does come with some attributes that separate it from SSL. In TLS, handshakes are established without security and are strengthened by the STARTTLS command, which isn’t the case in SSL.

TLS is considered an improvement on SSL because it allows handshakes that are typically unsafe or insecure to be upgraded to secured status.

What Makes TLS Connections Safer than SSL?

Competition in the computer security market has been intense. SSL 3.0 couldn’t keep up with the internet and was rendered obsolete in 2015. There are several reasons behind this, mainly to do with vulnerabilities that couldn’t be rectified. One such susceptibility is SSL’s lack of compatibility with ciphers that are capable of withstanding modern cyberattacks.

The vulnerability remains with TLS 1.0, as an intruder might force an SSL 3.0 connection upon the client and then exploit its vulnerability. This is no longer the case with TLS’s new upgrade.

What Measures Can We Take?

If you’re on the receiving end, just keep your browser updated. Nowadays, all browsers come with built-in support for TLS 1.2, which is why maintaining security isn’t that difficult for clients. However, users should still take precautions when they see red flags. Virtually all warning messages from your browser point at such red flags. Modern web browsers are exceptional at detecting if something shady is going on at a website.

Server admins hosting websites have bigger responsibilities on their shoulders. There’s a lot you can do in this regard, but let’s start by displaying a message when a client is using outdated software.

For instance, those running Apache as their web server should try these configuration directives:

SSLOptions +StdEnvVars
RequestHeader set X-SSL-Protocol %{SSL_PROTOCOL}s
RequestHeader set X-SSL-Cipher %{SSL_CIPHER}s

If you’re using PHP, look these values up in $_SERVER within your script. Should you come across anything that indicates that the client’s TLS is outdated, the script can display a message accordingly.
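
As an added example (not code from the original article), the following PHP reads the values the Apache directives above export and returns a warning when the negotiated protocol is outdated. The function names, the sample inputs and the rule that anything below TLS 1.2 counts as outdated are assumptions made for this example.

```php
<?php
// Added example. Assumption: anything below TLS 1.2 counts as outdated.
const OUTDATED_PROTOCOLS = ['SSLv3', 'TLSv1', 'TLSv1.1'];

// Return the protocol mod_ssl reported for this request, or null if none.
function negotiated_protocol(array $server): ?string
{
    // SSL_PROTOCOL comes from SSLOptions +StdEnvVars and is checked first.
    // HTTP_X_SSL_PROTOCOL is how PHP exposes the X-SSL-Protocol header; rely
    // on it only when your own Apache sets it, because "RequestHeader set"
    // is what overwrites any value the client sent itself.
    foreach (['SSL_PROTOCOL', 'HTTP_X_SSL_PROTOCOL'] as $key) {
        $value = $server[$key] ?? '';
        // mod_headers writes "(null)" when the variable is unset (plain HTTP).
        if ($value !== '' && $value !== '(null)') {
            return $value;
        }
    }
    return null;
}

// Return a message for the visitor, or null when no warning is needed.
function tls_warning(array $server): ?string
{
    $protocol = negotiated_protocol($server);
    if ($protocol === null || !in_array($protocol, OUTDATED_PROTOCOLS, true)) {
        return null;
    }
    // Escape before output: the value may have arrived as a request header.
    return sprintf(
        'Your connection uses %s, which is outdated. Please update your browser.',
        htmlspecialchars($protocol, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    ['SSL_PROTOCOL' => 'TLSv1.3', 'SSL_CIPHER' => 'TLS_AES_256_GCM_SHA384'],
    ['HTTP_X_SSL_PROTOCOL' => 'TLSv1', 'HTTP_X_SSL_CIPHER' => 'AES128-SHA'],
    ['HTTP_X_SSL_PROTOCOL' => '(null)'],
];
foreach ($samples as $sample) {
    echo tls_warning($sample) ?? 'no warning', PHP_EOL;
}
```

In a real page, pass `$_SERVER` to `tls_warning()` and print the result in your template when it is not null.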

To further strengthen your server security, there are free utilities out there that test your system for susceptibility to TLS and SSL shortcomings. Some of them can even help you configure your server better. If you like that idea, check out the Mozilla SSL Configuration Generator, which basically does all the work of setting your server up to minimize TLS risks and such.

If you want to test your server for SSL susceptibilities, check out Qualys SSL Labs. It runs an automated test of your configuration that is both comprehensive and intricate, if you’re detail-oriented.

In Summary

All things considered, the weight of responsibility lies on everybody’s shoulders.

With the advent of modern computers and techniques, cyberattacks have become ever more impactful and large-scale with time. All internet users must have adequate knowledge of the systems protecting their online privacy and take necessary precautions while communicating over the internet.

In any case, you’re always much better off using open-source software, as it’s safer, free, and can get the job done.

About the author

Younis Said

I am a freelancing software project developer, a software engineering graduate and a content writer. I love working with Linux and open-source software.