Basic Server Security – What Are SSL/TLS And Why Are They Important
If you’ve been working with websites or servers for a while, you’ll likely have seen references to SSL certificates and TLS. In this part of our Basic Server Security series we’ll be looking at what they are and why they are important to your server.
Security risks
One of the features of the early internet is that it was viewed as a very trusting place. As such, many of the communications protocols used online provided no method to authenticate the server you are communicating with, or to prevent anyone intercepting your communications and reading them. This meant that when navigating to a website, not only could you not determine whether the server you were connecting to was the one you thought you were connecting to, but also that anyone that could intercept what you were sending to it (such as passwords) could easily read them in plain text.
SSL saves the data
The Secure Sockets Layer (SSL) protocol was originally devised by Netscape as a way of resolving these deficiencies. It provided for a cryptographically signed certificate that could be issued to a server that could be used to identify itself, and prove that it should be serving web pages for the domain you were connecting to. In addition, it provided a method by which a web browser and a web server could encrypt the data transferred between them meaning that if someone did intercept the network traffic between them that the data collected would be useless to them.
Upgrade to TLS
Transport Layer Security (TLS) was developed as an upgrade to SSL. It was released in 1999 and built on the foundations that SSL created. Due to the fact that the same certificates were used for both SSL and TLS, and that the same software libraries dealt with both forms of security, the term SSL is often used to refer to both SSL and TLS, although the SSL protocols themselves have been found to be broken and have been unsuitable for use for a number of years. The certificates used are still normally referred to as SSL certificates. Configuring servers and applying them also references SSL, despite the fact that most software will only use TLS for communication unless it’s out of date.
Securing everyday internet use with SSL/TLS
Now let’s look at how this works. The owner of a domain name will normally apply for a certificate from a certificate authority (CA), either directly or through a third party. Many hosting providers offer discounts for their customers for certificates versus them buying them directly from a certificate authority.
Most CAs offer multiple levels of certificate from basic domain validation (where the applicant has to prove they have control of the domain) up to extended validation certificates, where not only do they check control of the domain name, but also the existence of the owning organization, its registration status with government bodies, and finally that its identity matches up with any official records.
Extended validation certificates are normally used by businesses trading online as it provides an extra level of reassurance for customers. From a user’s perspective, a website with a basic certificate will show in a web browser with a green padlock in the browser bar. Extended certificates also show the company name alongside the padlock. It is also possible to create self-signed certificates without using a CA. These provide no evidence that the server is allowed to use the certificate, but if it is accepted by the end user will still allow for communications to be encrypted.
When a web browser connects to a server using HTTPS (HyperText Transfer Protocol Secure) the server will first present its certificate as a way of authenticating itself. The certificate will be signed by the issuing CA, and the web browser will then use the CA’s public key to decrypt the signature to ensure that the certificate is valid, provided that the web browser trusts the issuing CA. If it is, the browser will then trust the site. Then, provided that the domain the certificate is for matches the domain the browser is trying to reach, and that the certificate hasn’t passed the date of expiry, the web browser will then continue to connect to the website and negotiate encrypting traffic with no further input from the user. If any of these conditions aren’t met the web browser will alert the user of the problem so that they can choose whether to continue or not. As they aren’t issued by a trusted CA, self-signed certificates will fail this test, and as such they are mostly used for development environments and testing rather than for publicly accessible sites.
SSLs for every purpose
The use of SSL/TLS isn’t limited to just websites. These days, email clients can use them when connecting to mail servers and FTP servers. VPN technologies also make use of the technology. This means that if you run multiple services from a single domain then the SSL certificate can be shared between all the services.
These days the likes of Google and Mozilla are pushing for the use of HTTPS to become the default for all websites in the interests of making the web a safer place for all users. Services like Let’s Encrypt support this by making it possible for any publicly accessible web server to gain a basic domain validation certificate for free. If you are putting a website or service online, it’s strongly recommended that you make use of SSL/TLS technologies to secure your service for your clients.