SSL, TLS And Their Role In Security On The Internet
When the internet was first devised, it was envisioned as a tool to connect universities, research establishments, and the military. As computers were so expensive at the time, the number of internet users were limited. This also meant that little emphasis was placed on public security with regard to the technologies being developed. All data was sent in plain text, meaning that anyone who intercepted information could also read it. Security wasn’t a major concern since all of the systems were connected to trusted sources.
As the internet grew and became accessible to more people, it became apparent that, in the interests of security, methods needed to be implemented to secure communications. SSL (Secure Sockets Layer) technology was developed by Netscape as a means to secure communications and was part of the HTTPS (HyperText Transmission Protocol Secure) specification they created. The system was designed to achieve two goals. First, to help identify the server to which the browser was communicating, and second, to keep the data transmitted between the server and the browser secret and secure.
Signed Certificates
The first objective was achieved through the use of signed certificates. The owner of a domain name could apply for a certificate from a trusted certificate authority who would perform checks on the owner of the site before issuing the certificate. By sharing this certificate when a browser connects, this enabled the browser to verify that the server it was talking to was correct, by verifying the legitimacy of the signature on the certificate.
Encryption
The second goal was attained through the use of encryption algorithms to prevent anyone who managed to intercept the data sent from reading it. A two-step process is used for this. First, an exchange of public keys allows the browser and the server to negotiate encryption methods and a symmetric key to use for further communications. Once this is done, the rest of the data transfer takes place using the agreed symmetric key encryption system. Each time the browser and server start a connection, they renegotiate their encryption methods and set a new symmetric key. The encryption means that an attacker intercepting multiple communications between the browser and the server will need to deduce multiple keys to read the data sent.
Transmission Layer Security (TLS)
Over time, flaws with the SSL system meant that updates were required which led to a replacement TLS in 1999. TLS has since had multiple updates, recently reaching version 1.3. Most of the updates have also involved removing older and insecure encryption methods as weaknesses were also detected in these. In the interests of backward compatibility with older systems, newer versions allowed the browser and server to fall back to older versions or TLS/SSL when required. The SSL 3.0 version from 1996 was available for use until 2015 after the POODLE attacks demonstrated how an attacker could force a connection between a browser and server to downgrade to insecure SSL encryption methods when both supported the current TLS 1.2.
While SSL was first designed by Netscape for use with web browsers, the technology has been repurposed for many other systems. These days you can find TLS in use providing security for email, Virtual Private Networks (VPNs), Voice Over Internet Protocol (VOIP) and chat services. Specific software implementations exist, such as OpenSSL that allows developers to gain the security advantages of TLS for their applications without needing to write all the code for it themselves. This has helped TLS become one of the most common methods of securing communications on the internet.