Good day everyone! In this post I will explain why it is important to understand the internet and data encryption, what exactly SSL and TLS are, and why you need to know about them in today's cyber world, where there are many vulnerabilities out there.
First, I will give an overview of what SSL and TLS are, and then go over the SSL/TLS versions. It is recommended to have a clear understanding of SSL and TLS, their versions, and the timeline of releases and updates. Only with this understanding will you be able to judge where your network stands and what you need to upgrade to.
Before we move to the explanation of SSL and TLS, you need to understand the internet, how data is transferred over it, and why encryption is needed. After that we will cover the versions of SSL/TLS. Now let's start with the internet.
The internet can be described as a bunch of different routers that hand data off to one another. These routers are physically connected via wires and are spread all over the world. On either side of the internet there is the client and the server it is speaking to. The routers are owned by many different internet service providers (ISPs), such as AT&T, Verizon, Comcast, Spectrum, etc. These ISPs are in charge of maintaining the routers that hand data off to one another. When you request data from the other end, you put data on the wire, and it flows through various routers maintained by various ISPs all the way across the internet until it reaches the other side. From the moment you put the data on the wire, you no longer have control over what happens to it. The data is literally in the hands of all these different ISPs as it passes across the internet. Data transfers can be websites, file transfers, etc. The most common data transferred over the internet is websites.
How is the website data transferred?
Websites are usually written in HTML (Hyper Text Markup Language), which is transferred over HTTP (Hyper Text Transfer Protocol). When the client requests the website devopspal.com from a web browser, the request travels through the routers of the ISPs and reaches the server. The server then sends the HTML data over HTTP back to the client, again through various routers of different ISPs, and the client's web browser converts the HTML data into a proper visual format and displays the requested site in a user interface.
All of this data transferred over HTTP, both the request from the client to the server and the response back from the server to the client, is NOT encrypted. For a static website that only displays public data and handles no confidential information, using HTTP can be OK, since the content is public for everyone. Even so, it is always recommended to secure a static website, even though there is no confidential information in it, in order to show trust to the end user.
Why is encryption needed?
Some websites handle confidential data such as login credentials, bank information, passwords, etc. When these details are entered on a website and sent from the client to the server over HTTP, that confidential information is visible to the outside world. Anyone on the path between the client and the server can access the data, and this is the reason many browsers display errors, “not-secured” labels and warning messages for HTTP websites. This is where SSL and TLS come into the picture: they provide the encryption mechanism for data transferred over the internet. SSL and TLS create a secured tunnel across the internet so that the client and server can share information safely. This is HTTPS, which stands for Hyper Text Transfer Protocol Secure. With HTTPS, an HTML webpage is transferred with HTTP protected by SSL.
Likewise, SSL and TLS can also protect other data transfers apart from websites. SSL VPN is used to protect data transferred from a client to a corporate network and vice versa. Almost all corporate companies use SSL VPN to connect client systems to their network so that people can work remotely and securely. The client connects to the corporate firewall using SSL VPN, which builds a secured tunnel between the client and the firewall, and thus the client gets secure access to corporate resources when outside the network.
There are several public VPNs as well. A public VPN is a type of VPN connection that can be accessed openly or publicly by end users. We will discuss public VPNs in a later post.
What is SSL?
SSL stands for Secure Sockets Layer. SSL was created by the company Netscape in 1994 to bring security to the internet. SSL adds a secured tunnel to the protocols that use it, such as HTTPS and SSL VPN. It keeps the internet connection secured, safeguarding sensitive data that is sent and received between the client and the server over the internet. This prevents hackers or criminals from reading and modifying any data that is transferred, including confidential data and personal details. One example is a banking website, where the client and the banking server share data. Another example is a server-to-server connection that carries personal information for an application.
What is TLS?
TLS stands for Transport Layer Security. In 1999, the IETF took over maintenance of the SSL protocol. IETF stands for Internet Engineering Task Force, and it is responsible for maintaining many internet protocols. When the IETF took over the SSL protocol, they renamed it TLS, and this is the reason there are two different terms. We can consider SSL and TLS as referring to the same protocol, just different versions of it. In today's world we mostly use the newer version, which is TLS, but some people still use the old term SSL.
SSL/TLS versions and which is most secure today:
There are several versions of SSL and TLS, and each newer version brings developments for better encryption. New versions were created to fix the flaws of the older versions, so it is always recommended to use newer versions. A good understanding is needed to use the right version of SSL/TLS. There are major versions and minor versions for each SSL/TLS release, and based on these you should opt for the right one for your use case. After SSL 3.0, the protocol was renamed TLS 1.0 by the IETF, with the same security levels as SSL 3.0. The world today technically uses the TLS terminology.
TLS 1.2 and TLS 1.3 are considered the most secure versions and are the ones recommended for use today!
Understanding these topics is recommended so that you can stay secure by applying the latest protocols based on properly updated information. These versions change often as new encryption methods kick in, and keeping yourself updated on them will give you better security. I will be posting more on the SSL/TLS versions to better explain the differences, along with the various ciphers. Servers and applications should always have the latest versions and should be kept updated on all platforms to run securely and peacefully.
Thank you for reading the post, and I hope you gained some knowledge today on the internet and security.