Transport layer security (TLS) is a protocol that provides communications security over a computer network. TLS is the successor of Secure Sockets Layer (SSL). It encrypts and decrypts data being transferred over networks, such as the Internet, thereby securing messages sent from one webserver to another web server or an e-mail client and vice versa.
How transport layer security works
When using TLS, the sender references a unique public key stored on a digital certificate issued by a recognized certification authority. The receiver’s browser then accesses its copy of the sender’s public key via an X.509v3 certificate commonly called a digital certificate. The encrypted connection uses two different keys: “A secret key shared by the sender and receiver, used to exchange an encryption key. A public key known to everyone with whom you wish to communicate.”
The benefits of TLS
TLS provides a distinct advantage over SSL: it is an open standard. Any web browser can use it. It’s also faster than SSL and provides additional security.
Other benefits of Transport Layer Security include:
- It verifies the identity of a website to keep information secure.
- It identifies individual users on a shared network, such as Wi-Fi hotspot by verifying device IDs.
- It may be used to provide security for credit card transactions and other communications where authentication or privacy are required.
The downsides of transport layer security
- Transport Layer Security is complex as it requires a server and client to undergo a process before an encrypted connection can be established.
- TLS may cause compatibility issues for web browsers and servers. Web browsers must have valid digital certificates issued by well-known certification authorities installed on the machine in order to communicate with the server. The authentication process may lead to browser slowdowns.
- The overhead associated with TLS can cause problems for some servers that have limited processing power, small memory allotments or other limitations.
- TLS is not compatible with some protocols designed to work in non-secured communications environments including FTP, Trivial File Transfer Protocol (TFTP), Network File System (NFS) and some streaming media protocols.
- Lastly, TLS can be expensive to implement because it requires additional hardware for encryption, decryption and the upkeep of digital certificates.
Who needs to use TLS and why
Transport Layer Security is integral to organizations that need secure communications over an unencrypted network. SSL technology, now replaced with TLS due it its open nature, was once widely used by companies to protect websites and emails containing sensitive information about their businesses including business plans, financial data and other confidential material.
Additionally, TLS can provide added security for mobile devices as well as protect credentials used to access remote network resources such as virtual private networks (VPNs), remote access servers and wireless access points.
Transport Layer Security does not require any specific hardware or software and once it has been set up on a computer, an application can automatically secure communication between two machines using TLS.
Frequently asked questions about transport layer security
Why should I use transport layer security?
As of 2015, all websites running with security certificates must use TLS and vulnerable older versions of Transport Layer Security (such as SSL) can no longer be used by web-based service providers. TLS also helps prevent eavesdropping of messages or tampering with any information being transferred between computers. It is clear that TLS is necessary wherever sensitive data needs to be transmitted securely across networks such as the internet or when credit card details are being sent online.
What versions of TLS are supported by secure websites?
Currently, the most commonly used Transport Layer Security version is 1.2 and this is supported by the majority of browsers. Version 1.0 has been superseded by TLS 1.1 which was then followed by TLS 1.2 in 2008 and TLS 1.3 in 2018. This latest version includes a number of improvements including better encryption algorithms and faster operations on 3DES (Triple DES) ciphers which provide greater security against attacks involving brute force decryption methods and also complies with new international standards for cryptography such as AES (Advanced Encryption Standard). Most modern browsers support at least TLS 1.0 while many servers now use the more advanced protocols SSL 2 or SSL 3 so one issue that website owners need to be aware of is the need to support older protocols for browsers that still use them.
Is transport layer security mainly used for e-commerce operations?
No, Transport Layer Security can also be used in other areas such as:
- E-mail communications allowing secure exchange of messages and digital content (such as files) between email servers and clients.
- Online banking where encryption is a key requirement to protect personal data being transferred during online transactions.
- WIFI network security where wireless networks are increasingly popular but must be protected from potential threats such as hackers or unauthorised access.
- VPN connections which provide remote users with secure access to private networks (via public internet).
Is transport layer security secure?
Yes, encryption using TLS is considered to be one of the most secure methods possible although there have been some vulnerabilities identified over recent years such as BEAST and Heartbleed. In addition, a potential issue has been highlighted in relation to Perfect Forward Secrecy (PFS) which aims to improve security by using different public keys for each connection and was made mandatory for web-based service providers in October 2016. Despite these problems though, Transport Layer Security remains a highly effective method of securing online transactions and other sensitive data that needs to be sent across the internet or any other open network.
What are some practical examples where TLS/SSL is used?
The following list provides an overview of some common applications that use TLS/SSL:
- Web browsers can connect securely to internet servers using Hyper Text Transfer Protocol (HTTP) over Transport Layer Security (TLS).
- Email servers can communicate with each other by using Simple Mail Transport Protocol (SMTP) which is also protected by TLS.
- Servers running a virtual private network accept requests from remote users and initiate encrypted sessions between the computers forming part of the private network.
- Virtual Private Network connections are secured before access is granted to sensitive data on company networks or personal information on home networks.
- Sensitive web data including credit card details and passwords for online accounts can be transmitted securely via HTTPS which provides additional authentication methods such as digital certificates.
- Secure Sockets Layer (SSL) is a predecessor of TLS and can be used for encrypting whole web pages.
- Secure Shell (SSH) which provides encrypted remote access to computers running Unix-based operating systems.
What are some potential problems encountered when transport layer security is used?
Although the use of encryption protects data during transmission, there are still many ways that hackers can gain entry into a computer or network including keyloggers, spyware and phishing attacks. Other issues involve human error such as losing wireless devices containing private keys or forgetting passwords needed to access encrypted data meaning that regular backups should always be performed in case lost data needs to be recovered.
The need for up-to-date protection against threats means that Transport Layer Security needs to be supported on both the server and client-side. For example, encryption protocols such as SSLv2 and SSLv3 have now been deprecated by many browsers because of their vulnerability to certain types of attacks.