SSL and TLS: How Security Certificates Work

In this post, I want to provide more insight into SSL/TLS. Talking about “SSL” can be very confusing: one person may be talking about a protocol while the other is talking about a certificate, and the two are different things.

This can lead to conversations in which people completely misunderstand each other.

With this post, I hope to create more clarity about SSL and TLS protocols in combination with the different types of security certificates that currently exist. Hopefully, you will be able to grasp the full picture after this post. It took a while for me as well, to be honest.

HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure and is HTTP carried over TLS. HTTP is the primary protocol used to exchange requests and responses between a browser and a website. Plain HTTP sends everything in cleartext, so anyone on the path (a coffee-shop Wi-Fi, an ISP, a compromised router) can read or modify it. HTTPS wraps the same HTTP messages in an encrypted, integrity-protected TLS connection, and the server's certificate lets the browser check that it is really talking to the host named in the URL. This is very important when a user transmits sensitive data, for instance by logging into a bank account, an email service, or an online shopping account, but cookies, URLs and the pages someone reads are sensitive as well.

Any website that accepts login credentials must use HTTPS, and nowadays it is expected of every website. An HTTP-only site (even a simple blog) is flagged by browsers as “Not secure”, ranks lower in search results, and visitors simply leave.

Modern web browsers like Chrome, Edge, Safari and Firefox mark the two kinds of site differently. An HTTPS page shows a padlock in the address bar (recent Chrome versions have replaced the lock with a neutral “tune” icon) to signify that the connection is encrypted and that the certificate was valid for that hostname; the old green padlock and green text have been dropped. All non-HTTPS pages are flagged as “Not secure”. Note what the padlock does and does not say: it means the connection to the named host is encrypted and authenticated, not that the host is honest.

Fun fact: my browser was not secure either when I started with this blog, and I was immediately notified by a friend of mine. After adjusting the settings with my provider, SSL was set up properly and the site was secure. But simply that notification by this friend shows that people are really aware of these red flags and that “insecure” sites are being ignored.

SSL and TLS protocols

As stated before, HTTPS uses an encryption protocol to protect communications between sender and receiver. This protocol is called TLS, Transport Layer Security, and it has replaced the still well-known SSL (Secure Sockets Layer). People still say “SSL” a lot (which can be confusing), but when someone talks about a modern connection and says “SSL”, they actually mean TLS (unless they are talking about history): every SSL version is deprecated and disabled in current browsers and servers.

To put some extra confusion in this: protocols are not the same as certificates. 

Differences between TLS and SSL protocols

What TLS and SSL have in common is the job: both negotiate keys and then encrypt and authenticate the traffic between sender and receiver.

Neighbouring versions differ only in details, but if you compare SSL 3.0 (the last SSL version) with TLS 1.3 (the current TLS version) the gap is big. At its core, the concept is the same through every version: a handshake that authenticates the server and agrees on keys, followed by encrypted records carrying the application data. What differs is how each version does that job: which key exchange, cipher and integrity constructions are allowed, and how many round trips the handshake takes.

SSL version 1 was never released. SSL version 2 was released but had major design flaws (among them, the handshake was not protected against tampering, so an attacker could downgrade the ciphers). SSL version 3 was a complete redesign rather than a patched version 2, and TLS version 1 was a modest revision of SSL version 3 (so close that it is numbered 3.1 on the wire). TLS 1.2 brought significant changes (a SHA-256 based PRF, negotiable signature algorithms, AEAD cipher suites such as AES-GCM) and TLS 1.3 refined and streamlined the whole process.

SSL and TLS are first of all a handshake between a client and a server. The handshake itself does not carry application data; it authenticates the server (and optionally the client), agrees on a shared secret, and picks the algorithms to be used. Only after it completes is the HTTP traffic encrypted.

Whether SSL or TLS, the handshake runs over an ordinary TCP connection, and how that connection gets to the handshake depends on the application protocol, not on the SSL/TLS version. With an implicit connection the client connects to a port reserved for the encrypted version of the service and starts the handshake immediately; port 443 is that port for HTTPS (as 465 is for SMTPS and 993 for IMAPS). With an explicit connection the client first speaks the plaintext protocol on its normal port and then asks to upgrade, as SMTP's STARTTLS on port 25 or 587 and FTP's AUTH TLS do. Nothing switches ports once the handshake has started.

The very first message of the handshake, the one that initiates it, is the Client Hello. It is always sent unencrypted, because no keys exist yet. It tells the server which protocol versions and cipher suites the client supports, and (from TLS 1.2 on) which signature algorithms and key exchange groups, plus the hostname the client wants to reach in the server_name extension (SNI). That hostname is therefore visible in plaintext to anyone on the path.

Traditionally, the handshake needs several round trips between client and server, during which the authentication and key exchange take place, before the first byte of application data can be sent. That added latency applies to every SSL and TLS version and is where the myth originated that SSL/HTTPS slows down your website. Each new iteration of the protocol has worked to reduce the round trips added by the handshake, and HTTPS sites gained a speed advantage for another reason as well: browsers only negotiate HTTP/2 (with its multiplexing and header compression) over TLS, so an HTTPS site on TLS 1.2 or 1.3 with HTTP/2 is usually faster than the same site on plaintext HTTP/1.1.

TLS 1.3 has refined the handshake even further. A full handshake now completes in a single round trip (1-RTT), and a resumed session can send application data together with the very first flight (0-RTT). 0-RTT data can be replayed by an attacker, so it must only carry requests that are safe to repeat. Part of how the simplification was achieved was by shrinking the cipher suite: a TLS 1.2 suite name spells out four things (key exchange, authentication, bulk cipher and hash, for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), a TLS 1.3 suite only two.

A TLS 1.3 cipher suite now names just a bulk (symmetric, AEAD) encryption algorithm and a hash algorithm, for example TLS_AES_128_GCM_SHA256. Key exchange and digital signatures are no longer part of the suite name; they are negotiated separately through the supported_groups and signature_algorithms extensions, and the static RSA and static Diffie-Hellman key exchanges have been removed entirely. The key exchange is always an ephemeral (Elliptic Curve) Diffie-Hellman exchange, which gives forward secrecy by default, and the client already sends its share of the exchange in the Client Hello (the key_share extension), which is what makes the single round trip possible. Everything after the Server Hello, including the server's certificate, is now encrypted, closing the door on passive observers who used to read certificates and the rest of the handshake straight off the wire.
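To make the Client Hello concrete, here is an added example (not code from the original post) that builds a TLS 1.3 Client Hello byte for byte and parses it back. The message is constructed locally and never sent, so it runs offline; the hostname bank.example and the chosen suites, groups and signature algorithms are arbitrary values picked for the example, and the key_share and pre_shared_key extensions of a real Client Hello are left out to keep the focus on what the text describes.

```python
"""Build and parse a TLS 1.3 ClientHello (RFC 8446, section 4.1.2).

Added example, not from the original post. The message is constructed
locally and never sent. It shows what the first handshake message
carries in the clear: versions, cipher suites, SNI, and the separately
negotiated groups and signature algorithms. key_share and pre_shared_key
are omitted; a real ClientHello carries them as well.
"""
import os
import struct

# IANA TLS registry values used below
TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256 = 0x1301, 0x1303
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS = 0, 10
EXT_SIGNATURE_ALGORITHMS, EXT_SUPPORTED_VERSIONS = 13, 43
X25519, SECP256R1 = 0x001D, 0x0017
ECDSA_SECP256R1_SHA256, RSA_PSS_RSAE_SHA256 = 0x0403, 0x0804
TLS12, TLS13 = 0x0303, 0x0304


def _vec(body: bytes, len_bytes: int) -> bytes:
    """TLS length-prefixed vector: 1, 2 or 3 length bytes, then the body."""
    return len(body).to_bytes(len_bytes, "big") + body


def _u16s(values) -> bytes:
    return b"".join(struct.pack("!H", v) for v in values)


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!H", ext_type) + _vec(data, 2)


def build_client_hello(hostname: str, cipher_suites, random_bytes: bytes = b"") -> bytes:
    """Return one TLS record carrying a ClientHello for `hostname`."""
    random_bytes = random_bytes or os.urandom(32)
    sni_entry = b"\x00" + _vec(hostname.encode("idna"), 2)  # name_type 0 = host_name
    extensions = (
        _ext(EXT_SERVER_NAME, _vec(sni_entry, 2))
        + _ext(EXT_SUPPORTED_VERSIONS, _vec(_u16s([TLS13, TLS12]), 1))
        + _ext(EXT_SUPPORTED_GROUPS, _vec(_u16s([X25519, SECP256R1]), 2))
        + _ext(EXT_SIGNATURE_ALGORITHMS,
               _vec(_u16s([ECDSA_SECP256R1_SHA256, RSA_PSS_RSAE_SHA256]), 2))
    )
    body = (
        struct.pack("!H", TLS12)         # legacy_version is frozen at 0x0303 in TLS 1.3
        + random_bytes                   # 32-byte client random
        + _vec(b"", 1)                   # legacy_session_id (empty)
        + _vec(_u16s(cipher_suites), 2)  # offered AEAD+hash pairs
        + _vec(b"\x00", 1)               # legacy_compression_methods: null only
        + _vec(extensions, 2)
    )
    handshake = b"\x01" + _vec(body, 3)  # HandshakeType client_hello = 1
    return b"\x16" + struct.pack("!H", TLS12) + _vec(handshake, 2)  # ContentType handshake


def _u16_list(data: bytes, start: int, length: int):
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(start, start + length, 2)]


def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record; raises ValueError on anything malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    (legacy_version,) = struct.unpack("!H", body[0:2])
    client_random, pos = body[2:34], 34
    pos += 1 + body[pos]                               # skip legacy_session_id
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = _u16_list(body, pos, n); pos += n
    pos += 1 + body[pos]                               # skip compression methods
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    ext_data = body[pos:pos + n]
    if len(ext_data) != n:
        raise ValueError("truncated extensions")
    out = {"legacy_version": legacy_version, "random": client_random, "cipher_suites": suites,
           "server_name": None, "supported_versions": [], "supported_groups": [],
           "signature_algorithms": []}
    p = 0
    while p + 4 <= len(ext_data):
        etype, elen = struct.unpack("!HH", ext_data[p:p + 4]); p += 4
        data = ext_data[p:p + elen]; p += elen
        if etype == EXT_SERVER_NAME:            # list len(2), name_type(1), name len(2), name
            (name_len,) = struct.unpack("!H", data[3:5])
            out["server_name"] = data[5:5 + name_len].decode("idna")
        elif etype == EXT_SUPPORTED_VERSIONS:   # 1-byte list length
            out["supported_versions"] = _u16_list(data, 1, data[0])
        elif etype == EXT_SUPPORTED_GROUPS:     # 2-byte list length
            out["supported_groups"] = _u16_list(data, 2, struct.unpack("!H", data[:2])[0])
        elif etype == EXT_SIGNATURE_ALGORITHMS:
            out["signature_algorithms"] = _u16_list(data, 2, struct.unpack("!H", data[:2])[0])
    return out


if __name__ == "__main__":
    rec = build_client_hello("bank.example", [TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256])
    hello = parse_client_hello(rec)
    # The hostname sits in plaintext: anyone on the path can read it.
    print("SNI:", hello["server_name"], "| in clear:", b"bank.example" in rec)
    print("suites:", [hex(s) for s in hello["cipher_suites"]])
    print("versions:", [hex(v) for v in hello["supported_versions"]])
```

Two details worth noticing when you run it: the record and handshake headers still say 0x0303 (TLS 1.2), and the real version offer lives in the supported_versions extension, which is how TLS 1.3 got past middleboxes that broke on unknown version numbers; and the SNI hostname appears as plain ASCII in the record bytes, which is exactly why the Client Hello cannot be assumed private.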

The overview below shows the history of both protocols (protocols, not certificates):

SSL 1.0 – never released for public use because of security flaws found before release.
SSL 2.0 – released in 1995. Formally prohibited in 2011 (RFC 6176). Has known security vulnerabilities.
SSL 3.0 – released in 1996. Formally deprecated in 2015 (RFC 7568) after the POODLE attack. Has known security vulnerabilities.
TLS 1.0 – released in 1999 (RFC 2246) as an upgrade from SSL 3.0. Disabled by the major browsers in 2020 and formally deprecated in 2021 (RFC 8996).
TLS 1.1 – released in 2006 (RFC 4346). Disabled by the major browsers in 2020 and formally deprecated in 2021 (RFC 8996).
TLS 1.2 – released in 2008 (RFC 5246). Still widely used and acceptable when configured with modern (AEAD, forward-secret) cipher suites.
TLS 1.3 – released in 2018 (RFC 8446). The current version; prefer it wherever both sides support it.
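What the table means in practice is a configuration decision: refuse every version up to TLS 1.1. The following added example (not from the original post) shows that policy in Python's standard ssl module: a client context that only accepts TLS 1.2 and 1.3, verifies the server certificate against the hostname, disables TLS compression, and reports which TLS 1.3 suites the local OpenSSL offers. The weaker settings it replaces are noted in comments; it only builds the context and opens no connection.

```python
"""Hardened TLS client configuration with Python's standard ssl module.

Added example, not from the original post. Builds a client SSLContext that
enforces the version policy from the table above and verifies certificates;
no network connection is made.
"""
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that accepts TLS 1.2 and TLS 1.3 only."""
    # create_default_context() loads the system CA store, enables hostname
    # checking and requires a valid certificate. Do not use the weaker
    # ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) with check_hostname = False and
    # verify_mode = ssl.CERT_NONE pattern seen in old code: it accepts any server.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Weak setting this replaces: minimum_version = ssl.TLSVersion.TLSv1,
    # which still admits the deprecated TLS 1.0 and 1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression enabled the CRIME attack; keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # For TLS 1.2, keep only AEAD suites with an ephemeral (forward-secret)
    # key exchange. TLS 1.3 suites are all AEAD and are not affected by this.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the policy a context enforces, for review or assertions."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        # TLS 1.3 suite names carry only the AEAD cipher and the hash.
        "tls13_suites": [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"],
    }


if __name__ == "__main__":
    for key, value in describe(make_client_context()).items():
        print(f"{key}: {value}")
```

The same two settings, minimum_version and the cipher list, are what you tune on the server side (in nginx: ssl_protocols and ssl_ciphers); the context built here is what you hand to http.client or urllib to make sure a Python client never silently falls back to TLS 1.0.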

SSL/TLS certificates

An SSL certificate is a digital certificate (an X.509 certificate) that provides authentication for a website and enables an encrypted connection: it binds the site's public key to its hostname(s) and is signed by a certificate authority (CA). The CA's signature tells the client that whoever operates the web service demonstrated control of the domain to the CA at the time of issuance. A browser rejects the certificate when the hostname does not match, when its validity period has ended, or when the signing CA is not one the browser trusts.

“SSL certificate” is a commonly used (commercial) term, but the certificate itself is protocol-neutral: the same X.509 certificate is used by the TLS protocol, which is what you are actually running. Nowadays it has become more common to say SSL/TLS certificate to avoid a bit of confusion, so I will use SSL/TLS from now on in this post.

An SSL/TLS certificate lets a server prove that it is the host the client asked for, and it is what allows the encrypted connection between personal devices and websites to be set up with the right party. Understanding SSL/TLS certificates is important for website trust and helps protect customers from becoming victims of scammers, especially because there are different types of certificates. Keep in mind that websites can use different SSL/TLS certificates, which means different levels of identity verification behind the same padlock.

SSL/TLS certificate types

An SSL/TLS certificate shows that the connection is encrypted, and it comes in three validation levels. The encryption is identical for all three; what differs is how much the certificate authority verified about the organization behind the site before issuing it. That is why it is worth understanding what kind of SSL/TLS certificate a site is using when performing a financial transaction or doing anything involving personal user data.

Domain validated (DV)

DV certificates only verify that the applicant controls the domain name. It is a quick, usually automated process: the CA sends an email to an address tied to the domain, or asks the applicant to publish a specific DNS record or a file on the website (this is how the ACME protocol used by Let's Encrypt works). No information about the company is required, and none appears in the certificate. DV certificates therefore carry the lowest level of identity assurance and are routinely used by cybercriminals (!) on phishing domains, because they are free and easy to obtain and give the site a padlock that makes it look more trustworthy than it is. Be aware, though, that plenty of legitimate sites use DV certificates too.

Organizationally validated (OV)

To receive an OV certificate, a CA must validate certain information about the applicant, including the legal existence of the organization, its physical location, and its control of the website's domain name; the organization name and location then appear in the certificate's subject. This process typically takes a couple of days. OV certificates have a moderate level of trust and are a good option for public-facing websites that deal with less sensitive transactions.

Extended Validation (EV)

This type of certificate is aimed at websites that handle sensitive information. It offers the highest level of identity assurance (not stronger encryption). In order to issue an EV certificate, the CA performs an enhanced review of the applicant following the CA/Browser Forum's EV Guidelines: examination of corporate registration documents, confirmation of the applicant's identity and authority to request the certificate, and cross-checking the information with third-party databases. The certificate then carries the legal name, jurisdiction and registration number of the company. Users used to be able to recognize an EV certificate by the company name shown in green next to the padlock, but Chrome and Firefox removed that indicator in 2019 and Safari had already done so, so today the only way to see it is to open the certificate details in the browser.

Securing your online session

Now that you know what an SSL/TLS certificate is, how the security protocols work, and that a DV certificate on a shopping site tells you nothing about who runs it, it is time to learn how to reduce your exposure while shopping or performing other sensitive transactions online. To do so, follow the four steps below:

  • Read the seller’s privacy policy. Find out how your personal information will be used. Reputable companies should be open about the information they collect and what they do with it.
  • Look for trust indicators on shopping sites, but treat them with care. A logo or badge is just an image that anyone can copy, so only count it when it links to a verification page on the issuer's own site.
  • Understand the type of SSL/TLS certificate that a website is using. The padlock only tells you that the connection is encrypted and that the certificate matches the hostname. Browsers no longer show the company name for EV certificates and never distinguished a DV certificate from an OV one, so open the certificate details (click the padlock, then the certificate entry) and look at the Subject: a DV certificate lists only the domain, while OV and EV certificates list the organization name and its location. Some cybersecurity/anti-virus companies also provide web tools where you paste a URL and get this information back.
  • Think twice before entering payment details or personal data on a site that has only a DV certificate. DV certificates serve legitimate purposes (many reputable sites use them), but a DV certificate gives you no verified information about the business behind the site, so combine it with the checks above. If it is an OV or EV certificate, you know that the business information in it was confirmed by the CA.

Final Thoughts

I hope this post provided a bit more insight into the world of certificates. Hopefully, it gives you a better understanding of the security protocols and certificates when browsing the internet.

Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to keep in the loop if I upload a new post, don’t forget to subscribe to receive a notification by email. 

Gijs Groenland

I live in San Diego, USA and I work as a Finance Director at a mid-sized company.
