The SSL protocol, and its new version TLS, are used to secure exchanges on a network. When the data passes from one point to another, it is not sent in the clear but encrypted.
SSL combines public key and symmetric key encryption to secure a connection between two machines, typically a web server or mail server and a client machine, communicating over the Internet or an internal network.
Table of Contents
Using the OSI reference model, SSL runs above the TCP/IP protocol, which is responsible for transporting and routing data across a network, and below more general protocols such as HTTP and IMAP that encrypt network connection data in the application layer of the Internet Protocol (IP) suite.
The “sockets” in the protocol name refers to the bidirectional method of transmitting data by sockets between a client and a server program on a network, or between program layers in the same computer.
SSL/TLS encryption is more common on the Internet and helps protect the connection between the Internet user’s browser and the server on which a Web application is hosted.
Thus, exchanges carried out with SSL/TLS protection make it possible to:
- Ensure that all data in transit is encrypted via a set of algorithmic and cryptographic keys to make it unreadable.
- Ensure the integrity of the data exchanged without loss or alteration.
- Ensure the identity of the server to which this data is transmitted
The SSL/TLS protocols on the Internet
SSL/TLS has been largely democratized in the face of various threats on the Internet. This encryption makes it possible in particular to avoid man-in-the-middle attacks, i.e. the interception and alteration of data by a third party.
An online bank, a forum or an e-commerce store require the sending of sensitive data. For this reason, they use an encrypted connection through SSL/TSL. More precisely the protocol is added to HTTP to form HTTPS.
To allow secure exchanges, an Internet service provider must necessarily install an SSL/TLS certificate on its servers. The latter is issued by a trusted authority that ensures the legitimacy of the owner of these servers. This verification device is more or less extensive depending on the type of SSL/TLS certificate chosen.
The democratization of SSL/TLS
Formed by Mozilla, Cisco and the Electronic Frontier Foundation, the Let’s Encrypt initiative aims to offer all owners of a website a basic certificate allowing at least to protect the data transmitted.
In fact, the majority of web hosts now offer free and easy activation of an SSL certificate to a website. For this reason, most Internet connections today are HTTPS protected. It has also become a criterion taken into account by Google within its SEO algorithms.
History of the SSL protocol
The SSL protocol was developed by Netscape Communications in the 90s.
The company sought to encrypt its data in transit between its popular Netscape Navigator browser and web servers on the Internet, to ensure the protection of sensitive data, such as credit card numbers.
Version 1.0 of the protocol was never released, and version 2.0, released in February 1995, had a number of security flaws.
After a complete overhaul, version 3.0 was released in 1996. Although never formally standardized (the IETF published the draft 1996 version of SSL 3.0 as a history sheet in the RFC 6101), it has become the de facto standard for Internet communications security.
When the IETF officially took over the SSL protocol for standardization in an open process, SSL version 3.1 was released as Transport Layer Security 1.0.
It introduced security enhancements to address deficiencies found in earlier versions. The name was changed to avoid any legal issues with Netscape.
The POODLE vulnerability is a well-known flaw in the SSL 3.0 protocol, based on the fact that it ignores padding bytes when running in Cipher Block Chaining (CBC) mode.
This flaw could thus allow a hacker to decrypt sensitive information, such as identification cookies. TLS 1.0 is not vulnerable to this attack because it specifies that all padding bytes must have the same value and be verified.
Other key differences between SSL and TLS make the latter a more secure and efficient protocol: message authentication, key generation, and supported cipher suites, with TLS supporting newer and more secure algorithms. TLS and SSL are not interoperable, but TLS offers backwards compatibility so it can work with older systems.