TLS is a security protocol that provides privacy and data integrity for Internet communications. Implementing TLS is standard practice for building secure web apps.
What is Transport Layer Security (TLS)?
Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also encrypt communications such as email, messaging, and voice over IP (VoIP). In this article, we will focus on the role of TLS in web application security.
TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was published in 2018.
What is the difference between TLS and SSL?
TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), developed by Netscape. TLS version 1.0 began development as SSL version 3.1, but the name of the protocol was changed before publication to indicate that it was no longer associated with Netscape. Because of this history, TLS and SSL are sometimes used interchangeably.
What is the difference between TLS and HTTPS?
HTTPS implements TLS encryption on top of the HTTP protocol used by all websites and other web services. Any website that uses HTTPS is therefore employing TLS encryption.
Why should businesses and web applications use the TLS protocol?
TLS encryption can help protect web applications from data breaches and other attacks. Today, TLS-protected HTTPS is standard practice for websites. The Google Chrome browser gradually cracked down on non-HTTPS sites, and other browsers have followed suit. Everyday Internet users are more wary of websites that do not feature the HTTPS padlock icon.
What does TLS do?
There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.
- Encryption: hides the data being transferred from third parties.
- Authentication: ensures that the parties exchanging information are who they claim to be.
- Integrity: verifies that the data has not been forged or tampered with.
What is a TLS certificate?
For a website or application to use TLS, it must have a TLS certificate installed on its origin server (the certificate is also known as an “SSL certificate” because of the naming confusion described above). A certificate authority issues a TLS certificate to the person or business that owns a domain. The certificate contains important information about who owns the domain and the server’s public key, both of which are important for validating the server’s identity.
How does TLS work?
A TLS connection is initiated using a sequence known as the TLS handshake. When a user navigates to a website that uses TLS, the TLS handshake begins between the user’s device (the client device) and the web server.
During the TLS handshake, the user’s device and the web server:
- Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
- Decide on which cipher suites (see below) they will use
- Authenticate the identity of the server using the server’s TLS certificate
- Generate session keys for encrypting messages between them after the handshake is complete
The TLS handshake establishes a cipher suite for each communication session. The cipher suite is a set of algorithms that specifies details such as which shared encryption keys, or session keys, will be used for that particular session. TLS can set the matching session keys over an unencrypted channel thanks to a technology known as public key cryptography.
The handshake also handles authentication, usually consisting of the server proving its identity to the client. This is done using public keys. Public keys are encryption keys that use one-way encryption, meaning anyone with the public key can unscramble the data encrypted with the server’s private key to ensure its authenticity. Still, only the original sender can encrypt data with the private key. The server’s public key is part of its TLS certificate.
Once data is encrypted and authenticated, it is signed with a message authentication code (MAC). The recipient can then verify the MAC to ensure the integrity of the data. This is like the tamper-proof foil found on a bottle of aspirin; the consumer knows no one has tampered with their medicine because the foil is intact when they purchase it.
How does TLS affect web application performance?
The latest versions of TLS hardly impact web application performance at all.
Because of the complex process involved in setting up a TLS connection, some load time and computational power must be expended. The client and server must communicate back and forth several times before any data is transmitted, which eats up precious milliseconds of load times for web applications and some memory for both the client and the server.
However, there are technologies in place that help to mitigate potential latency created by the TLS handshake. One is TLS False Start, which lets the server and client transmit data before the TLS handshake is complete. Another technology to speed up TLS is TLS Session Resumption, which allows clients and servers that have previously communicated to use an abbreviated handshake.
These improvements have helped to make TLS a high-speed protocol that should not noticeably affect load times. As for the computational costs associated with TLS, they are primarily negligible by today’s standards.
TLS 1.3, released in 2018, has made TLS even faster. TLS handshakes in TLS 1.3 only require one round trip (or back-and-forth communication) instead of two, shortening the process by a few milliseconds. When the user has previously connected to a website, the TLS handshake has zero round trips, speeding it up further.
