{"id":7998,"date":"2023-04-14T08:22:42","date_gmt":"2023-04-14T16:22:42","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/blog\/?p=7998"},"modified":"2023-04-14T08:25:21","modified_gmt":"2023-04-14T16:25:21","slug":"what-is-transport-layer-security-in-cyber-security","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/blog\/what-is-transport-layer-security-in-cyber-security\/","title":{"rendered":"What Is Transport Layer Security in Cyber Security?"},"content":{"rendered":"\n

How secure is your customers’ data? In March 2023, one of the largest healthcare breaches of the year (so far) was reported, impacting more than 4.2 million customers<\/a>. Don’t be the next statistic. Learn what transport layer security can do to secure your data in transfer. Because your customers’ data care starts with you. <\/h2>\n\n\n\n

In Q3 2022, 14% of the devices analyzed by Akamai<\/a> showed at least one domain name system (DNS) malicious transaction (e.g., malware, phishing, ransomware command, and control domains). The consequences? A survey run by IDC and EfficientIP in 2022 gave us a few examples: 70% of organizations<\/a> victims of a DNS attack experienced application downtime and 24% incurred a loss of data.<\/p>\n\n\n\n

Using DNS over TLS<\/a> (DoT) can help prevent your DNS request data from being tampered with by a cybercriminal, protecting your organization from most DNS attacks. How? By adding transport layer security (TLS) encryption on top of the user datagram protocol<\/a> (UDP) utilized for DNS queries. But that isn\u2019t all TLS can do; it can also help protect your customers\u2019 sensitive data in transit.<\/p>\n\n\n\n

So, what is TLS, exactly? How does it work? And what else can TLS do to improve the security of your organization’s website and data? This is exactly what we’re going to explore in this article.<\/p>\n\n\n\n

What Is Transport Layer Security (TLS)?<\/h2>\n\n\n\n

Transport layer security, commonly called TLS, is a cryptographic protocol that helps you keep your internet communications confidential and unmodified by creating an authenticated channel between a client and a web server. This protocol supports public and private key cryptography, meaning encryption methods that use either a key pair or a single key to encrypt and decrypt data.<\/p>\n\n\n\n

It uses asymmetric encryption<\/a> (i.e., a public key<\/a> to encrypt data and a private key to decrypt it) at the start of a connection between the client and the server, and switches to symmetric encryption<\/a> (i.e., the same key is used for encryption and decryption) after having exchanged session keys data. <\/p>\n\n\n\n

\"A
Image caption: The graphic shows the difference between asymmetric and symmetric encryption.<\/em><\/figcaption><\/figure>\n\n\n\n

Let’s say you want to ask your boss for a pay raise. You set up a private meeting in his office so that you can discuss your request directly with him, without anybody eavesdropping on your conversation. But how can you do that over the internet via a chat app or email, for example? It\u2019s possible that someone could be listening in if you\u2019re not using a secure connection.<\/p>\n\n\n\n

Knowing this, how can you make sure that:<\/p>\n\n\n\n

    \n
  1. You\u2019re really talking to your boss and not to a cheeky colleague playing a prank on you?<\/li>\n\n\n\n
  2. The conversation is kept private? And,<\/li>\n\n\n\n
  3. That the stellar raise offered in the document he sent hasn\u2019t been modified by the same cheeky colleague?<\/li>\n<\/ol>\n\n\n\n

    Transport layer security can do all of that for you.<\/p>\n\n\n\n

    TLS is the modern (and more secure) version of Netscape\u2019s old secure sockets layer<\/a> (SSL) protocol. It\u2019s implemented on top of the hypertext transfer protocol (HTTP) to create a more secure protocol (called HTTPS) that can guarantee data authenticity and integrity by leveraging the power of cryptography.<\/p>\n\n\n\n

    And do you know what the best part is? Even though its primary use is to encrypt data transmissions between web applications and servers, TLS security can also be utilized in other cases. For instance, you can employ TLS to protect your communications via voice over IP (VoIP), instant messaging, and email servers, as shown in the example we’ve just made.<\/p>\n\n\n\n

    Before we dig deeper into its characteristics and features, there’s something fundamental that anyone who has to do with TLS should be aware of. Do you know the difference between TLS, SSL, and HTTPS? You don’t? \u201cNae bother\u201d (\u201cno worries\u201d), as my Scottish friend would say. We’re here to help.<\/p>\n\n\n\n

    Why Are TLS and SSL Different From HTTPS?<\/h3>\n\n\n\n

    I remember that when I started working in cyber security, I was overwhelmed by the number of acronyms, terms, and definitions used in the industry. No matter how hard I studied, there were always new terms or definitions coming up that I needed to research.<\/p>\n\n\n\n

    Nevertheless, it\u2019s also one of the things that continues to fascinate me about cyber security: Regardless of how long you\u2019ve been in the business, your learning journey never ends. And with 85% of organizations<\/a> hit by at least one ransomware attack in 2022, if you want to keep your data secure, knowing the meaning of at least the most common terms is paramount.<\/p>\n\n\n\n

    This time, to make things easier and ensure that everyone reading this article doesn\u2019t feel like going through a hieroglyphic text, we\u2019ll be your Rosetta stone. Do you prefer to stick to the bare minimum? We\u2019ve summarized the differences between TLS, SSL, and HTTPS<\/a> in the table below.<\/p>\n\n\n\n

     <\/td>Secure Socket Layer (SSL)<\/strong><\/td>Transport Layer Security (TLS)<\/strong><\/td>Hypertext Transfer Protocol Secure (HTTPS)<\/strong><\/td><\/tr>
    History<\/strong><\/td>Developed by Netscape in the 1990s. Its first version was never published.<\/td>Created by the Internet Engineering Task Force<\/a> (IETF). The first version was released in 1999.<\/td>Firstly conceived by Tim Berners-Lee<\/a> at CERN<\/a> in 1999; later the responsibility moved to the IETF and the World Wide Web Consortium<\/a> (W3C).<\/td><\/tr>
    Function<\/strong><\/td>A (now deprecated) protocol that\u2019s employed on top of HTTPS to encrypt the transmitted data.<\/td>The protocol that\u2019s used on top of HTTPS to encrypt the transmitted data.<\/td>HTTPS over TLS (formerly HTTPS over SSL). It\u2019s a secure version of HTTP that uses cryptographic functions to securely transmit data between a client and web server.<\/td><\/tr>
    How Many Versions of the Protocol Exist?<\/strong><\/td>Three versions: SSL 1.0 (never released), SSL 2.0, and SSL 3.0.<\/td>Four versions: TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.<\/td>One<\/td><\/tr>
    Status<\/strong><\/td>All versions are deprecated.<\/td>Versions 1.0 and 1.1 are deprecated; TLS 1.2 and 1.3 are the current secure versions.<\/td>It\u2019s the secure version of the HTTP protocol and is the default protocol for 82.9% of websites, according to W3Techs<\/a>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    What Makes Hypertext Transfer Protocol Secure (HTTPS) Different?<\/h4>\n\n\n\n

    Have you ever noticed the first letters you see on your browser bar whenever you visit a website? They usually read https:\/\/<\/em>, or, in case of an insecure website, http:\/\/<\/em>. HTTPS<\/a> is the protocol used to securely transmit data between a client and a web server.<\/p>\n\n\n\n

    Hang on. Isn\u2019t TLS doing the same thing? Not quite. While they all work to help you keep your internet connections secure, TLS (and previously SSL) is the protocol used to encrypt the HTTP-transmitted data. You can easily recognize a website using TLS by the tiny padlock displayed on your browser’s address bar, just before the URL<\/a>.<\/p>\n\n\n\n

    \"An
    Image caption: TLS on top of HTTP secures data transmission from forgery, theft, and eavesdropping.<\/em><\/figcaption><\/figure>\n\n\n\n

    HTTPS defines what type of data can be transmitted, in which format, and how the web server should respond. (Basically, it\u2019s what allows you to view information on the internet.) However, it needs TLS to encrypt information and to guarantee the secure exchange of data between the client and web server. Otherwise, if you use an HTTP (insecure) connection, you\u2019ll send this data in plain text, which can be intercepted or modified in transit.<\/p>\n\n\n\n

    To say it in plain English, TLS is the \u201cs\u201d of security in HTTPS, enabling you to take the security of your website to the next level.<\/p>\n\n\n\n

    Nowadays, most websites have at least one TLS version enabled out of the four available. TLS 1.2 is the most popular as, at the time of writing, it\u2019s supported by 99.9% of HTTPS-enabled sites<\/a> surveyed by Qualys (as of March 2023). Let’s have a quick look at these versions.<\/p>\n\n\n\n

    Are you interested in knowing more about the differences between the three protocols? Check out DNSimple\u2019s funny short comic<\/a> strip.<\/p>\n\n\n\n

    The Four Versions of the Transport Layer Security<\/h3>\n\n\n\n

    Four versions with the same goal: to achieve a secure internet connection. These four digital musketeers support different cryptographic functions, including encryption algorithms<\/a> (more on that in a moment), and provide different levels of security.<\/p>\n\n\n\n

    Transport Layer Security 1.0 and 1.1<\/h4>\n\n\n\n

    The first two versions of the protocol, TLS 1.0 and TLS 1.1, have already been declared officially obsolete by the U.S. National Security Agency<\/a> (NSA) in 2021. Based on old and insecure algorithms like MD5<\/a> and SHA-1<\/a>, they\u2019re still supported by 32-35% of sites.<\/p>\n\n\n\n

    They\u2019re both vulnerable to several attacks. Among them:<\/p>\n\n\n\n