There’s a thing called two way SSL/TLS — here’s what you need to know about it
“Wait, what? 2 way SSL/TLS?”
If this was your reaction when hearing or reading about 2 way SSL (or two way SSL, if you prefer), then we totally understand your confusion. SSL, by any means, isn’t easy to understand on its own. And when you get to know a different version of it than you’re used to — mutual authentication instead of the standard one way authentication — the facepalm reaction is totally natural. But don’t you worry — we’re going to break down what two way SSL is and how it works, continuing our quest to simplify every complex SSL-related topic for the “netizens” of the world.
Before we jump right into the topic of two way SSL, let’s first review something that you already know a bit of: one way SSL.
One Way SSL: An Overview
Can you see that padlock icon in your browser’s address bar? Yes, that’s a visual representation of one way SSL. Okay, let us be clearer: An SSL/TLS certificate facilitates a secure (encrypted) connection between two entities (your end user’s browser and your web server). Not only that, but it also allows for authentication between the web server and the browser.
As the SSL certificate is installed on the web server, the web browser is supposed to verify the legitimacy of the website. The web server, on the other hand, doesn’t validate the web browser. This is called “one way SSL” or “one way TLS” because authentication happens from only one end.
The entire authentication process takes place through a process regarded as an “SSL/TLS handshake.” There are a couple of different versions of the handshake that are used in HTTPS connections — namely TLS 1.2 and TLS 1.3, which is the newest. Let’s understand the TLS 1.3 handshake process a bit more in depth by breaking it down:
- First, the client (browser) sends supported cipher suites and compatible SSL/TLS version to initiate the connection. This is called the “client hello” message.
- In return, the web server checks the cipher suites and SSL/TLS version. Then, it shares its public certificate to the client along with the “server hello” message.
- Upon receiving the certificate file, the client validates it. The browser then checks that the server holds the matching private key: it generates a “pre-master secret” and encrypts it with the public key from the SSL/TLS certificate.
- In turn, the web server decrypts the pre-master secret with its private key and establishes a secure connection.
So that’s how the verification of the web server is done. This is called “one-way SSL/TLS.” But how does this differ from the two way SSL, or mutual authentication, process?
Two Way SSL: Authentication of Both Parties
Now that you understand how one way SSL/TLS works, you’d be able to guess what two way SSL is all about. Unlike one way SSL, 2 way SSL involves validation of not only the web server but also of the web browser — or what’s referred to as client authentication. Naturally, this process involves a client certificate (or what’s known as a personal authentication certificate) on the user’s end in addition to the SSL/TLS certificate on the server’s end, and each party validates the other’s certificate.
Here’s what the SSL/TLS handshake process of the two way SSL looks like:
- First, the client sends supported cipher suites and compatible SSL/TLS version to initiate the connection. This is called the “client hello” message.
- In return, the web server checks the cipher suites and SSL/TLS version. Then, it sends its public certificate to the client along with a request for the client’s certificate and its “server hello” message.
- Upon receiving the certificate file, the browser validates it. Afterward, the client sends its own SSL certificate to the server.
- The server then verifies the client’s SSL/TLS certificate and paves the way for a secure connection with it.
That wasn’t too complicated, was it?
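Here is what the two way handshake above looks like in working code, as an added example that is not from the original article: a Go program (standard library only) that mints throwaway self-signed certificates, starts a loopback server configured with tls.RequireAndVerifyClientCert, and lets a client in only when it presents a certificate the server trusts. The names SelfSigned, trust, StartServer and Connect are this example’s own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// SelfSigned mints a throwaway self-signed certificate (constructed for this demo)
// that works as a server cert, a client cert, or the CA that a peer chooses to trust.
func SelfSigned() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// trust builds a CA pool that holds exactly one certificate.
func trust(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p }
// StartServer listens on loopback; the handshake completes only if the client
// presents a certificate chaining to trustedClient (two way TLS).
func StartServer(server, trustedClient tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: trust(trustedClient),
		ClientAuth: tls.RequireAndVerifyClientCert} // tls.NoClientCert would make this one way TLS
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { return nil, err }
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.Write([]byte("ok\n")); c.Close() }(c) // Write runs the handshake
		}
	}()
	return ln, nil
}
// Connect verifies the server against trustedServer and presents clientCert if non-nil. It then
// reads the greeting: under TLS 1.3 the client finishes its side of the handshake before the
// server has checked the client cert, so a rejection only shows up on the first read.
func Connect(addr string, trustedServer tls.Certificate, clientCert *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: trust(trustedServer)}
	if clientCert != nil { cfg.Certificates = []tls.Certificate{*clientCert} }
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return err }
	_, err = conn.Read(make([]byte, 3)); conn.Close()
	return err
}
```

Run Connect four ways (trusted client cert, no cert, a cert the server does not trust, and a server the client does not trust) and only the first one succeeds, which is exactly the difference between one way and two way TLS.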
Why Would You Need Two Way SSL/TLS?
Needless to say, two way SSL is used where you want the server to accept connections only from a restricted set of users. It helps to mitigate the risk of fraud in online transactions.
A typical use case of two way SSL is in organizations that want to restrict access to their platform to only their employees and/or customers.
Some organizations choose to whitelist IP addresses to restrict user access instead, but that’s not an ideal practice since IP spoofing is becoming more prevalent.