Why SSL, TLS and Ciphers for secure web-services ?

In today’s world, web services are an essential part of the modern enterprise. People can easily fulfill most of their requirements within couple of minutes through the internet. So it is very important to ensure all these communications are secure to prevent any sensitive information leaking out to other external parties. Here comes the term security for communications in web services.

Think of an SSL/TLS certificate as a driver’s license for a secure ride. It serves two functions. It grants permissions to use encrypted communication via Public Key Infrastructure, and also authenticates the identity of the certificate’s holder.

Encryption is a process that takes information and essentially scrambles it and the only one who can unscramble it is a server or computer with a corresponding key. By encrypting communication between a server and a browser, all of the information sent between the two is protected from the malicious third parties.

Authentication is done via the organization that issues the SSL certificate. These Certificate Authorities go through a validation process depending on which type of certificate a website is purchasing. There are three types of certificate levels:
* Domain Validation
* Organization Validation
* Extended Validation

What is SSL ?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. To create an SSL connection a web server requires an SSL Certificate.

Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site’s SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL. SSL secured websites also begin with https rather than http.

What is TLS ?

TLS (Transport Layer Security) is also a network protocol similar to SSL that allow data to be transferred privately and securely between a web server and a web browser. TLS is just an updated, more secure, version of SSL.

TLS consists of two parts:

  • The TLS handshake layer manages which cipher will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.

TLS establishes an encrypted, bidirectional network tunnel for the data transition between two hosts. TLS is most often used in parallel with other internet protocols such as HTTPS, SSH, FTPS, and secure email.

TLS v1.2 was introduced in 2008 and it is the most widely used TLS standard as at now. TLS 1.3 is the latest published version and it is still in it’s early age. The major benefits of TLS 1.3 vs that of TLS 1.2 is faster speeds and improved security

HTTP vs. HTTPS

HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.

Secure communication block diagram

Why SSL/TLS Security ?

  • It prevent criminals from tampering the communication between website and web browsers.

Drawbacks of SSL/TLS

  • TLS will add latency to your site’s traffic.

What are Ciphers ?

Encrypted Communication Overview

A cipher suite is a set of algorithms used by a secured network connection that uses TLS or SSL. The security of any SSL/TLS protected connection depends on the client and server’s choice of cipher suites. The set of algorithms that cipher suites usually contain include below components.

  • key exchange algorithm- defines how symmetric keys will be exchanged

Let’s elaborate this using an example.

One cipher suite typically consists of 1 key exchange, 1 authentication, 1 bulk encryption, and 1 MAC algorithm. Here’s an example of a typical cipher suite:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Let’s break that down.

  • TLS simply indicates the protocol

Some key exchange algorithms: RSA, DH, ECDH, ECDHE

Some authentication algorithms: RSA, DSA, ECDSA

Some bulk encryption algorithms: AES, 3DES, CAMELLIA

Some MAC algorithms: SHA, MD5

It is not mandatory to include the protocol components in certain cipher suite. Sometimes it is simply omitted. eg: DHE_RSA_AES256_SHA

Summary

TLS and SSL on top of HTTP provides a mean to protect your web site from hackers and other external parties and to provide a secure and reliable user experience. Ciphers are algorithms which is ideally a set of instructions for encrypting and decrypting information. It is a named combination of ciphers used to negotiate security settings during the SSL/TLS handshake. You can configure your web site to use either a single TLS version or multiple versions and a corresponding set of ciphers depending on your requirement and consumer expectations.

Senior Software Engineer | BSc (Hons) Engineering | CIMA | Autodidact | Knowledge-Seeker

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store