Web security TLS SSL

Comprehensive study notes, diagrams, and exam preparation for Web security TLS SSL.

Web Security: TLS and SSL

Definition

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a computer network. They ensure data privacy, integrity, and authentication between a client (usually a web browser) and a server (a website) by encrypting the data transmitted between them.


Main Content

1. The Evolution from SSL to TLS

  • SSL was the original protocol developed by Netscape in the 1990s to secure web traffic.
  • TLS is the modern successor to SSL. Although the term "SSL" is still widely used, almost all modern web systems actually run TLS 1.2 or 1.3, which offer stronger security and better performance.

2. Core Security Services

  • Encryption: Transforms readable data (plaintext) into an unreadable format (ciphertext) using cryptographic keys, preventing eavesdropping.
  • Authentication: Verifies that the website you are visiting is authentic and belongs to the entity it claims to be, typically through Digital Certificates.
  • Integrity: Ensures that data has not been altered or tampered with during transmission by using Message Authentication Codes (MACs).

3. The Digital Certificate Infrastructure

  • Websites obtain digital certificates from a trusted third party called a Certificate Authority (CA).
  • The browser checks the certificate to ensure the website is legitimate. If the certificate is expired or invalid, the browser alerts the user with a security warning.

Working / Process

1. The TLS Handshake (Initialization)

  • The client sends a "Client Hello" message containing supported TLS versions and cipher suites.
  • The server responds with a "Server Hello" and its digital certificate to prove its identity.

2. Key Exchange and Verification

  • The client and server agree on a shared session key using asymmetric (public-key) cryptography.
  • This session key is then used to encrypt the actual data transmission, because symmetric encryption is computationally much faster than asymmetric methods.

3. Secure Data Transfer

  • Once the handshake is complete, all data sent between the client and server is encrypted using the session key.
  • If any packet is modified during transit, the receiving party will detect the discrepancy and reject the data.

[Client]                   [Server]
   |-------Client Hello------>|
   |<------Server Hello-------|
   |<------Certificate--------|
   |---Client Key Exchange--->|
   |<-----Finished (Enc)------|
   |-----Encrypted Data------>|

Visual representation of the TLS Handshake process.
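As an added example (not part of the original notes), the handshake and certificate check described above run end to end with Go's standard library: a constructed self-signed "localhost" certificate stands in for a CA-issued one, `SelfSigned` and `Handshake` are this example's own names, and the client completes the handshake only when its root pool trusts the server's certificate and that certificate is unexpired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// SelfSigned: self-signed "localhost" cert valid for validFor (negative = already expired) and a root pool trusting only it.
func SelfSigned(validFor time.Duration) (tls.Certificate, *x509.CertPool, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // error ignored: crypto/rand does not fail in practice
	tmpl := &x509.Certificate{ // constructed for this example, not a CA-issued certificate
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) // parent = tmpl: self-signed
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // plays the role of the browser's CA store
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake runs the TLS handshake over loopback TCP with a client that trusts only roots (untrusted/expired certs fail).
func Handshake(cert tls.Certificate, roots *x509.CertPool) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and run its half of the handshake
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			c.(*tls.Conn).Handshake()
		}
	}()
	// tls.Dial sends Client Hello, verifies the certificate against roots and finishes the key exchange.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "localhost", RootCAs: roots})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer cli.Close()
	return cli.ConnectionState(), nil
}
```

The returned ConnectionState carries the negotiated version and cipher suite; a nil root pool means the system CA store, which does not contain the constructed certificate, so that handshake fails just as a browser rejects an untrusted site.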


Advantages / Applications

  • E-commerce: Protects sensitive financial information like credit card numbers during online purchases.
  • Data Privacy: Prevents "Man-in-the-Middle" (MitM) attacks where attackers try to intercept private data or passwords.
  • SEO Benefits: Search engines like Google prioritize websites using HTTPS (TLS/SSL) in search rankings, improving visibility and trust.

Summary

TLS and SSL are the fundamental standards for encrypting internet traffic. They work by establishing a secure "handshake" between your device and a server to exchange keys, ensuring that your data remains private and uncorrupted during transit. By leveraging digital certificates, these protocols verify that users are interacting with genuine services, effectively shielding sensitive information from cybercriminals.

  • Important Terms to Remember: Cipher Suite, Handshake, Certificate Authority (CA), Asymmetric Encryption, HTTPS.