
Web Security And Transport Layer Security (TLS)

Not every phone call you make and every letter you write contains secrets. Still, you probably don’t want everyone to be able to listen in or read along. The same applies when surfing the Internet: pay attention to secure encryption, because there is simply no need to send your data in plain text.

What is Transport Encryption on the Web?

Information in HTTP, the standard protocol of the web, is encoded, but every recipient can and should decode it again. The header therefore indicates which character set was used, so that the receiving client or server can display the content correctly. If the data reaches the wrong recipient, there is no protection whatsoever. The HTTPS protocol was developed to solve this problem. The additional letter in the abbreviation stands for Secure and indicates a secure, encrypted connection: HTTPS stands for “Hypertext Transfer Protocol Secure”.

Encryption transforms content according to a given algorithm with a given key. In the simplest form, the characters are shifted by an agreed number of places in the character set. The key in this case is the number of positions by which each letter is rotated; the “algorithm” is the arithmetic operation: character position plus (or, for decryption, minus) the key value.

A distinction is made between symmetric and asymmetric methods. Symmetric encryption algorithms use the identical key for encoding and decoding. Asymmetric algorithms use a public and a private key. Their special feature is that content encrypted with one of the two keys can only be decrypted with the other.

Both methods have advantages and disadvantages. With symmetric encryption, the key must be exchanged securely between participants who do not yet know each other; sending it unencrypted is of course out of the question. On the other hand, the method is fast and robust against attacks.
Asymmetric encryption tends to be slower. In addition, only one side can really encrypt its data securely: data encoded with the private key can be decoded by anyone who holds the public key.

Therefore, HTTPS transport encryption uses a hybrid method: the key exchange is protected asymmetrically, and all further communication is encrypted symmetrically with the securely exchanged key. The SSL/TLS protocol is used for this, and it can work with different cipher algorithms.

How SSL / TLS works

HTTPS is also known as HTTP over TLS, because SSL / TLS already starts at the transport layer of the OSI model. Accordingly, TLS stands for Transport Layer Security, and SSL for Secure Sockets Layer. Using the two abbreviations interchangeably is actually incorrect: TLS 1.0 was the successor to SSL 3.0.
Other protocols besides HTTP can be built on this secure transport layer. It is used, for example, to encrypt e-mail traffic in the IMAPS, SMTPS and POP3S protocols.

TLS is based on digital certificates that follow the X.509 specification. Among other things, a certificate contains the name of the owner, usually the domain owner, and the issuer, which is a Certificate Authority (CA). The certificate has a validity period and contains the server’s public key. It also carries a signature, which can be verified with the issuer’s public key. The calling browser can check whether the certificate has been revoked; for this purpose CAs should enter invalid certificates in a Certificate Revocation List (CRL).

The public key is also required when establishing a secure connection. This is defined in the handshake protocol as follows:

  • The browser sends a “client hello” message containing, among other things, the session ID and a priority-ordered list of the cipher suites it supports.
  • The server sends a “server hello” message with the server certificate.
  • The browser checks the certificate and encrypts a pre-master secret with the public key.
  • The server decrypts it with its private key, and both sides use the agreed hash procedure to calculate the session key (master secret).
  • The session key is used for symmetric encryption of the communication.

Lists of trustworthy CAs are built into common browsers. If a certificate from an unknown CA is used, browsers issue a warning or refuse to establish the connection. A dynamic check is possible via the Online Certificate Status Protocol (OCSP), which can be queried online for the current status of a certificate before the connection is established.

A hash value is formed over the data packets in order to rule out any change. For this purpose, a keyed-hash message authentication code (HMAC) is computed with the session key.

TLS 1.3, released in 2018, is the current version and should be used.
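The hybrid scheme and the handshake steps listed above, simulated in Go with its standard library as an added example (not code from the original article): the client encrypts a pre-master secret to the server's RSA public key, both sides derive the master secret, and each data packet is then protected with an HMAC under the session key. Deriving the master secret as HMAC-SHA256 over both hello randoms is a simplified stand-in for the TLS PRF, and using the master secret directly as the session key is likewise an assumption made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// NewServerKey makes the key pair whose public half would sit in the server certificate.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// deriveMaster stands in for the TLS PRF (simplification): HMAC-SHA256 keyed with the pre-master secret.
func deriveMaster(preMaster, clientRandom, serverRandom []byte) []byte {
	m := hmac.New(sha256.New, preMaster)
	m.Write(clientRandom)
	m.Write(serverRandom)
	return m.Sum(nil) // 32 bytes, used directly as the session key in this example
}
// Handshake: the client encrypts a random pre-master secret to the server's public
// key, the server decrypts it with its private key, and each side derives the master secret.
func Handshake(serverKey *rsa.PrivateKey) (clientMaster, serverMaster []byte, err error) {
	clientRandom, serverRandom, preMaster := make([]byte, 32), make([]byte, 32), make([]byte, 48)
	rand.Read(clientRandom) // sent in the "client hello"
	rand.Read(serverRandom) // sent in the "server hello"
	rand.Read(preMaster)    // chosen by the client after it has checked the certificate
	wire, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, preMaster, nil)
	if err != nil {
		return nil, nil, err
	}
	recovered, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wire, nil)
	if err != nil {
		return nil, nil, err
	}
	return deriveMaster(preMaster, clientRandom, serverRandom),
		deriveMaster(recovered, clientRandom, serverRandom), nil
}
// Protect appends the keyed hash (HMAC-SHA256 under the session key) to a data packet.
func Protect(sessionKey, packet []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(packet)
	return m.Sum(append([]byte{}, packet...)) // packet || tag
}
// Verify recomputes the tag in constant time; ok is false for a short or altered record.
func Verify(sessionKey, record []byte) (payload []byte, ok bool) {
	if n := len(record) - sha256.Size; n >= 0 {
		m := hmac.New(sha256.New, sessionKey)
		m.Write(record[:n])
		return record[:n], hmac.Equal(record[n:], m.Sum(nil))
	}
	return nil, false
}
```

Only the holder of the private key recovers the pre-master secret, so both sides end up with the same master secret while an eavesdropper on the wire does not; flipping a single byte of a protected record makes Verify reject it.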


Application areas of Transport Encryption

The areas of application of SSL and TLS are very extensive, because the encryption takes place at the transport layer and many different types of traffic and protocols can be encrypted. Transport encryption is essential, especially for data protection and the transmission of login or personal data. The age of online shopping and banking also requires the encrypted transmission of access data.
Secure encryption is likewise indispensable for so-called micropayments, as used in online games, online purchases or abstract payment methods, in order to ensure data protection and security.


A little more information about SSL / TLS

Different algorithms can be used for encryption. For example, SSL / TLS supports RSA, Diffie-Hellman and ECDH for key exchange. AES, DES, Triple DES, RC4 and Camellia can be used for symmetric encryption, and MD5 and SHA are available for the HMAC. (TLS 1.3 no longer allows the weak options from this list, among them RC4, DES, Triple DES and MD5.)
Current versions of TLS are considered secure. Attacks have become known over the years; these were responded to, and the known gaps were closed in the following versions.
The very famous Heartbleed exploit does not concern a weakness in SSL / TLS but an implementation error in OpenSSL. Because OpenSSL is integrated as a library into many operating systems by default, the security hole had such a major impact.
The error lay in the heartbeat extension: small control messages are sent regularly between the communication partners to confirm, like a heartbeat, that the connection still exists. In older versions of OpenSSL, the length stated in such a message was not checked against the data actually sent. If an attacker stated a larger length, the response was filled up with whatever happened to lie in the adjacent memory.
Another main area of application for SSL / TLS is online payment services. In addition to classic online banking, there is an increasing number of micropayment services from different providers, which make it easy to pay small amounts, for example for online purchases.

Conclusion

SSL / TLS is the standard for encrypted connections over the Internet. Consciously or not, you have probably used it several times today. Sending data over unencrypted connections is not a good idea these days, so when configuring any protocol, look for the “S” for “Secure” in the settings and switch it to SSL / TLS.
The last update was not long ago, and the release of a TLS version 1.4 is not yet in sight.
One possible field of further development would be to extend communication to more than two participants; so far, TLS only secures a connection between two stations.
