What is TLS? A primer on internet security

Back in 1995, the Internet was growing fast, and concerns about online security grew with it. Kipp E.B. Hickman, an engineer at Netscape, set out to address that. He wrote the specification for a new protocol that would let computers keep their communication private: SSL, the Secure Sockets Layer. SSL went through several revisions and was then taken over by the IETF, which published its successor in 1999 under a new name, TLS. The two names are commonly used interchangeably because the protocols are so similar in design. The practical difference today is that every version of SSL has since been found to have weaknesses and has been deprecated, so what people still call "SSL" is, on any properly configured server, actually TLS.

So what is TLS?

TLS, or Transport Layer Security, is a protocol computers use to communicate securely. Most people know it as the lock icon Google Chrome shows next to a website's name. What the lock means is that the data travelling between your browser and the website is encrypted and the website's identity has been checked, so someone watching the network can't read or tamper with that traffic. It does not, on its own, protect the data a website stores once it arrives, so it is one layer of a site's security rather than the whole of it.

Let’s go over how TLS works with an analogy.

You’re a freelance spy and you need to talk to a spy agency in a secret code. The spy agency has a special lockbox with two keyholes and two different keys. One key can only lock the box; the other can only unlock it. They keep the unlocking key hidden in their agency and mail you the box together with the locking key. That way, you can lock something inside with the key they mailed you, and only their hidden key can open it again. It doesn’t matter who else sees the locking key along the way, because it can’t open anything.

However, dealing with this lockbox over and over becomes a burden: every message means waiting for the mail, and locking and unlocking the box is slow work. So you both decide to establish a secret language that lets you mail ordinary letters without the lockbox. You put a decoder ring in the lockbox, lock it, and mail it to the agency; from then on the two of you write to each other in the language created by that ring.

The lockbox is the start of a TLS connection, called the handshake. The server (the spy agency) sends your browser its public key, which can only lock. Your browser generates a fresh secret key (the decoder ring), locks it with the server's public key and sends it back, and only the server's private key can recover it. From then on both sides use that shared secret key with a symmetric cipher, the secret language: plain text goes in one side and scrambled text comes out, and the same key turns it back again. Symmetric encryption is far cheaper than the lockbox step, so the handshake happens once and the secret language carries the rest of the conversation. (This describes the RSA key exchange used by TLS 1.2 and earlier; TLS 1.3 instead has both sides derive the shared key with an ephemeral Diffie-Hellman exchange, so the key is never mailed at all, but the pattern of one expensive public-key step followed by cheap symmetric encryption is the same.)
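Here is the story above in working Go, as an added example rather than anything from the original post or from a TLS library: the agency's lockbox is an RSA key pair, the decoder ring is a random 256-bit key for AES-GCM, and the function names, the message text and the choice of RSA-OAEP and AES-256-GCM are this example's own assumptions. It mirrors the RSA key exchange of TLS 1.2 and earlier, not the Diffie-Hellman exchange TLS 1.3 uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealDecoderRing is the freelancer's step: make a fresh 256-bit secret key
// (the decoder ring) and lock it in the box using the agency's public key,
// the key that can only lock.
func SealDecoderRing(agencyPub *rsa.PublicKey) (ring, sealed []byte, err error) {
	ring = make([]byte, 32)
	if _, err = rand.Read(ring); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, agencyPub, ring, nil)
	return ring, sealed, err
}

// OpenLockbox is the agency's step: only the hidden (private) key opens the box.
func OpenLockbox(agencyPriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, agencyPriv, sealed, nil)
}

func newGCM(ring []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ring)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encode writes a letter in the secret language: AES-256-GCM under the ring.
// The random nonce is prepended so the reader can recover it.
func Encode(ring, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(ring)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decode reads a letter. GCM authenticates as well as encrypts, so a letter
// altered in the mail fails here instead of decoding to garbage.
func Decode(ring, letter []byte) ([]byte, error) {
	gcm, err := newGCM(ring)
	if err != nil {
		return nil, err
	}
	if len(letter) < gcm.NonceSize() {
		return nil, fmt.Errorf("letter too short")
	}
	nonce, ct := letter[:gcm.NonceSize()], letter[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Exchange runs the whole story: the agency makes its two-keyhole lockbox
// (an RSA key pair), mails the lock-only half, gets the ring back, and then
// reads one letter written in the secret language. It returns what it read.
func Exchange(message string) (string, error) {
	agencyKey, err := rsa.GenerateKey(rand.Reader, 2048) // the hidden key stays here
	if err != nil {
		return "", err
	}
	ring, sealed, err := SealDecoderRing(&agencyKey.PublicKey) // freelancer's side
	if err != nil {
		return "", err
	}
	agencyRing, err := OpenLockbox(agencyKey, sealed) // agency now holds the same ring
	if err != nil {
		return "", err
	}
	letter, err := Encode(ring, []byte(message)) // freelancer writes
	if err != nil {
		return "", err
	}
	plain, err := Decode(agencyRing, letter) // agency reads
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	out, err := Exchange("meet at the usual place")
	fmt.Println(out, err)
}
```

Two things the analogy glosses over show up in the code: the ring is generated by the client and never travels in the clear, and the symmetric step uses an authenticated cipher, so a letter that is altered in transit is rejected rather than silently misread.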

License to TLS

But what if the mail carrier or your nosy neighbor switched the agency’s lockbox for one of their own? You’d be talking in secret, but with someone malicious. In this story, the spy agency gets around this by sending an emblem with their lockbox that is made by a third party you both trust. You can tell the emblem is real because you already know what the third party’s genuine emblems look like.

When your browser connects with TLS, the website also presents a certificate: a document that names the site and contains its public key, signed by a Certificate Authority, or CA. Your browser doesn’t need to ask the CA anything at that moment; it ships with a list of trusted CAs and their public keys, and it checks the CA’s signature on the certificate against that list, then checks that the name in the certificate matches the site it is talking to and that the certificate hasn’t expired. If all of that holds, your browser knows the public key in the lockbox really belongs to the website it asked for and not to someone pretending to be it.

For your eyes only

Without protocols like TLS, you leave yourself open to a lot of security problems. Since your messages aren’t encrypted, anyone on the path between you and the website (the coffee-shop Wi-Fi, your ISP, any router in between) can read the data you’re sending. And since plain HTTP doesn’t verify who you’re talking to, visitors can end up the victim of a Man in the Middle attack.

A Man in the Middle attack is when an attacker sits between you and a website and pretends to be that website in order to steal information. The visitor has no idea they aren’t talking to the real site, and the real site doesn’t know someone is relaying for its users. In fact, the attacker passes every request on to the real site and every response back, so visitors can do everything they normally can, like sign up for accounts or purchase items. But every credit card number and password passes through the attacker’s hands on the way, and they can use it maliciously.

If a website uses TLS, however, a visitor is protected from this kind of attack: the attacker can’t get a certificate for the real site’s name from a Certificate Authority the browser trusts, so the certificate the attacker presents fails verification and the browser shows the user a full-page warning instead of the page. The one caveat is that the warning has to be heeded; a user who clicks through it hands the attacker exactly what TLS was stopping.

Since July 2018 (Chrome 68), Chrome also marks every site that doesn’t use TLS as “Not secure” in the address bar.

This is a big deal considering that, as of January 2018, 61% of people were using Google Chrome to browse the web from a desktop or laptop computer.

You can view a website’s certificate in Chrome by clicking the lock icon next to the address, or by opening Developer Tools and clicking the View certificate button on the Security panel. In Safari, click the lock icon next to the website’s name in the address bar.

From Cloudflare, with love

You can get TLS by obtaining a certificate from a Certificate Authority such as COMODO, installing it and its private key on your server, and configuring the server to present the certificate during the TLS handshake. This takes technical skill, which is why companies like Cloudflare have built ways to make it much easier. Cloudflare is a network that gives your website benefits such as DDoS protection, CDN caching, and free TLS certificates. Instead of purchasing and setting up a certificate yourself, you can put Cloudflare in front of your site and let us handle it for free with just a couple of clicks.

The request is not enough

Without Kipp E.B. Hickman, the internet would still be a very scary place. Credit card and bank details would be easily stolen, people would have no privacy online, and many growing businesses wouldn’t be able to exist online (or at all). In 2016, Google reported that over 77% of its internet traffic was encrypted with either SSL or TLS, 27 percentage points higher than in 2014. Using TLS to secure your website is the best thing you can do for your online business. Here’s how to get started.