
Understanding Internet Security – SSL, TLS, and HTTPS

1 May

With online and Internet security all over the headlines these days, it’s important to take some time to understand some of the terminology and nuances of online security. What do certain security terms and acronyms mean? Are the current methods of online security actually securing my website properly? What does the future hold for Internet security? How will Internet security affect me?

These are pressing questions in boardrooms around the world. Having an online presence is absolutely imperative in today’s economy and digitally social society. Your business loses out on a lot of potential customers by not having a website, online store, online subscription, etc. However, where do we draw the line between growth and possible death by Internet attack? There are some methods out there to help protect your website, and your website visitors, from malicious software and attacks.

The most common methods are known as SSL, TLS, and HTTPS. You have probably noticed while browsing online that some websites have a URL structure like this: http://mywebsite.com; while others have one like this: https://mywebsite.com. Facebook is a prime example of this. You may or may not also see a “lock” symbol up in the left-hand corner of your browser, right next to the URL.

This is known as HTTPS, or HTTP Secure, or HyperText Transfer Protocol Secure. HTTPS is not a standalone protocol, and to understand how it fits into everything, we must first explore SSL and TLS.

SSL – Secure Sockets Layer

SSL is a somewhat complicated term for describing secure communication between websites. In “geek speak”, SSL is a cryptographic protocol that authenticates a counter-party with whom it’s communicating. For instance, SSL is used in web browsers (of course), e-mail, online messaging, and Voice over IP communication.

Websites that wish to give their users a secure connection often use an SSL Certificate. This essentially proves that the website is valid, and that any information sent through the website (credit card info, name, email, address, SSN) is encrypted and deemed secure.

TLS – Transport Layer Security

TLS is very similar to SSL, and is often referred to as “SSL 3.1” due to the similarities between the security protocols. SSL was created by Netscape in the 1990s, and to avoid confusion between the two, or any litigation of course, TLS was created as an “open” secure protocol to be improved over time.

TLS also uses a cryptographic protocol to authenticate other parties on the web, most often used in web browsers and e-mail.

Now, this brings us back to HTTPS. How does HTTPS round everything out? Well, we procure an SSL/TLS certificate for our online store, but we need to make our site even more secure. Here comes HTTPS:

HTTPS – Hypertext Transfer Protocol Secure

HTTPS is defined as a communications protocol for secure communication over a computer network, most often on the Internet. HTTPS is not considered a protocol all its own though. Rather, HTTPS is standard HTTP used in addition to SSL/TLS, which pairs the capabilities of SSL/TLS with ordinary HTTP or Internet communication. HTTPS was originally used for secure payment transactions online, but later spread in use to all types of pages on the Internet, so that browsers and other applications could verify their identity and authority.

Think about it like this:

Say you have a perfect looking peanut butter and jelly sandwich, but you won’t get to eat it until lunch time. Between now and then your sandwich has to be carried from home to work and to lunch without it being tampered with. First, you should put a layer of security around it with a sandwich bag (SSL/TLS), then, to make things extra secure, put that sandwich in a tupperware container (HTTPS). See, now you have two layers of security so your sandwich can easily make it from your home to the lunch area in a few hours without any problems.

Now, your sensitive data is not a PB&J, sure, but you see how the example works. Things are very similar on the Internet; you try to get all of your data from one place to another without it being damaged or stolen. You also protect yourself against malicious software (mold for the PB&J, ahh!).

In the end SSL/TLS and HTTPS work together to bring a more secure Internet to the forefront. Are they perfect? No, not by any means. SSL certificates must still be supplied by certain outfits, and those places don’t always have the best intentions. Man in the Middle attacks are still common, and often the result of poor certificates or fake certificates. However, SSL/TLS and HTTPS are what we have, and what we’re working with to create a more secure, and genuinely open Internet. The good thing is we’re understanding more and more about how the Internet works, and how people are using it. This will only breed progress in the online security forum.
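
The layering described in the HTTPS section and the fake-certificate problem mentioned above, as an added Python example that is not part of the original post. It uses only the standard `ssl` and `socket` modules; the function names are this example's own, and `https_get` needs a network connection, so it is defined but not called.

```python
import socket
import ssl

def strict_context():
    """Client settings that reject fake or mismatched certificates."""
    ctx = ssl.create_default_context()            # trusts the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and 1.1
    return ctx

def lax_context():
    """The weak setting: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx):
    """Return the reasons a context would let a man in the middle through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the hostname")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

def https_get(host, path="/", ctx=None):
    """HTTPS in one function: TCP socket, then TLS handshake, then ordinary HTTP."""
    ctx = ctx or strict_context()
    with socket.create_connection((host, 443), timeout=10) as tcp:
        # The handshake checks the certificate; with strict_context() a fake one
        # raises ssl.SSLCertVerificationError before any HTTP bytes are sent.
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            version = tls.version()
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while (data := tls.recv(4096)):
                chunks.append(data)
    status_line = b"".join(chunks).split(b"\r\n", 1)[0].decode("latin-1")
    return version, status_line

if __name__ == "__main__":
    print("strict:", audit(strict_context()))
    print("lax:   ", audit(lax_context()))
```

Running `audit` over the context an application actually builds is a quick check that certificate verification has not been switched off somewhere along the way.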