Transport Layer Security (TLS)

Transport Layer Security (TLS) is a protocol that provides confidentiality, data integrity and privacy for communication over a computer network. It's widely used across applications such as web browsing, email, instant messaging, chat and voice-over-IP.

It's the successor to the Secure Sockets Layer (SSL) protocol originally developed by Netscape. However, the term "SSL" is still, confusingly, used interchangeably and could refer to either TLS or SSL.

What does TLS provide?

When a connection between two computers is secured using TLS, it has one or more of the following:

TLS usage in the wild

Web

Most consumers would now be somewhat familiar with using secure websites when browsing various e-commerce stores. The padlock in the browser location bar is the evidence that the site is communicating securely with your browser.

What's actually happening here is that the connection has been encrypted using TLS. While standard web requests use the Hypertext Transfer Protocol (HTTP) and connect on port 80, your secure connection uses HTTPS (the S being for "secure") and connects on port 443.

VPNs

If you're connecting back to a corporate firewall so you can access your company network, or simply using a VPN to secure your surfing on public wifi, there is a strong chance you're using TLS to encrypt that communication. The primary reason is that, as the authors of OpenVPN have stated: "TLS is considered to be one of the strongest and most mature secure protocols available".

VoIP

Various vendors who control the end-to-end aspect of VoIP (e.g., Skype) use proprietary protocols, so how exactly communication is encrypted isn't fully known. However, open standards such as SIP do have built-in support for various communication configurations. Much like the standard web convention of 80/443 for plain and encrypted communications, the VoIP community has standardized on 5060/5061 for plain and encrypted SIP setup. Encryption of communications on port 5061 is done via one of the various implementations of TLS.

Versions of Transport Layer Security

TLS 1.0

The 1.0 version of TLS was first announced back in 1999. It was primarily an upgrade to SSL 3.0, which had been developed and owned by Netscape. The changes, while minor, were enough to prevent TLS 1.0 and SSL 3.0 from being compatible with each other.

TLS 1.1

Seven years after the 1.0 release came TLS 1.1 in 2006. The main advancement in this release was protection from cipher-block chaining attacks.

TLS 1.2

This version was released in 2008. It brought with it more secure hash algorithms such as SHA-256, as well as new cipher suites that support elliptic curve cryptography.

At this point, however, it is starting to show its age and has been the target of multiple attacks recently.

TLS 1.3

This is currently a draft version of TLS that is expected to become official any day now. It is both faster and more secure than the previous version. This is due in part to the removal of old, insecure forms of cryptography that had been kept in 1.2 for the sake of backward compatibility; keeping them available could lead to accidental misconfiguration that left services exposed to undue risk. As a result, all old ciphers have been removed and backward compatibility is deliberately broken in the interests of increasing security.

Support for TLS 1.3

If you're building an API or a product where you can control both the client and server you can definitely start using TLS 1.3 today. If however you're running a website it's unlikely to be usable until some months after the draft becomes official.

Firefox officially included support in the February 2017 update of their browser, and the Google Chrome developer/canary release has support included. Other vendors will support it after it's official.

Is HTTPS/TLS slower than HTTP?

It's complicated. In theory, the additional computational overhead for both client and server to encrypt and decrypt content, plus the additional network round trips to initially establish the secure connection, introduce overhead that wouldn't exist with a plain HTTP request.

However, migrating to TLS also opens the door to supporting HTTP/2, which only requires a single connection to a server. To see the difference this can make you can visit the HTTP vs HTTPS test. Additionally, TLS 1.3 potentially introduces the concept of a TCP Fast Open, which could remove the extra round trip of connection setup for TLS.