TLS, SSL, HTTP, HTTPS….Are you not familiar with these terms or concepts? Unfortunately, many professionals seem not to know the network-related terminologies to read a security report.
In this blog post, we list some basic terminologies used by network officials in this blog.
We will first explain HTTP, then the difference from HTTPS. Afterward, we will explain the SSL and TLS encryption (the difference between HTTP and HTTPS). In the end, we will explain how they all work together.
What is HTTP?
HTTP means “HyperText Transfer Protocol.” It is a set of rules to send and receive text-based messages. Computers work in a language of 1’s and 0’s, i.e., “binary language.” Therefore, a set of 1’s and 0’s can be a word.
Let’s say I want to write ‘a’. Now, if 0 stands for ‘a’, 1 stands for ‘b’, and 01 stands for ‘c’, we can infer that a combination of 0’s and 1’s can construct a word as well. In this case, the text is already constructed and is being sent on the wire. The computer works in many languages – pure binary, text, and some other formats like byte codes. However, in HTTP, only text is transferred.
The browser interprets this text, and the moment the browser interprets it, it becomes hypertext, and the protocol that transfers the text is referred to as hypertext transfer protocol – HTTP.
Using HTTP, you can also transfer images and text and even sound, but no videos.
What is HTTPS?
HyperText Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and your connected website. It means the communication between your web application and the website is encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms. It uses SSL or TLS encryption which we explain below.
As of April 2018, 33.2% of Alexa top 1,000,000 websites use HTTPS as default, 57.1% of the Internet’s 137,971 most popular websites have a secure implementation of HTTPS, and 70% of page loads (measured by Firefox Telemetry) use HTTPS.(en.wikipedia.org)
What is SSL?
SSL stands for Secure Sockets Layer. SSL is a secure protocol developed for sending information securely over the internet. Many websites use SSL for secure areas of their sites, like user account pages and online checkout. Usually, when you are asked to “log in” on a website, the resulting page is secured by SSL creating essentially a secure session.
SSL encrypts the data being transmitted so that a 3rd party cannot “eavesdrop” on the transmission and view the data being transmitted. Only the user’s computer and the secure server can recognize the data.
SSL keeps your name, address, and credit card information between you and the merchant to which you’re providing it. Without this type of encryption, online shopping would be far too insecure about being practical. After you visit a web address starting with “https,” the “s” after the “HTTP” indicates the website is secure. These websites often use SSL certificates to verify their authenticity.
What is TLS (Transport Layer Security)?
TLS stands for Transport Layer Security. TLS is the protocol that provides authentication, privacy, and data integrity between two communicating computer applications. When data has to be securely exchanged by web applications over the network, it is the most likely the deployed security protocol. Applications can include web browsing sessions, file transfers, VPN connections, remote desktop sessions, and voice over IP (VOIP).
TLS evolved from SSL and has largely suppressed it, although the terms SSL or SSL/TLS are mostly associated with one another. Key differences between SSL and TLS that makes TLS a more secure and efficient protocol are:
- message authentication
- key material generation
- the supported cipher suites, with TLS supporting newer and safer algorithms.
As of August 2019, about 80% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to most web browsers.(en.wikipedia.org)
TLS and SSL are not interoperable, although TLS currently provides backward compatibility to connect with legacy systems. Also, look at our blog post on how different browsers like Chrome, Safari, Edge, etc., handle the display of older TLS protocol versions. When you use TLS encryption, the two endpoints that communicate with each other perform a TLS handshake. We explain this next.
What is a TLS handshake?
It is called a handshake because it’s when two parties – client and server – come across one another for the first time. The handshake involves various steps that start from validating the opposite party’s identity and concludes with the generation of a standard key – a secret key if you call it.
Fundamentally, the SSL handshake is nothing but a conversation between two parties (client and server) wanting to accomplish the identical purpose – securing the communication with the assistance of symmetric encryption.
Imagine this SSL Handshake process as a communication session between the two. Let’s see how it goes.
Client: “Hello there. I want to determine secure communication between the two of us. Here are my cipher suites and compatible SSL/TLS version.”
Server: “Hello, Client. I verified your cipher suites and SSL/TLS version. I feel we’re good to travel ahead. Here are my certificate file and my public key. Verify them”
Client: “Let me verify your certificate… (After Verification) Okay, it seems fine, but I want to verify your private key. I will generate and encrypt a pre-master (shared secret key) key using your public key. Decrypt it using your private key, and we’ll use the master key to encrypt and decrypt the information.”
[Now that both parties know who they’re rebuking, the information transferred between them is secured using the master key. When the verification part is over, the encryption takes place only through the master key. This is often called symmetric encryption.]
Client: “I’m sending you this sample message to verify that our master key works. Please send me the decrypted version of this message. If it works, our data is in safe hands.”
Server: “Yeah, it works. I feel we’ve accomplished what we were trying to find.”
How do TLS, SSL, HTTP, and HTTPS play together?
The SSL certificate you set up is used to transmit data using HTTPS. They are dependent on each other. URLs are preceded with either HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure). This is effectively what determines how any data that you send and receive is transmitted. This means identifying whether a site uses an SSL certificate is to looking at the URL and seeing if it contains HTTP or HTTPS. That’s because HTTPS connections require an SSL certificate to work.
Read more about common SSL and TLS misconfiguration here.
Scan your web application now for free and see if you have any TLS, SSL, HTTP, or HTTPS security vulnerabilities opening the door to hacking!