What is Transport Layer Security?
tl;dr - The Transport Layer Security (TLS) protocol facilitates privacy and data integrity between two communicating endpoints.
In today’s highly-connected world, users and web applications alike want secure communications. After all, when you visit your bank’s website and check out your massive account balance, you want to make sure that interaction is done securely where no one else can see it. No one blames you. Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. This protocol defines the exact methods, actions, etc that each communicating device must use to achieve secure communications.
As you can imagine, if 10 different people sat down to figure out a way to get a computer browser and a web server to securely communicate with one another, 10 different methods would probably be presented. Instead of having all different ways to securely communicate, a group came together and developed a protocol (a standardized way of doing things) that specifically outlined exactly how a computer browser and a web server would do this secure communication thing. It doesn’t matter what computer browser you use and it doesn’t matter what software is running your web server…everyone follows the same set of rules.
This protocol actually started out back in 1994 when Netscape developed what was known as the Secure Sockets Layer (SSL) version 1.0. SSLv1 never saw the light of day because it had so many significant security problems. Ironic, right? One short year later (1995), Netscape released SSLv2 and it stayed in place for one year. That’s when the Internet Engineering Task Force (IETF) took over and developed SSLv3 because SSLv2 was also filled with security problems. SSLv3 stayed in place for 3 years, and then in 1999, the IETF released the next version…called Transport Layer Security version 1.0 (TLS 1.0). TLSv1.0 presented a much more secure protocol than its SSL predecessors, and version 1.0 stayed around for a long 7 years until IETF developed TLSv1.1 in 2006. TLSv1.1 showed improvements over TLSv1.0 but the IETF developed yet another version (TLSv1.2) in 2008. TLSv1.2 is still the latest and greatest version of TLS today. The IETF is working on the next version (TLSv1.3), and it isn’t fully accessible today. The chart below shows a quick timeline of the SSL/TLS versions and their release dates:
Generally speaking, the TLS protocol outlines the way that a computer browser and a web server need to communicate with one another in a secure way. That is, if you want to achieve secure communications on the Internet, you need to follow these guidelines. The TLS protocol consists of two basic layers (with many additional detailed parts):
- The TLS Record Protocol
- The TLS Handshake Protocol
The purpose of the Record Protocol is to ensure the connection between the browser and the web server is private (no one else can see/read what you are sending back and forth) and the connection is reliable (the data you send is actually going to arrive at its intended location).
The purpose of the Handshake Protocol is to allow the browser and the web server to authenticate each other (you are who you say you are) and negotiate the exact type of encryption that will be used to encrypt everything (key exchange mechanism, bulk encryption).
So, any time you visit a website with HTTPS:// at the beginning of the URL (like this article), you can rest assured that your browser and the web server have completed a very sophisticated set of transactions to make sure your visit to the website will be private and secure.
For more information on the TLS Handshake, check out this Lightboard Lesson video: Breaking Down the TLS Handshake
Other Related Resources: