Security / September 6, 2019

Gigamon’s Guide to Communications Security: What Is SSL, TLS and HTTPS?

Updated July 28, 2020.

In order to properly understand communications security, we should get acquainted with the terms SSL, TLS and HTTPS. Throughout this article, you will find the answer to questions like, what is SSL? What is TLS? How do SSL and TLS communications work? And what’s the difference between SSL, TLS and HTTPS? In short, SSL and TLS are security protocols designed to protect data privacy. But for businesses interested in protecting the integrity of their networks, that’s only scratching the surface.

At Gigamon, our purpose is to give you the visibility you need to ensure security and effectiveness across your entire digital infrastructure. But why stop there? After all, when it comes to protecting your data, there’s a lot more at play than just what goes on in your network.

Take SSL, TLS and HTTPS, for example.

These are the sentinels that help keep data safe as it moves through the internet. But while most people have heard of these terms, and may be familiar with the overall process of data encryption, exactly what SSL and TLS are, and how they work, may not be quite as obvious.

Gigamon’s Guide to Communications Security puts SSL and TLS networks front and center, illuminating the purposes and processes behind the internet’s most widely used security protocols. But to understand how these protocols work, and how they interoperate with HTTPS, let’s first take a look at why they’re so important.

Data Up for Grabs

Data sent and received over the internet moves fast. Extremely fast. In fact, depending on what it’s moving through (traditional wires, fiber optic cables, or even the air itself), internet data packets can reach speeds of hundreds of thousands of kilometers per second, traveling at almost the speed of light. But while that may make it seem like data arrives instantly, that’s actually not the case. Between point A and point B, your data gets routed through multiple devices, until it ends up at its intended destination.

And while it’s in transit, it’s vulnerable.

There’s no denying it — criminals are targeting data, and they have your business in their sights. That’s because stolen data is valuable…and costly. Research suggests that the average data breach ends up costing the target company USD 3.92 million [1].

Unfortunately, given that we create, upload and send approximately 2.5 quintillion bytes of data every day [2], keeping track of all of the information zipping around the internet isn’t exactly easy.

And that’s where data encryption and authentication comes in.

What Is Data Encryption and Authentication?

Data encryption and authentication is a process designed to prevent vital data from falling into the wrong hands. It does this by scrambling the data as it is sent. The intended recipient (aka the web server) receives a special key in the form of a set of instructions detailing how to unscramble the data. The server uses the key to properly decode the encrypted data. Without that key, anyone who intercepts the encrypted data en route can see only meaningless gibberish.

Of course, for this to work, there needs to be an agreement of sorts between the sender and the receiver. Otherwise, the two sides wouldn’t have the information they’d need to effectively encrypt/decrypt the data that they exchange. To facilitate this process, we use several security and cryptographic protocols — most commonly SSL or TLS.

But, before answering the questions “What is TLS?” and “What is SSL?” it’s important to understand what HTTP is and the relationship it has with TLS and SSL.

What Is HTTPS?

The internet — specifically, the web — is a huge distributed client/server information system. That means it operates via clients (usually personal computers or mobile devices) contacting servers to request information. The server then either accepts or rejects the client’s request. If the request is accepted, the server creates a connection with the client over a specific protocol. The protocol acts as a standard set of rules that makes it possible for servers and clients to communicate.

And that brings us to HTTP.

HTTP stands for Hypertext Transfer Protocol, and is the underlying protocol used throughout the World Wide Web. HTTP defines what type of data may be transmitted, how that data is formatted, and how servers should respond to specific commands. When a client initiates communication with a server, an HTTP command is sent out requesting access to the desired page.

HTTP is extremely effective, as its almost universal adoption attests. But HTTP isn’t very secure. This is because HTTP lacks data encryption and authentication, essentially transmitting data out in the open where anyone can access it. HTTPS (Hypertext Transfer Protocol Secure) solves this problem, creating a secure, encrypted connection between the client and the server. This secures websites against eavesdropping, tampering and data theft.

Originally, HTTPS was designed specifically for e-commerce and business websites that regularly handle sensitive information (such as passwords and credit card details), but new recommendations [3] suggest that every website — even ones that are strictly informational — should use HTTPS. Google promotes this mindset by offering slight search engine rankings boosts to HTTPS sites, and by displaying “not secure” warnings in Google Chrome browser address bars on non-HTTPS sites.

HTTPS offers a better, safer solution for the client/server model. But this added security isn’t automatic and it isn’t exempt from attacks; sites that want to maintain security standards need to first purchase an SSL/TLS certificate from a trusted certificate authority.

What Is SSL?

In order to know the answer to “What is SSL?”, let’s take a look at some history surrounding the technology. SSL stands for Secure Sockets Layer, and was first developed by Netscape back in 1994. SSL encryption/decryption is a method by which internet connections are kept secure, whether they be client to client, server to server, or (much more regularly) client to server. This prevents unauthorized third parties from seeing or altering any data being exchanged across the internet.

SSL was originally created to protect connections between customers and online businesses. Unfortunately, as the value of seemingly mundane personal information and browsing habits increases, cybercriminals have expanded their net to target non-commerce sites as well. As such, SSL has become widely adopted. But time marches on: an updated protocol was released all the way back in 1999, and it has since completely replaced SSL as the standard security protocol.

This updated protocol is called TLS.

What Is TLS?

Oftentimes, SSL and TLS are mentioned synonymously and used interchangeably. But there is a difference between the two. So, what is TLS exactly?

TLS stands for Transport Layer Security, and is essentially SSL, but more secure. More accurately, the Internet Engineering Task Force has deprecated SSL in favor of TLS.

Much like SSL, TLS is a cryptographic protocol which provides privacy, authentication and data integrity over computer networks, and is used in web browsing, instant messaging, email and more. But even if TLS fulfills the same role as SSL, it does so more effectively. TLS is easier to trust because it was designed to address known SSL vulnerabilities and to support stronger, more secure cipher suites and algorithms.

To achieve this, TLS encryption incorporates message authentication, in the form of a keyed-hash message authentication code (HMAC) algorithm. Message authentication ensures that data has not been modified in transit, and allows the recipient to verify the source of the message.

TLS networks also allow for improved key management in the form of key material generation, and use improved encryption algorithms. TLS incorporates and supports elliptic-curve keys, secure remote passwords, pre-shared keys and Kerberos — setting it apart from SSL and offering a more secure line of data communication. TLS has gone through four versions (1.0, 1.1, 1.2 and 1.3), with TLS 1.3 being the newest and most secure. You can easily see if your browser is connected using TLS: the address bar shows a padlock icon and the URL begins with https.

TLS supersedes SSL. However, its original effectiveness and widespread use earned it an ongoing place in internet vernacular; the term SSL is still widely used, even within tech and computing circles, and many certificate authorities advertise SSL certificate services, when they are actually selling TLS certificates. But given that the two protocols perform the same basic function (i.e., securing digital communications against unwanted tampering), it’s understandable why the general populace isn’t as concerned with distinguishing between the two. For the sake of accuracy, users and authorities will often use the term SSL/TLS.

HTTPS Is SSL/TLS Secured

SSL/TLS is what puts the S in HTTPS. For a site to be designated secure, it needs an up-to-date SSL/TLS certificate. And while SSL/TLS certification is not strictly required, it is strongly encouraged by all major browsers. In fact, in July 2018, Google Chrome began marking sites without SSL/TLS certification as “not secure,” warning away potential site visitors. Other major browsers have followed suit. At the same time, Google is rewarding HTTPS sites with better search engine rankings, providing more incentive to webmasters to use SSL/TLS certificates.

SSL/TLS is now almost ubiquitous across the web, with 90 of the world’s top 100 (non-Google) websites defaulting to HTTPS [4]. But how does it work?

How Does SSL/TLS Decryption Work?

To be effective, SSL/TLS needs to maintain high performance along with reliable security. As such, modern SSL/TLS uses both symmetric and asymmetric cryptography.

Symmetric cryptography encrypts data using a secret key that has been shared with both parties (sender and recipient). To ensure security, the key should be at least 128 bits in length. Conversely, asymmetric cryptography relies on key pairs, each made up of a private key and a public key. The relationship between the private and public keys is mathematically defined, making for a more secure connection, but also one that demands greater bandwidth (with the recommended minimum key length being 1024 bits).

Modern SSL/TLS uses asymmetric cryptography to generate a secure session key, which is used to encrypt/decrypt transmitted data, and is then discarded. Session keys are a necessary part of the TLS handshake.

The TLS handshake describes the process by which communication between a client and server is established and defined. The TLS handshake is essentially a negotiation, where both parties come together to acknowledge one another, verify each other’s authenticity, designate encryption algorithms, and agree upon session keys.

During the TLS handshake, the following occurs:

  1. The client contacts the server, initiating communication with a “client hello” message. This message alerts the server to the client’s TLS version and available cipher suites. A string of random bytes called the “client random” is included in this message.
  2. The server responds to the client with a “server hello” message. This message contains the SSL/TLS certificate and the server’s chosen cipher suite. The server also sends a string of random bytes called the “server random.”
  3. The server’s SSL/TLS certificate is verified by the client. By confirming the certificate with the certificate authority that issued it, the client verifies the identity of the server.
  4. The client sends a random string of encrypted information bytes, known as the “premaster secret.” This is encrypted using the server’s public key, taken from its certificate, so only the holder of the matching private key can read it.
  5. The server uses the private key to decrypt the premaster secret.
  6. Using the client random, server random, and premaster secret, both the client and the server generate session keys. Using the same information, the client and the server should arrive at the same result.
  7. The client uses its session key to send a “finished” message, indicating that it has completed the client-side portion of the TLS handshake.
  8. The server uses its session key to send a “finished” message, indicating that it has completed the server-side portion of the TLS handshake.
  9. Communication can now continue using session keys. These keys will remain in effect until the session is complete.
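Steps 4 through 6 above describe the TLS 1.2 RSA key exchange, where the premaster secret and the two randoms are fed through the TLS pseudorandom function (PRF, RFC 5246) to produce the master secret and then the per-direction session keys. The code below is an added example, not Gigamon’s or any library’s code: it implements that derivation with the standard library only, uses constructed randoms and a constructed premaster secret, and assumes the key sizes of the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite (TLS 1.3 replaces this scheme with HKDF and an ephemeral Diffie-Hellman exchange, so it is not covered here).

```python
import hashlib
import hmac
import os

# Assumed cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256: a 32-byte HMAC-SHA256 MAC key,
# a 16-byte AES-128 key and a 16-byte CBC IV, one set per direction.
MAC_LEN, KEY_LEN, IV_LEN = 32, 16, 16


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_session_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 6 of the handshake: premaster + both randoms -> master secret -> key block."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with server_random first (RFC 5246 section 6.3).
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (MAC_LEN + KEY_LEN + IV_LEN))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {"master_secret": master}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def simulate_handshake() -> tuple:
    """Both endpoints run the same derivation on the same three inputs (constructed values)."""
    client_random = os.urandom(32)   # step 1: sent in the client hello
    server_random = os.urandom(32)   # step 2: sent in the server hello
    # Step 4: 48-byte premaster secret; its first two bytes carry the client's offered
    # version (0x0303 = TLS 1.2). On the wire it would be RSA-encrypted to the server.
    premaster = b"\x03\x03" + os.urandom(46)
    client_side = derive_session_keys(premaster, client_random, server_random)
    server_side = derive_session_keys(premaster, client_random, server_random)  # step 5: after decryption
    return client_side, server_side


if __name__ == "__main__":
    c, s = simulate_handshake()
    print("both sides derived identical keys:", c == s)
    print("client write key:", c["client_key"].hex())
```

Because every key depends on the premaster secret, anyone holding the server's private key can recompute all of them from a captured exchange, which is why RSA key exchange offers no forward secrecy and why (EC)DHE suites are preferred.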

3 Levels of SSL/TLS Certification

Although SSL/TLS offers a relatively secure solution to problems related to communications security, extended authentication can provide increased protection for sensitive data. Businesses may need extended SSL/TLS protection. In these cases, organizations can opt for business-level authentication SSL/TLS certificates.

SSL/TLS certificates come in three security levels:

  1. Domain validation certificates
    The most basic SSL/TLS certificate is the domain validation certificate. This certificate requires that the organization prove that it controls the domain name being given. It does not, however, confirm the identity of the organization.
  2. Organization validation certificates
    An organization validation certificate requires that the business proves that it controls the domain name being given, as well as proving that the company is legally registered as a business. This authentication level is proof of both the domain name and the company name, and is preferred for public-facing sites that collect data from users.
  3. Extended validation certificates
    The most secure SSL/TLS certificates are extended validation certificates. In addition to proving ownership of the domain name and the company name, these certificates include additional verification steps designed to protect data from tampering.

Of course, even with extended validation, SSL/TLS may still be vulnerable in certain circumstances.

SSL/TLS Threat Vectors

Threat actors have begun exploiting TLS sessions to insert malware, cloak command-and-control traffic, and exfiltrate stolen data. To defend against these threats and gain visibility and control of the sharply rising TLS traffic numbers, network administrators need to consider decrypting incoming and lateral traffic. But before you turn to decryption, you’ll want to weigh some relevant factors. So, what SSL/TLS factors should you weigh?

The first of these factors is resource usage. Decryption is an intensive function that depends on large amounts of processor resources. And as these resources are finite, this effectively steals available resources from security tools. In fact, in a recent study NSS Labs found that SSL/TLS decryption can degrade firewall performance by as much as 80 percent, and reduce transactions per second by as much as 92 percent [5].

A second important factor is privacy regulation. Privacy regulations are in place to ensure that personally identifiable information (PII — e.g., data to which GDPR, financial and HIPAA regulations apply) is never disclosed. This means that decryption needs to be selective about what traffic is inspected, and what traffic is left alone.

Gigamon provides the solution, in the form of the Gigamon Visibility Fabric™.

With the Gigamon Visibility Fabric, organizations can gain optimal visibility over SSL/TLS traffic, offloading decryption processor needs and freeing up resources for use by security tools. The Gigamon Visibility Fabric decrypts the right traffic, and decrypts it once. It then shares relevant traffic with the right tools. This decrypt-once approach frees up network bandwidth, and ensures that only authorized traffic is entering the network — effectively eliminating SSL/TLS as a threat vector.

SSL/TLS Frequently Asked Questions

  • Is SSL/TLS compatible across all browsers?
    • Yes, all major browsers support SSL/TLS.
  • Is SSL/TLS compatible on all devices and operating systems?
    • As a general rule, yes, SSL/TLS should be compatible with all devices and operating systems. That said, your certificate authority should be able to work with you to help you achieve optimal SSL/TLS configuration.
  • Is SSL/TLS compatible with mobile?
    • SSL/TLS should be compatible with all modern mobile devices, but some older devices may have compatibility issues when dealing with the newest protocols. Your certificate authority should be able to help you resolve any mobile compatibility issues.
  • How can I tell if a site has an SSL/TLS certificate?
    • Many browsers will provide a “not secure” warning if the site is not HTTPS compliant. Even with browsers that do not issue such a warning, secured sites will be designated as “https://” instead of “http://” (followed by the rest of the address).

      If you’re still not sure about a specific site or if you’d like more details, you can navigate to https://www.ssllabs.com/ssltest. This is a free service that allows you to check SSL/TLS certification for any site on the public internet.
  • How do I install an SSL/TLS certificate on my site?
    • Depending on how and where a site is hosted, there are various methods used to add an SSL/TLS certificate. Your chosen certificate authority can guide you through the installation process and answer any specific questions you may have.

Protect Your Users, Protect Your Business

Data shared across the internet is not only vulnerable, it’s being actively targeted. And e-commerce sites aren’t the only ones that are under fire. Beyond passwords and credit card information, cybercriminals are interested in acquiring even seemingly mundane information — information that, if compromised, could still create serious problems for your customers and your business.

SSL/TLS is a reliable solution, providing dependable data encryption and decryption to keep sensitive information out of the wrong hands. But it’s not foolproof. To ensure communications security within your network, you need advanced network visibility and the power to decrypt once and route all of your traffic to the right security and monitoring tools.

The Gigamon Visibility Fabric makes this possible. Giving every tool optimal visibility into all relevant decrypted traffic, Gigamon empowers security and analytics tools with increased accuracy and effectiveness. At the same time, the Gigamon decrypt-once approach improves performance and reduces latency, enabling fewer tools to handle the same amount of traffic.

After all, users put a lot on the line when they share data with your business. Protect their interests, with Gigamon.

Relevant Terms:

  • Asymmetric cryptography
    • Ciphers that create mathematically related key pairs (consisting of one public key and one private key) for use during the encryption and decryption processes. These keys are very large (in terms of bits) and are not identical.
  • Certification authority (CA)
    • One of several groups officially authorized to distribute, renew, suspend or revoke SSL/TLS certificates.
  • Cipher suite
    • A set of algorithms designed to help secure network connections using SSL/TLS.
  • Encryption
    • The process of rendering data unintelligible to any and all outside observers, making the recovery of said data impossible without implementing a specifically designated decryption process.
  • SSL/TLS handshake
    • The process by which clients and servers are able to authenticate and verify one another, and establish encrypted communication.
  • Symmetric cryptography
    • Ciphers that use the same cryptographic keys for encryption and decryption. The keys must be shared between the sender and the recipient.

References

  1. IBM. “Cost of a Data Breach Study.” IBM, 2019. https://www.ibm.com/security/data-breach.
  2. DOMO. “Data Never Sleeps 5.0.” DOMO, 2019. https://www.domo.com/learn/data-never-sleeps-5?aid=ogsm072517_1&sf100871281=1.
  3. Google. “Secure your site with HTTPS.” Google. Google Search Console Help. https://support.google.com/webmasters/answer/6073543?hl=en.
  4. Google. “HTTPS encryption on the web.” Google Transparency Report. https://transparencyreport.google.com/https/overview?hl=en.
  5. NSS Labs. “NSS Labs Expands 2018 NGFW Group Test with SSL/TLS Security and Performance Test Reports.” GlobeNewswire. July 24, 2018. https://www.globenewswire.com/news-release/2018/07/24/1541279/0/en/NSS-Labs-Expands-2018-NGFW-Group-Test-with-SSL-TLS-Security-and-Performance-Test-Reports.html.
