Last modified: April 26, 2017
SSL/TLS is something developers often see but rarely fully understand. While SSL/TLS is really just a protocol written directly on top of TCP, it leads to a lot of confusion when talking about things like certificates and cryptographic protocols. In this article, we discuss what SSL/TLS is, the difference between TLS and SSL, and why SSL/TLS is important for secure network communication between web apps and servers.
SSL and TLS are protocols used with network connections to provide authentication and data encryption between servers. They are built directly on top of TCP (Transmission Control Protocol), which is a basic standard in computer science for establishing a network connection for exchanging data. This means SSL/TLS doesn't interfere with HTTP directly (HTTP being a separate protocol designed specifically for sending data over the internet). When someone refers to HTTPS vs HTTP, they are really referring to the underlying connection or tunnel that HTTP runs through. If a network is using the SSL/TLS protocol, then HTTP is considered to be HTTPS because information traveling over the network is encrypted and authenticated with SSL/TLS. You could say that SSL/TLS puts the "S" in HTTPS.
SSL and TLS are often grouped together because they are really the same thing: TLS is simply a later (more secure) version of SSL. Why the naming difference? It all really boils down to legal issues with Netscape (the original developers of SSL). After SSL 3.0 came TLS 1.0. To avoid confusion, some developers even refer to TLS 1.0 as SSL 3.1.
SSL/TLS allows for the secure transfer of data over a network. Specifically, the SSL protocol secures sensitive data through both (a) authentication and (b) encryption. We cover both in a bit more detail below:
This is where SSL certificates come into play. If you've ever hosted a website or even used the World Wide Web (which is everyone), then you've experienced SSL authentication. When your browser connects to a website (say Google), an exchange takes place between you (the client) and Google's web server. This exchange is known as an "SSL handshake". During the handshake, your browser takes a copy of Google's certificate and generates a session key, which it then sends back to Google. Google then decrypts your session key and sends back an acknowledgment to start the session.
Why is this important? It prevents man-in-the-middle attacks, or hackers who "pretend" to be Google. With the SSL handshake authentication process, you ensure that no one can intercept messages/data and pose as Google.
Apart from authentication, SSL/TLS also encrypts the data exchanged between you and Google. This protects sensitive data like passwords, financial information, etc. from being seen by hackers trying to "sniff" packets of data sent over the network. While packet sniffers exist to easily monitor all data payloads sent over a connection, SSL/TLS encrypts these packets so no sensitive information is revealed.
If you send data over a network connection without SSL/TLS, packet sniffers can easily expose the data you send to Google.
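The layering and the certificate check described above, as an added Python example that is not part of the original article: a TCP connection is opened first, the TLS handshake runs on top of it, and an unchanged HTTP request is sent through the tunnel. The function names and the `example.com` host are assumptions chosen for illustration.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """TLS client settings: verify the server's certificate chain and hostname."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 and TLS 1.0/1.1
    return ctx


def build_request(host: str, path: str = "/") -> bytes:
    """An ordinary HTTP/1.1 request; nothing in it changes for HTTPS."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def https_probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Layer by layer: TCP connect, TLS handshake, then HTTP inside the tunnel."""
    ctx = make_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as tcp:
            # The handshake runs inside wrap_socket(). A bad chain, or a
            # certificate issued for a different name, raises
            # SSLCertVerificationError before any HTTP byte is sent.
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                tls.sendall(build_request(host))
                status_line = tls.recv(4096).split(b"\r\n", 1)[0]
                return {
                    "authenticated": True,
                    "tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "status": status_line.decode("latin-1"),
                }
    except ssl.SSLCertVerificationError as exc:
        # The peer could not prove it is `host`: treat as a possible impostor.
        return {"authenticated": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Handshake failure, refused connection, timeout, DNS error, etc.
        return {"authenticated": False, "error": str(exc)}


if __name__ == "__main__":
    # example.com is a placeholder host (assumption); needs network access.
    print(https_probe("example.com"))
```

The only difference from plain HTTP is the `wrap_socket()` call; if verification fails there, the request is never sent.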
SSL/TLS is crucial to secure network connections. While SSL and TLS have different names, they are really successive versions of the same cryptographic protocol (TLS 1.0 really being SSL 3.1). SSL operates directly on top of TCP, which allows higher-level protocols like HTTP to run unchanged. HTTP becomes HTTPS when SSL/TLS is being used on top of TCP. SSL is important because it brings both authentication and encryption to network connections.