SSL/TLS (Transport Layer Security)

Cryptographic protocols that provide secure communication over computer networks, securing web traffic, email, and other internet services

Introduction

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols designed to provide secure communication over a computer network. TLS operates at the transport layer, sitting between the application layer and the network layer, encrypting data exchanged between applications (such as web browsers and web servers) while remaining transparent to the applications themselves.

TLS provides three essential security properties:

  • Confidentiality: Data is encrypted so that eavesdroppers cannot read it, even if they capture the network traffic
  • Integrity: Data is protected against tampering -- any modification to the encrypted data is detected
  • Authentication: The identity of at least one party (typically the server) is verified using digital certificates, preventing impersonation

TLS is the protocol behind HTTPS (HTTP over TLS), which secures over 95% of web traffic. But TLS is not limited to the web -- it also secures email (SMTPS, IMAPS), file transfer (FTPS), VoIP (SRTP over DTLS), database connections, API communications, and virtually any TCP-based protocol.

While the terms "SSL" and "TLS" are often used interchangeably in casual conversation, SSL refers to the older, deprecated versions of the protocol (SSL 2.0 and 3.0), while TLS refers to the current, secure versions (TLS 1.2 and 1.3). All SSL versions are considered insecure and must not be used.

"SSL/TLS is the single most widely deployed security protocol in the world. Understanding how it works -- and how it can fail -- is essential knowledge for anyone working in cybersecurity." -- Ivan Ristic, author of Bulletproof SSL and TLS

History: From SSL to TLS 1.3

The SSL protocol was developed by Netscape Communications in the early 1990s to secure web communications. SSL 1.0 was never released due to security flaws. SSL 2.0 was released in 1995 but was quickly found to have serious vulnerabilities. SSL 3.0, released in 1996, was a complete redesign that served as the foundation for TLS.

VersionYearStatusKey Notes
SSL 1.0Never releasedNever deployedFound to have fundamental security flaws before release
SSL 2.01995Deprecated (RFC 6176, 2011)Vulnerable to cipher downgrade, no integrity on handshake
SSL 3.01996Deprecated (RFC 7568, 2015)Vulnerable to POODLE attack (2014)
TLS 1.01999 (RFC 2246)Deprecated (RFC 8996, 2021)Vulnerable to BEAST attack; based on SSL 3.0
TLS 1.12006 (RFC 4346)Deprecated (RFC 8996, 2021)Fixed BEAST but lacks modern cipher suites
TLS 1.22008 (RFC 5246)Current (widely deployed)Supports AEAD ciphers, SHA-256+, flexible cipher suites
TLS 1.32018 (RFC 8446)Current (recommended)Major redesign: faster handshake, removed insecure features, mandatory PFS

The TLS Handshake

The TLS handshake is the process by which the client and server establish a secure connection. During the handshake, they agree on the protocol version and cipher suite, authenticate the server (and optionally the client), and generate the shared secret keys used to encrypt the subsequent data exchange.

TLS 1.2 Handshake

The TLS 1.2 handshake requires two round trips (2-RTT) before application data can be exchanged:

  1. ClientHello: The client sends its supported TLS versions, cipher suites, compression methods, and a random value (Client Random)
  2. ServerHello: The server selects the TLS version and cipher suite, sends its random value (Server Random)
  3. Certificate: The server sends its X.509 certificate chain for authentication
  4. ServerKeyExchange: The server sends Diffie-Hellman parameters (for DHE/ECDHE key exchange)
  5. ServerHelloDone: The server signals it has finished its initial messages
  6. ClientKeyExchange: The client sends its Diffie-Hellman public value (or RSA-encrypted pre-master secret)
  7. ChangeCipherSpec (client): The client signals it will now use the negotiated encryption
  8. Finished (client): The client sends an encrypted verification message
  9. ChangeCipherSpec (server): The server signals it will now use the negotiated encryption
  10. Finished (server): The server sends an encrypted verification message
  11. Application Data: Encrypted communication begins

TLS 1.3 Handshake

TLS 1.3 dramatically simplifies the handshake to just one round trip (1-RTT):

  1. ClientHello: The client sends supported cipher suites, key shares (DH public values for supported groups), and supported versions -- all in one message
  2. ServerHello + EncryptedExtensions + Certificate + CertificateVerify + Finished: The server responds with its key share, certificate, and proof of possession -- all in one flight, and encrypted from the Certificate message onward
  3. Finished (client): The client confirms the handshake
  4. Application Data: Can begin immediately after the server's first flight (the client can send data alongside its Finished message)

TLS 1.3 also supports 0-RTT (zero round trip time) resumption, where a client that has previously connected to the server can send encrypted application data in the very first message. However, 0-RTT data is vulnerable to replay attacks and must be used with caution -- servers must ensure that 0-RTT requests are idempotent (safe to process more than once).

Cipher Suites

A cipher suite is a named combination of cryptographic algorithms used during a TLS connection. Each suite specifies algorithms for four functions:

FunctionTLS 1.2 OptionsTLS 1.3 Options
Key ExchangeRSA, DHE, ECDHEECDHE, DHE only (RSA key exchange removed)
AuthenticationRSA, ECDSA, DSARSA, ECDSA, EdDSA (separate from cipher suite)
Bulk EncryptionAES-CBC, AES-GCM, ChaCha20-Poly1305, RC4, 3DESAES-128-GCM, AES-256-GCM, ChaCha20-Poly1305 only
MAC/IntegritySHA-1, SHA-256, SHA-384Integrated into AEAD cipher (GCM, Poly1305)

A TLS 1.2 cipher suite name describes all four components. For example:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 means: ECDHE key exchange, RSA authentication, AES-256-GCM encryption, SHA-384 for the PRF (pseudorandom function).

TLS 1.3 simplified cipher suite naming because key exchange and authentication are negotiated separately. The five defined TLS 1.3 cipher suites are:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256

All TLS 1.3 cipher suites use AEAD (Authenticated Encryption with Associated Data) algorithms, which combine encryption and integrity verification into a single operation, eliminating entire classes of vulnerabilities that plagued older cipher constructions.

TLS 1.3 Improvements

TLS 1.3, published as RFC 8446 in August 2018, represents the most significant overhaul of the protocol since its creation. Key improvements include:

  • Faster handshake: 1-RTT instead of 2-RTT, with optional 0-RTT resumption. This reduces connection latency, especially noticeable on mobile networks and high-latency connections.
  • Mandatory Perfect Forward Secrecy (PFS): RSA key exchange is removed entirely. All TLS 1.3 connections use ephemeral Diffie-Hellman (ECDHE or DHE), ensuring that compromise of the server's private key does not allow decryption of past sessions.
  • Simplified cipher suites: Only five cipher suites, all using AEAD algorithms. Insecure algorithms (RC4, 3DES, CBC-mode ciphers, SHA-1, MD5) are removed entirely.
  • Encrypted handshake: Most of the handshake is encrypted (from the server's Certificate message onward), reducing metadata leakage. In TLS 1.2, the certificate and other handshake messages were sent in cleartext.
  • Removed insecure features: Compression (vulnerable to CRIME), renegotiation (vulnerable to renegotiation attacks), static RSA key exchange, arbitrary DH groups, export ciphers, and ChangeCipherSpec messages are all removed.
  • Downgrade protection: Built-in mechanisms detect and prevent protocol version downgrade attacks.

"TLS 1.3 is a major improvement. It is faster, simpler, and more secure than TLS 1.2. By removing decades of accumulated complexity and insecure options, TLS 1.3 makes misconfiguration much harder." -- Eric Rescorla, editor of RFC 8446

Certificate Validation and PKI

TLS server authentication relies on X.509 digital certificates issued by Certificate Authorities (CAs) within the Public Key Infrastructure (PKI). When a client connects to a server, the server presents its certificate chain, and the client must verify:

  1. Chain of trust: The server certificate is signed by an intermediate CA, which is signed by a root CA that the client trusts (root CAs are stored in the client's trust store)
  2. Certificate validity: The certificate has not expired and its notBefore date is in the past
  3. Domain name match: The certificate's Subject Alternative Name (SAN) or Common Name (CN) matches the hostname the client is connecting to
  4. Revocation status: The certificate has not been revoked, checked via CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol)
  5. Key usage: The certificate is authorized for the purpose it is being used (e.g., server authentication)

Let's Encrypt, launched in 2015, revolutionized the certificate ecosystem by providing free, automated certificates using the ACME protocol. As of 2024, Let's Encrypt has issued certificates for over 400 million websites, dramatically increasing HTTPS adoption. Certificates issued by Let's Encrypt are domain-validated (DV) and valid for 90 days, encouraging automated renewal.

Certificate Transparency (CT), specified in RFC 6962, requires all publicly trusted CAs to log every issued certificate in publicly auditable CT logs. This makes it possible to detect misissued or unauthorized certificates, providing an additional layer of accountability for the CA system.

HSTS and Security Headers

HTTP Strict Transport Security (HSTS), defined in RFC 6797, is a security mechanism that instructs browsers to always use HTTPS when connecting to a domain, even if the user types http:// or clicks an HTTP link. Once a browser receives an HSTS header, it automatically converts all HTTP requests for that domain to HTTPS for the specified duration.

HSTS header example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age: Duration (in seconds) the browser should remember to use HTTPS (31536000 = 1 year)
  • includeSubDomains: Apply HSTS to all subdomains
  • preload: Opt into the HSTS preload list (hardcoded into browsers, protecting even the first visit)

HSTS protects against SSL stripping attacks, where a man-in-the-middle intercepts the initial HTTP request and prevents the upgrade to HTTPS. Without HSTS, users who type example.com (without https://) send their first request over unencrypted HTTP, creating a window for attack.

Related security headers that complement HSTS:

  • Content-Security-Policy (CSP): Controls which resources the browser is allowed to load, mitigating XSS and data injection
  • X-Content-Type-Options: nosniff: Prevents MIME type sniffing
  • X-Frame-Options: Prevents clickjacking by controlling whether the page can be framed
  • Referrer-Policy: Controls how much referrer information is sent with requests

Common Vulnerabilities

The history of SSL/TLS includes several major vulnerabilities that have driven protocol improvements and highlighted the importance of proper configuration:

VulnerabilityYearAffectedDescriptionMitigation
BEAST2011TLS 1.0 CBCBrowser exploit against SSL/TLS; exploits predictable IV in CBC modeUse TLS 1.1+ or AES-GCM
CRIME2012TLS compressionExploits TLS-level compression to recover secret cookiesDisable TLS compression (default in modern browsers)
BREACH2013HTTP compression over TLSSimilar to CRIME but targets HTTP-level compressionDisable HTTP compression for sensitive responses, use CSRF tokens
Heartbleed2014OpenSSL 1.0.1-1.0.1fBuffer over-read in TLS Heartbeat extension leaks server memory (including private keys)Patch OpenSSL, revoke and reissue certificates
POODLE2014SSL 3.0Padding oracle attack against CBC ciphers in SSL 3.0Disable SSL 3.0 entirely
FREAK2015Export ciphersForces downgrade to 512-bit RSA "export" ciphers, trivially brokenDisable export cipher suites
Logjam2015DHE with weak parametersDowngrade to 512-bit DH; precomputation attack against 1024-bit DHUse 2048-bit+ DH groups or ECDHE
ROBOT2017RSA key exchangeReturn of Bleichenbacher's oracle attack against RSA PKCS#1 v1.5Disable RSA key exchange; use ECDHE

Heartbleed (CVE-2014-0160) deserves special mention as one of the most impactful security vulnerabilities in internet history. A missing bounds check in OpenSSL's TLS Heartbeat extension allowed attackers to read up to 64 KB of server memory per request, potentially exposing private keys, session cookies, passwords, and other sensitive data. An estimated 17% of all TLS-enabled web servers were affected at the time of disclosure. The vulnerability existed for over two years before discovery, and its impact drove significant investment in open-source security auditing.

Best Practices

  • Use TLS 1.3 wherever possible; support TLS 1.2 as a fallback but disable TLS 1.0, 1.1, and all SSL versions
  • Enable HSTS with a long max-age (at least one year) and includeSubDomains; consider HSTS preloading
  • Use strong cipher suites only: ECDHE key exchange, AES-GCM or ChaCha20-Poly1305 encryption, SHA-256+ for PRF. Disable CBC-mode ciphers, RC4, 3DES, and any export ciphers
  • Ensure Perfect Forward Secrecy (PFS): Prefer ECDHE cipher suites; disable static RSA key exchange
  • Use 2048-bit+ RSA keys or 256-bit+ ECDSA keys for certificates. Consider Ed25519 for modern deployments
  • Implement certificate automation: Use ACME (Let's Encrypt) for automated certificate issuance and renewal
  • Monitor Certificate Transparency logs for unauthorized certificates issued for your domains
  • Enable OCSP stapling for faster certificate revocation checking without privacy concerns
  • Test your configuration regularly with tools like SSL Labs (ssllabs.com/ssltest), testssl.sh, or Mozilla TLS Observatory
  • Follow Mozilla's TLS configuration guidelines: The Mozilla SSL Configuration Generator provides tested, secure configurations for all major web servers

For deeper exploration of related topics, see asymmetric encryption, public key infrastructure, IPsec, and VPN technologies.

References

  • Rescorla, E. (2018). RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3. IETF.
  • Dierks, T., & Rescorla, E. (2008). RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2. IETF.
  • Moriarty, K., & Farrell, S. (2021). RFC 8996: Deprecating TLS 1.0 and TLS 1.1. IETF.
  • Hodges, J., Jackson, C., & Barth, A. (2012). RFC 6797: HTTP Strict Transport Security (HSTS). IETF.
  • Ristic, I. (2017). Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications. Feisty Duck.
  • Durumeric, Z., et al. (2014). "The Matter of Heartbleed." Proceedings of the 2014 ACM IMC.
  • Moller, B., Duong, T., & Kotowicz, K. (2014). "This POODLE Bites: Exploiting the SSL 3.0 Fallback." Google Security Advisory.
  • Adrian, D., et al. (2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice." 22nd ACM CCS.
  • Laurie, B., Langley, A., & Kasper, E. (2013). RFC 6962: Certificate Transparency. IETF.
  • Mozilla (2024). Server Side TLS Guidelines. Mozilla Wiki.