Codepath

SSL and TLS

  • SSL: Secure Sockets Layer
  • TLS: Transport Layer Security

SSL and TLS are cryptographic communication protocols which provide privacy and guarantee data integrity. They create a secure channel over an otherwise insecure network.

SSL was developed by Netscape in 1996 as a way to encrypt web traffic. It was popular in the early internet, especially for e-commerce and online payments. However, SSL suffers from a few security vulnerabilities which has caused it to deprecated—meaning it is going away soon and being used less and less.

TLS was created by the Internet Engineering Task Force in 1999 as replacement for SSL. TLS is currently considered secure and is widely used in a variety of online communications: websites, file transfers, email, instant messaging, voice-over-IP (VoIP).

It is ironic that TLS is a replacement for SSL, and has never been compatible with SSL, yet most people commonly refer to TLS as "SSL". When you hear anyone say "SSL", think "TLS".

TLS has three main advantages:

  • Confidentiality: No one can eavesdrop on the encrypted data.
  • Data integrity: No one can modify signed data.
  • Identity integrity: No one can fake their identity.

TLS Handshake and Communication

A TLS connection between a client and server begins when the client contacts the server and indicates a desire to use TLS for communication. The client and server then initiate a handshake procedure, basically a negotiation about the configuration options that the two will use to communicate. The most important of these configurations is which encryption algorithms will be used. This depends on the algorithms the client and server support, allow, and prefer.

Once the configuration is set, the client and server use Public-Key Cryptography to begin their communication. A public-key is a good way to begin communications because no password is needed to send the first piece of data. Additionally, each party uses their private key to digitally sign the data to verify their identify and ensure data integrity. But public-key algorithms are slower than alternative algorithms, so only a password is encrypted and shared.

Once both the client and server have a shared password to use, they can switch to using Symmetric Key Algorithms to communicate. These algorithms are much faster. Each message sent from the client to the server or from the server to the client will be encrypted using the algorithm and the password negotiated during the handshake.


Besides providing privacy, TLS provides important prevention measures against a number of attacks, including credential theft, cookie theft, and session hijacking. The main disadvantage is that it is slower simply because all data must be encrypted before sending and decrypted once it is received. This was a significant barrier to adoption ten years ago, however it is only a small issue for much faster, modern computers. It remains a concern for less-powerful mobile devices and for sites which need to serve up large files, such as online video. The cost and setup are minimal, but do keep it from being more widely adopted.


Heartbleed Bug

The Heartbleed bug was a major vulnerability discovered in the OpenSSL library in 2014. It was a significant concern because the OpenSSL library is widely used for TLS. It has been estimated that at least 20% of secure servers use OpenSSL.

The bug allowed at attacker to read parts of server memory which they should not be able to see (technically called a "buffer over-read"). It had the potential to compromise a server's private keys, and once an attacker has the private keys, it compromises all TLS communications with that server.

A media campaign was organized (including a catchy name, logo, and website) to make as many developers aware of the issue and to get as many servers upgraded with a patched version of OpenSSL as quickly as possible.

Unfortunate cases like Heartbleed, provide an example of why forward secrecy is important. TLS can guarantee forward secrecy if configured correctly.

Fork me on GitHub