Introduction
With HTTP/2, most websites (whether a blog, a portal, an e-retail site or social media) are moving to HTTPS, and that brings new challenges in maintaining the SSL certificates required to run those websites properly.
To support this, Catchpoint is introducing the SSL monitor, which not only monitors certificate expiry but also checks for host mismatch, insecure protocols (like SSLv2 or SSLv3), weak signatures (like MD5 or SHA1), certificate revocation, untrusted roots, and a lot more, including certificate pinning.
Catchpoint's SSL monitor is not restricted to HTTPS; it supports any secure application protocol on top of TCP (like SMTPS, POPS, IMAPS, FTPS, WSS, MQTTS, etc.).
What is Secure Sockets Layer (SSL)?

Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).
SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information. More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.
All browsers have the capability to interact with secured web servers using the SSL protocol. However, the browser and the server need what is called an SSL Certificate to be able to establish a secure connection.
What are TLS and HTTPS?
TLS (Transport Layer Security) is just an updated, more secure version of SSL. Because SSL is the more commonly used term, when you buy an SSL certificate you may actually be buying a TLS certificate, with the option of ECC, RSA or DSA encryption.
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar. (reference)
What is an SSL Certificate?
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the https protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently it is becoming the norm for securing browsing of social media sites. SSL Certificates bind together:
- A domain name, server name or hostname.
- An organizational identity (i.e. company name) and location.
Why Do I Need an SSL Certificate?
1. Increased Google Rankings
Over 30% of the sites on the first page of Google are HTTPS, which is not a surprise, since Google has confirmed that they favour HTTPS sites. Google wants to ensure the best user experience for their customers, so understandably they don’t want to send searchers to insecure sites. Because of that, their ranking algorithm favours HTTPS sites. If your website isn’t secure, it could be getting outranked by similar sites that are.
2. Improved Security
There’s a reason why Google favours HTTPS—they want to achieve the safest web experience for their users. Google adds criteria to the rankings algorithm when it has proven to provide better user experience. HTTPS protects your users’ information and your information from hackers. Keeping everything safer and more secure is simply a better option for everyone.
3. Updated Browser Labels
Are we tired of talking about Google yet? Well, there’s one more thing. As part of their push for a more secure web, Google is also updating their labelling for HTTP sites in Chrome’s URL bar.
Currently, HTTP sites are marked with a gray information symbol that tells the user the website is not secure if they click on it. Soon, Google is going to update that to include a “Not Secure” label that is displayed in plain sight, rather than after a user clicks on the information symbol.

Eventually, Google is going to mark HTTP sites with a red triangle and a “Not Secure” label written in red.

While this new label only means that your website is not HTTPS, users don’t fully understand that, and many will likely feel a sense of unease from seeing that label on a website they are browsing.
4. Increased Conversions
While users may not have a complete technical understanding of secure connections, they do understand that they want a website to be HTTPS if they are providing personal information. We already see a difference in conversion rates between HTTP and HTTPS sites. But, after Google rolls out their new HTTP labelling, we will probably see an even larger difference in conversion rates between the two.
When users see those red labels, something as simple as entering a name, email, and phone number into a basic lead generation form can cause anxiety and concern for users.
5. Increased Customer Confidence
With all the buzz about HTTPS going around, more users are specifically looking for a secure connection when visiting a website. A secure connection gives your customers peace of mind that your website can be trusted, and their information is safe.
How does an SSL certificate work?
The basic principle is that when you install an SSL certificate on your server and a browser connects to it, the presence of the SSL certificate triggers the SSL (or TLS) protocol, which will encrypt information sent between the server and the browser (or between servers); the details are obviously a little more complicated.
SSL operates directly on top of the transmission control protocol (TCP), effectively working as a safety blanket. It allows higher protocol layers to remain unchanged while still providing a secure connection. So underneath the SSL layer, the other protocol layers can function as normal.
If an SSL certificate is being used correctly, all an attacker will be able to see is which IP and port are connected and roughly how much data is being sent. They may be able to terminate the connection, but both the server and user will be able to tell this has been done by a third party. However, they will not be able to intercept any information, which makes it essentially an ineffective step.
The hacker may be able to figure out which host name the user is connected to but, crucially, not the rest of the URL. As the connection is encrypted, the important information remains secure.

- SSL starts to work after the TCP connection is established, initiating what is called an SSL handshake.
- The server sends its certificate to the user along with a number of specifications (including which version of SSL/TLS and which encryption methods to use, etc.).
- The user then checks the validity of the certificate and selects the highest level of encryption that can be supported by both parties and starts a secure session using these methods. Many sets of methods are available, with various strengths; they are called cipher suites.
- To guarantee the integrity and authenticity of all messages transferred, SSL and TLS protocols also include an authentication process using message authentication codes (MAC). All of this sounds lengthy and complicated, but it’s achieved almost instantaneously. (reference)
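
The checks listed in the introduction and the certificate validation step of the handshake above, sketched as an added example (not Catchpoint's code): it covers expiry, host mismatch, insecure protocol and a certificate pin, and leaves revocation and signature-algorithm checks out. The finding names, the sample certificate and the leaf-fingerprint pin style are assumptions of this example.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

# SSLv2/SSLv3 are the page's examples; TLS 1.0/1.1 were deprecated by RFC 8996.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; not a real certificate.
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2030 GMT",
               "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
SAMPLE_DER = b"constructed-der-bytes"

def host_matches(cert, host):
    """Compare host with DNS subjectAltName entries; '*' covers one left-most label."""
    host = host.lower().rstrip(".")
    names = [n.lower() for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    parent = host.partition(".")[2]
    return any(n == host or (n.startswith("*.") and parent and n[2:] == parent) for n in names)

def evaluate(host, cert, der, protocol, pins=(), now=None, warn_days=30):
    """Return monitor findings for one handshake result (finding names are hypothetical)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append("expires-soon")
    if not host_matches(cert, host):
        findings.append("host-mismatch")
    if protocol in WEAK_PROTOCOLS:
        findings.append("insecure-protocol")
    # Pin on the SHA-256 of the leaf certificate's DER bytes (one pinning style among several).
    if pins and hashlib.sha256(der).hexdigest() not in pins:
        findings.append("pin-mismatch")
    return findings

def probe(host, port=443, timeout=5):
    """Handshake with chain verification on; the hostname check is left to evaluate()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # an untrusted root still raises ssl.SSLCertVerificationError
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True), tls.version()

if __name__ == "__main__":  # needs network access; example.com is a placeholder host
    print(evaluate("example.com", *probe("example.com")) or "no findings")
```

Because `probe()` works over a plain TCP socket, the same evaluation applies to the non-HTTPS services the introduction mentions when they speak TLS from the first byte; it does not handle STARTTLS-style upgrades.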