What is SSL/TLS?
A deeper dive into the tech that secures everything on the web.

Until somewhat recently in the lifespan of the internet, people mainly browsed websites through unsecured http — the HyperText Transfer Protocol.

The protocol allows for clients to make requests — GET, POST, PUT/PATCH, and DELETE requests, and receive responses from servers. The messages are sent in plaintext — bare, human-readable, unencrypted text — from a port on your local machine’s IP to a target server’s port.

But in the event that an eavesdropper drops in the middle and routes communications from your computer to the server, it’d be trivially easy to read and modify the messages you send back and forth. This is especially easy on unsecured Wi-Fi access points, where attackers can sniff out your connection and tunnel between your computer and the router.

This is where HTTPS comes in handy: it’s a secure communication protocol that allows for a client and a server to send encrypted communications between each other. The messages are encrypted through a cryptographic protocol called TLS, short for Transport Layer Security. TLS is more commonly referred to by its predecessor’s name: SSL — Secure Socket Layer.

The end-to-end encryption works by initiating what’s called a handshake protocol between the client and the server. The server starts by communicating with the client to use the highest version of TLS they both support.

The server then shows its certificate. When you browse a secure site, you know it’s secure because of this little lock sign:

That means the server you’re sending information to has an authorized certificate. SSL certificates are given by trusted third-party certificate authorities like VeriSign, Comodo, and LetsEncrypt — most of these services charge for certificates yearly.

This certificate at minimum checks that the server indeed is authorized to administrate the domain name it says it’s on (domain validation).

In a man-in-the-middle attack, an attacker can certainly try to spoof a certificate, but most browsers will communicate with the issuer to make sure the certificate’s signatures and keys match up with their records. If it all checks out, you’ll get a nice green lock that basically says “I am the server/service provider you think I am.”

In any other cases, where a certificate is expired, a server tries to roll its own certificate, or an interceptor tries to spoof a site’s certificate, this screen will pop up:

After verifying the SSL certificate, the server and client exchange keys, agree on a cipher to decipher messages going both ways, and tell each other that all communications going forward will be encrypted.

The big upside to enabling HTTPS is that any information passed between the client and the server is just between you. Credit card information, emails, passwords, account numbers — it’s all encrypted when sent, and decrypted by the authorized server.

HTTPS isn’t just a big up for internet privacy but for anti-censorship as well.

On bare http sites, interceptors can sniff out the content of requests you pass in and out, including the URLS of pages you visit.

And while some of that is true for https sites — the NSA can tell you’ve visited google.com — they can’t tell you’ve visited https://google.com/?q=how+to+commit+big+huge+crimes+lol.

That layer of privacy from https is what prevents some governments from blocking domains whole hog — they can’t tell if you’re a good actor or a bad just from the fact that you’ve visited the site.

HTTPS isn’t just for online banking and ecommerce. HTTPS is for any website that adds to the public dialog, whether it’s political commentary, how to contact a government official, or just a personal blog.

— Why you should care about HTTPS, even if you have nothing to hide


Written by Clinton Nguyen on 04 January 2017