TLS, SSL, HTTP, HTTPS, ….Are you not familiar with these terms or concepts? Many professionals may not know the network related terminologies to read a security report. Find out some basic terminologies used by network officials in this blog.
We wil first explain HTTP, then the difference to HTTPS. Afterwards, we explain the SSL and TLS encryption (which is the difference between HTTP and HTTPS). In the end, we will explain how they all work together.
What is HTTP?
HTTP means "HyperText Transfer Protocol". It means it is a set of rules to send and receive text-based messages. Computers work in a language of 1's and 0's, i.e. “binary language”. Therefore, a set of 1's and 0's can be a word.
Let's say I want to write 'a'. Now, if 0 stands for 'a', 1 stands for 'b', and 01 stands for 'c', we can infer that a combination of 0's and 1's can construct a word as well. In this case, the text is already constructed and is being sent on the wire. The computer works on many languages - pure binary, text and some other formats like byte codes. However, in HTTP only text is transferred.
This text is interpreted by the browser and the moment the browser interprets it, it becomes hypertext, and the protocol that transfers the text is referred to as hypertext transfer protocol - HTTP.
Using HTTP, you can also transfer images and text and even sound, but no videos.
What is HTTPS?
HyperText Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. It means the communication between your web application and the website is encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms. It uses the SSL or TLS encryption which is explained below.
What is SSL?
SSL stands for "Secure Sockets Layer." SSL is a secure protocol developed for sending information securely over the internet. Many websites use SSL for secure areas of their sites, like user account pages and online checkout. Usually, when you are asked to "log in" on a website, the resulting page is secured by SSL.
SSL encrypts the data being transmitted so that a 3rd party cannot "eavesdrop" on the transmission and view the data being transmitted. Only the user's computer and the secure server are able to recognize the data. SSL keeps your name, address, and credit card information between you and the merchant to which you're providing it. Without this type of encryption, online shopping would be far too insecure to be practical. After you visit a web address starting with "https," the "s" after the "http" indicates the web site is secure. These websites often use SSL certificates to verify their authenticity.
Visual representation of SSL encryption usage on websites
What is TLS?
TLS is the protocol that provides authentication, privacy, and data integrity between two communicating computer applications. When data has to be securely exchanged by web applications over the network, it is most likely the deployed security protocol. Applications can include web browsing sessions, file transfers, VPN connections, remote desktop sessions, and voice over IP (VOIP).
TLS evolved from SSL (which is explained later in the article) and has largely suppressed it, although the terms SSL or SSL/TLS are mostly associated with one another. Key differences between SSL and TLS that makes TLS a more secure and efficient protocol are:
- message authentication
- key material generation
- the supported cipher suites, with TLS supporting newer and safer algorithms.
TLS and SSL are not interoperable, although TLS currently provides some backward compatibility in order to connect with legacy systems.
Also have a look at our blog post on how different browsers like Chrome, Safari, Edge, etc. handle the display of older TLS protocal versions.
When you use TLS encryption, the two endpoints that communicate with each other perform a TLS handshake. We will explain this next.
Overview of OSI layers and representation of TLS protocol in the layers
What is a TLS handshake?
The reason it is called a handshake is that it’s when two parties – client and server - come across one another for the first time. The handshake involves a variety of steps that start from validating the identity of the opposite party and concludes with the generation of a standard key – secret key if you will call it.
Fundamentally, the SSL handshake is nothing but a conversation between two parties (client and server) wanting to accomplish the identical purpose – securing the communication with the assistance of symmetric encryption.
Imagine this SSL Handshake process as a dialog between the two.
Let’s see how it goes.
Client: “Hello there. I want to determine secure communication between the two of us. Here are my cipher suites and compatible SSL/TLS version.”
Server: “Hello Client. I verified your cipher suites and SSL/TLS version. I feel we’re good to travel ahead. Here are my certificate file and my public key. Verify them”
Client: “Let me verify your certificate...
(After Verification) Okay, it seems fine, but i want to verify your private key. I will generate and encrypt a pre-master (shared secret key) key using your public key. Decrypt it using your private key and we’ll use the master key to encrypt and decrypt the information”
[Now that both parties know who they’re rebuking, the information transferred between them is secured using the master-key. When the verification part is over, the encryption takes place only through the master-key. This is often called symmetric encryption.]
Client: “I’m sending you this sample message to verify that our master-key works. Send me the decrypted version of this message. If it works, our data is in safe hands.”
Server: “Yeah, it works. I feel we’ve accomplished what we were trying to find.”
How do TLS, SSL, HTTP, and HTTPS play together?
Visual representation of protocols on different OSI layers
The SSL certificate you set up is used to transmit data using HTTPS. They are dependent on each other. URLs are preceded with either HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure). This is effectively what determines how any data that you send and receive is transmitted.This means that to identify whether a site uses an SSL certificate is to look at the URL and to see if it contains HTTP or HTTPS. That’s because HTTPS connections require an SSL certificate to work.