GLOSSARY:

TLS/SSL (Transport Layer Security)

TLS/SSL is now used by most websites.

It is an automatic process between the browser and the server that keeps data safe in transit.

Its use does not mean that a site is genuine or trustworthy; it only means that the connection to whoever runs that site is encrypted and authenticated.

Any website, including criminal ones, can now implement TLS/SSL for free.

However, its use means that end users can benefit from the confidentiality and integrity provided by cryptography without having to worry about the technical details of configuring their software or managing keys.

TLS/SSL uses a combination of asymmetric and symmetric encryption to exchange data.

When a web browser connects to a server and requests a secure communication the two computers first engage in what is known as a 'handshake' and agree how future communications will be conducted, including the type of cryptography that will be used.

After agreeing how to communicate, the server sends the user’s computer a digital certificate. The certificate contains the server’s public key and binds it to the server’s name, and it is signed by a certificate authority that the browser trusts. The browser checks that the signature chain leads back to a trusted authority, that the name in the certificate matches the site it asked for, and that the certificate is within its validity period (not expired or not yet valid).
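An added example, not from the original page, of the two checks described above that a client can make directly on the data it receives: whether the certificate is within its validity period, and whether the names in it cover the host the user asked for. It runs offline against a constructed certificate dictionary in the layout that Python’s ssl.SSLSocket.getpeercert() returns (sample data, not a real certificate). The ‘genuine’ part, verifying the signature chain up to a trusted root, is done by the TLS library (ssl.create_default_context() in Python) and is not re-implemented here. The DEMO_NOW timestamp and the hostnames are assumptions for illustration.

```python
import ssl
import time

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
# Example data only; this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.mail.example.com")),
}

# Assumed "current time" so the demo gives the same answer every day: 2025-06-01T00:00:00Z.
DEMO_NOW = 1748736000


def matches_hostname(pattern, hostname):
    """RFC 6125-style name match: case-insensitive, and a wildcard may only be the
    whole leftmost label of a name with at least three labels (so '*.com' never matches)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Return (ok, reason): validity-period check, then name check against the
    subjectAltName DNS entries (falling back to the subject CN only when no SAN exists)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return False, "not yet valid"
    if now > not_after:
        return False, "expired"
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without SAN: use the commonName
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(matches_hostname(n, hostname) for n in names):
        return False, "hostname mismatch"
    return True, "ok"


if __name__ == "__main__":
    for host in ("mail.example.com", "a.mail.example.com", "evil.example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now=DEMO_NOW))
```

A browser that accepts a certificate for the wrong name, or an expired one, is accepting a key it has no reason to trust for that site; both failures above are therefore fatal, not warnings.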

If the certificate checks out, the user’s computer generates a random pre-master secret, encrypts it with the server’s public key taken from the certificate and sends the result to the server. (This is the RSA key-exchange form. Modern TLS, including TLS 1.3, instead has both sides contribute an ephemeral Diffie-Hellman value, so the secret is never sent at all and a later theft of the server’s private key cannot be used to decrypt recorded traffic.)

The server decrypts the pre-master secret with its own private key, which only it holds.

Both the server and the user’s computer now hold the same secret and, combining it with the random values exchanged during the handshake, derive identical symmetric session keys. Crucially, the session keys themselves are never transmitted across the network; only the encrypted pre-master secret is.

Each side then sends a ‘Finished’ message, protected with the new session keys and containing a MAC over every handshake message it has seen so far. If both Finished messages verify, each side knows that the other derived the same keys and that nothing in the handshake was altered in transit; from here on, everything in this session is protected with the symmetric session keys.

The two computers can now perform the secure transaction itself, including sensitive information such as bank account details, addresses, credit card numbers and receipts using the high-speed symmetric key.

At the end of the secure session, each side sends a close_notify alert to signal that it has finished, and both discard their copies of the session keys.

If the user starts another secure session a completely new key will be used. (Browsers can resume an earlier session to shorten the handshake, but even then fresh traffic keys are derived.)
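The handshake described above, as an added example that is not part of the original page: a stdlib-only Python model of the key agreement and the ‘Finished’ confirmation, with the client and server run in one process and everything they put on the wire collected so it can be inspected. The page describes the RSA key-transport form; this model uses the ephemeral Diffie-Hellman exchange of modern TLS instead (the 2048-bit MODP group of RFC 3526), because it makes the central point visible in code: the secret each side ends up with never appears in the captured bytes. It omits the certificate step, in which the server also signs the handshake so the client knows whose key it agreed a secret with; without that signature an on-path impersonator could run this exchange with each side separately. The HKDF labels, message layout and key sizes are assumptions for illustration, not TLS wire format.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14); the generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    """Fresh (ephemeral) private exponent and the public value that goes on the wire.
    256 bits is at least twice the ~112-bit security level of this group."""
    priv = secrets.randbits(256) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Reject degenerate public values (0, 1, P-1, out of range) before exponentiating."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, P).to_bytes(256, "big")


def hkdf_expand(prk, info, length=32):
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(shared, transcript_hash):
    """Both sides feed the same secret and transcript in, so both get the same keys
    out without either key ever being sent. Labels are illustrative, not TLS's."""
    prk = hmac.new(transcript_hash, shared, hashlib.sha256).digest()  # HKDF-Extract
    return {
        "client_write": hkdf_expand(prk, b"client write key"),
        "server_write": hkdf_expand(prk, b"server write key"),
        "client_finished": hkdf_expand(prk, b"client finished"),
        "server_finished": hkdf_expand(prk, b"server finished"),
    }


def finished_mac(fin_key, transcript):
    """The 'Finished' message: a MAC over everything both sides have seen so far."""
    return hmac.new(fin_key, hashlib.sha256(transcript).digest(), hashlib.sha256).digest()


def handshake():
    """Run client and server together; return each side's keys and the bytes an
    on-path observer would have captured."""
    wire = b""
    c_priv, c_pub = keygen()
    client_hello = secrets.token_bytes(32) + c_pub.to_bytes(256, "big")  # nonce + DH value
    wire += client_hello
    s_priv, s_pub = keygen()
    server_hello = secrets.token_bytes(32) + s_pub.to_bytes(256, "big")
    wire += server_hello
    # Each side combines its own private exponent with the other's public value.
    c_keys = derive_keys(shared_secret(c_priv, s_pub), hashlib.sha256(wire).digest())
    s_keys = derive_keys(shared_secret(s_priv, c_pub), hashlib.sha256(wire).digest())
    # Server Finished: computed by the server, checked by the client.
    server_fin = finished_mac(s_keys["server_finished"], wire)
    if not hmac.compare_digest(server_fin, finished_mac(c_keys["server_finished"], wire)):
        raise RuntimeError("server Finished does not verify")
    wire += server_fin
    # Client Finished covers the transcript including the server's Finished.
    client_fin = finished_mac(c_keys["client_finished"], wire)
    if not hmac.compare_digest(client_fin, finished_mac(s_keys["client_finished"], wire)):
        raise RuntimeError("client Finished does not verify")
    wire += client_fin
    return c_keys, s_keys, wire


def keys_absent_from_wire(keys, wire):
    """True if no derived key appears anywhere in the captured handshake bytes."""
    return all(k not in wire for k in keys.values())


def finished_detects_tampering(keys, wire):
    """If an on-path party changes a handshake byte, the two sides' transcripts differ
    and their Finished MACs no longer agree."""
    tampered = bytes([wire[0] ^ 0x01]) + wire[1:]
    return not hmac.compare_digest(finished_mac(keys["server_finished"], wire),
                                   finished_mac(keys["server_finished"], tampered))


if __name__ == "__main__":
    client_keys, server_keys, captured = handshake()
    print("keys agree:", client_keys == server_keys)
    print("keys on wire:", not keys_absent_from_wire(client_keys, captured))
```

Running handshake() twice gives two unrelated key sets, which is the property the text describes for a new session; and because the exponents are thrown away afterwards, recording the captured bytes today does not help an attacker who obtains a long-term key later.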

Web browsers have made it easy to determine if a website is using TLS/SSL by:

  • Making all secure addresses begin ‘https://’ (rather than ‘http://’) with the s standing for ‘secure’.

Examples include:

Gmail, at https://mail.google.com/

Google serves search over HTTPS by default at https://www.google.com/

which means that the words you search for and the results you receive cannot be read or altered by anyone between your browser and Google. (An observer on the network can still see that you are connecting to google.com; TLS protects the content of the connection, not the fact of it.)

  • Showing a closed padlock symbol in or near the address bar (newer browser versions replace it with a neutral ‘connection is secure’ indicator). The padlock confirms only that the connection is encrypted and the certificate checked out; it says nothing about whether the site itself is honest.