Exploring Secure Sockets Layer (SSL) and Its Successor
Secure Sockets Layer (SSL) is one of the most fundamental security technologies on the Internet. Without it, the world’s billions of dollars in annual e-commerce would be all but unattainable and online business transactions would be at risk for financial data to be compromised in every transaction. However, while it is important for information security professionals to understand the fundamentals of Secure Sockets Layer, they also need to understand the continual changes occurring with encrypted communications, particularly the rise of the Transport Layer Security (TLS).
What is Secure Sockets Layer?
SSL is a security protocol that establishes an encrypted link between a server and a client. The “client” is typically the end user’s web browser, although modern mail clients can also use SSL to secure their transmissions. SSL encryption strength is measured in bits, with higher numbers denoting better security – for example, bank transactions typically use 256-bit encryption.
By using Secure Sockets Layer, it becomes possible to transmit highly sensitive data, such as credit card numbers and login credentials with minimal risk that they will be intercepted in transit. Although SSL is fundamental to Internet security, the basic technologies behind it are easy to understand and have inspired many other security implementations over the years.
An SSL “certificate” is required for the creation of a secure connection. The SSL certificate is installed on the receiving server and establishes the legitimate identity of the receiver. Though this can foil many attempts at “spoofing” a website’s identity, it is only the beginning of what SSL does to ensure security for web users.
Secure Connections With SSL Certificates
The SSL secure connection makes use of a “handshake” process that will be familiar to anyone who has studied TCP/IP logical addressing. As a connection is launched, the SSL certificate initiates three keys: the public, private, and session key. All data packets encrypted with the public key can only be decrypted with the private key – and the reverse is also true.
If the private and public keys were used exclusively in mediating the entire encrypted session, it would create an enormous amount of procedural overhead. To streamline and accelerate the process, the private and public keys are used at the outset of the process to generate the session key. The session key is responsible for encrypting all data for the rest of the transaction.
The Past and Future of SSL Encryption
SSL was initially developed by Netscape, a leader in web browsing software in the 1990s. The first version of the protocol was released in 1995, but had significant security flaws. By 1996, version 3.0 corrected the issues and was widely available. At the time, none of the software engineers involved could have realized the massive amount of commerce that SSL would facilitate – the Internet was still largely open terrain, with robust search capabilities arriving in 2000.
As the Internet grew, it became clear that secure encryption would be a vital part of safeguarding both end users and enterprises. Even after Netscape was acquired, financial institutions understood that the work the company had started needed to continue. Today, Payment Card Industry (PCI) standards require SSL to be used for sites collecting credit card data; however, SSL is not the ultimate or final implementation of commercial-grade encryption.
Transport Layer Security: The Successor to SSL
Transport Layer Security (TLS) is set to supersede SSL, which was depreciated in 2015. Signs of SSL’s sunset had been accumulating for years – the U.S. government has already mandated that SSL 3.0 not be used for sensitive communications or HIPAA (Health Insurance Portability and Accountability Act)-compliant data. Further, SSL’s image was battered by vulnerabilities, the most memorable of which was the man in the middle attack called POODLE, which helped drive data-focused industries to seek alternates.
Of course, major protocols do not disappear overnight. It often takes action from an industry leader to inspire others, causing disparate actors to pull together in the same direction. For SSL, this moment may have come when Apple announced its iOS 9 would support TLS 1.2, not SSL. This revelation set off a virtual arms race as security engineers and application developers rushed to update their skills for using the relatively new protocol.
Apple’s adoption of TLS signals that the consumer-facing mobile applications of the future will be expected to include more robust security. While SSL will continue to be a part of the finance and PCI world for some time to come, TLS may also mark the beginning of a change in what is expected for encrypted communications. It will be important for information security professionals to keep an eye on the evolving issue and consider how servers and other infrastructures may need to be updated to remain secure in the changing landscape.
As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.
At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Information Security & Assurance, have made our comprehensive curriculum available to more students than ever before.
We are one of the first information assurance schools to be designated as a Center of Academic Excellence by the National Security Agency and Department of Homeland Security. Through your program, you can choose from the five unique concentrations that are uniquely designed to provide an in-depth examination of policies, procedures, and overall structure of an information assurance program.