Demystifying SSL / TLS certificates

During February, LAWtrust did a series of articles on the Importance of SSL / TLS certificates. The series has generated a lot of interest and a lot of questions.

For our last post we will look at some of the most frequently asked questions and demystifying some of the concepts around TLS certificates.

How does TLS secure your connection to a website?

As mentioned previously, a TLS certificate servers two purposes:

• Identify and verify the owner of a website.
• Encrypt data between the user’s client (computer) and the server.

So how is TLS used to protect a website’s users?

1. The TLS process starts when a client sends a request to a web server requesting secure content.
2. The server responds with its TLS certificate.
3. The client then uses the TLS certificate to verify the server’s identity and ensure the server can be trusted.
4. The clients generates a session key and encrypts the key with the TLS certificate.
5. The client sends the encrypted session key to the web server.
6. The web server decrypts the session key.
7. All communication between the web server and the client will be encrypted with the session key.

What is the difference between SSL and TLS?

SSL and TLS are the same thing.

Secure Socket Layer (SSL) is the cryptographic protocol that provides the identity of a website to users and encrypts the data between the user and the website.

Transport Layer Security (TLS) is the latest version of SSL.

SSL v1 was never public released but SSL version 2 was released in 1995. In January 1999 TLS v1 was released to replace SSL since there were a lot of known vulnerabilities in the SSL protocol.

The latest version of TLS is TLSv1.3.

SSL and TLS are normally used interchangeably, notably, people reference SSL when they are really talking about TLS.

What is a Certificate Authority?

A Certificate Authority (CA) is an entity that issues TLS certificates to organisations that requires the TLS certificates to secure their website. Usually, the applicant must pass through an identity verification process before the TLS certificate is issued.

What is the difference between public trust TLS certificates and private trust TLS certificates?

Public trust TLS certificates are certificates issued by Certificate Authorities that carries ‘trusted’ status. The public trust certificates that they issue are automatically recognised by most major browsers like Chrome, Microsoft Edge, Firefox and Safari.

To be able to issue public trust certificates, the Certificate Authority must issue and manage TLS certificates in accordance with the policies established by the CA / Browser forum. By adhering to these policies, the Certificate Authorities maintains industry best practices and standards to ensure the best security for their users.

Private trust certificates are not recognised by any of the major browsers and their issuance does not have to adhere to any standards. Therefore, organisations can issue their own private trust certificates easily. However, since these TLS certificates are not recognised or trusted outside of the organisation, they are not suitable for securing public-facing websites. These certificates are normally used to secure internal communication.

Get regular updates on all things SSL right to your inbox, subscribe to our blog now.