TLS/SSL security for websites

What if I told you that the TLS/SSL protocols can provide impenetrable protection for your company’s website? While completely untrue (nothing is impenetrable), TLS/SSL can provide strong data privacy, dependable data integrity and accurate server authentication to give you and your customers some peace of mind.


Imagine waking up one morning to the news that your company has suffered a data breach. While reading the headlines, you learn that the hacker was able to steal the usernames, passwords, addresses and payment information of 85,000 customers. In the following days and weeks, you eventually learn from investigators that the hacker was able to get this information quite easily because your company’s web pages were not secure.

As a result of this simple oversight, your company will spend millions of dollars on forensic experts, PR firms, litigation fees and more. Additionally, revenue and the share price plummet as customers and investors decide to take their business elsewhere.

To be hacked or not hacked, that is the question!

Thankfully, the likelihood of the above scenario can be reduced by taking steps to ensure that your company’s web pages are served securely. If you have ever surfed the web, you have probably seen URLs that start with “https.” The ‘s’ stands for secure: it tells the browser to carry the connection over TLS, so traffic to and from the site is encrypted and the server must present a certificate for the domain name shown in the address bar. It does not, by itself, guarantee that the site is free of vulnerabilities or that the organization behind the domain is who you think it is.

Having encryption present on a website is important because it conceals sensitive information such as usernames, passwords and credit card numbers while they travel across the network. With encryption, that sensitive information appears to be a garbled mess of characters. Even if a hacker spies on the web traffic and captures the packets, he or she would not be able to read what was transmitted between a client and the company. Companies therefore protect data in transit to and from their website by using the TLS/SSL protocols; bugs in the web application itself (injection flaws, broken access control and the like) are a separate problem that TLS does not address.

While the terms TLS and SSL tend to be used interchangeably, there are a couple of differences between the two that one should be aware of. SSL stands for Secure Sockets Layer. It was developed by Netscape in the mid-1990s (SSL 2.0 was released in 1995 and SSL 3.0 in 1996) as a way to keep the connection between two systems private and to safeguard any sensitive data sent between them. Every version of SSL has since been broken or deprecated; SSL 3.0 was formally retired by the IETF in RFC 7568 (2015), and no production server should still offer it.

TLS stands for Transport Layer Security. It was first published in 1999 by the Internet Engineering Task Force (IETF) as RFC 2246, a direct successor to SSL 3.0 under a new name. The current version is TLS 1.3 (RFC 8446, 2018); TLS 1.0 and 1.1 were deprecated in 2021 (RFC 8996), so a modern site should offer only TLS 1.2 and 1.3. TLS provides strong confidentiality, integrity and authentication for the connections that take place between a website and those who browse it. In practice, “SSL” survives mostly as a name (as in “SSL certificate” or OpenSSL), while the protocol actually negotiated is TLS.

Confidentiality, integrity, authenticity, oh my!

The first protection that the TLS protocol provides is confidentiality, which is the act of keeping something private between two parties. When a user’s browser connects to a website server, the expectation is that sensitive information such as usernames, passwords, account information and payment methods are kept confidential between the two entities. This is so that an outsider spying on the network traffic would not be able to discern such information.

TLS uses encryption algorithms to obscure data so that sensitive information remains private between the intended parties. The encryption keys are agreed fresh for each connection during the TLS handshake (with a key exchange such as ECDHE), so a passive eavesdropper who records all the traffic still cannot derive them. If an outside party tries to extract the encrypted data, he or she receives a garbled mess instead of usable intel. One caveat: TLS hides the content of the exchange, not the fact that it happened. The server’s IP address, and in current deployments usually the hostname sent in the Server Name Indication (SNI) extension, remain visible on the wire.

The second protection TLS provides is integrity, which is the act of ensuring that a message or document has not been modified. For example, if a user is doing online banking and decides to transfer money to a friend, a hacker sitting between the browser and the bank could change the recipient account to his or her own before the banking server receives the request, which would be undesirable. TLS attaches a message authentication code to every record to detect tampering in transit: in TLS 1.2 this is either HMAC (hash-based message authentication code) or the authentication tag of an AEAD cipher such as AES-GCM, and TLS 1.3 uses AEAD ciphers exclusively. Note that this protects the data while it is on the wire; it does nothing against malware on the user’s machine or a compromised server, which sit inside the protected channel.

When a message is fed into a cryptographic hash function it returns a fixed-length digest that, for all practical purposes, identifies that message: if one small thing is changed, such as a letter or a space, the function produces a totally different digest that looks nothing like the original. A plain hash alone is not enough, however, because an attacker who can rewrite the message can just as easily recompute and replace its hash. HMAC solves this by mixing a secret key into the computation. The key is derived during the handshake and known only to the browser and the server, so an attacker on the network can alter the bytes but cannot produce a tag that will pass the check.

Using the example from earlier, when the banking server receives the transfer request, TLS recomputes the authentication tag over the received record with the shared key. If it does not match the tag that arrived with the record, the record is rejected and the connection is torn down with a bad_record_mac alert, so the altered transfer never reaches the banking application. This prevents in-transit modification of the request, which is what a network attacker can attempt.
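To make the difference between a plain hash and a keyed MAC concrete, the following added example (not code from the original article) models the transfer request above in Python with the standard library only. The request bytes, the account numbers and the session key are constructed for the illustration; in real TLS the key comes from the handshake, and the MAC input also covers the record type, version and length, which are omitted here. The example goes one step beyond the text by including the record sequence number in the MAC input, as TLS does, so that a replayed record is rejected as well.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a toy banking request and a per-connection MAC key.
# In real TLS the key comes from the handshake key derivation, not from a literal.
REQUEST = b"POST /transfer amount=500 to_account=111-222-333"
SESSION_KEY = secrets.token_bytes(32)


def unkeyed_digest(message: bytes) -> bytes:
    """Plain SHA-256. Detects accidental corruption only: anyone can recompute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, seq: int, message: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || message), as TLS 1.2 HMAC suites do.
    Including the sequence number ties the tag to one position in the stream."""
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


def receiver_accepts_unkeyed(message: bytes, digest: bytes) -> bool:
    """Receiver that only checks an unkeyed hash shipped alongside the message."""
    return hmac.compare_digest(unkeyed_digest(message), digest)


def receiver_accepts_keyed(key: bytes, seq: int, message: bytes, tag: bytes) -> bool:
    """Recompute the tag under the shared key and compare in constant time.
    In TLS a mismatch raises a bad_record_mac alert and the connection is closed."""
    return hmac.compare_digest(mac_tag(key, seq, message), tag)


def tamper(message: bytes) -> bytes:
    """The man-in-the-middle swaps the recipient account (constructed value)."""
    return message.replace(b"111-222-333", b"999-888-777")


def forgery_with_plain_hash() -> bool:
    """Sender ships message + SHA-256(message). The attacker rewrites both,
    needing no secret, and the receiver accepts the forged transfer."""
    forged = tamper(REQUEST)
    return receiver_accepts_unkeyed(forged, unkeyed_digest(forged))


def forgery_with_hmac(key: bytes = SESSION_KEY) -> bool:
    """Sender ships message + HMAC. The attacker rewrites the message but, lacking
    the key, can only forward the original tag. The receiver rejects it."""
    tag = mac_tag(key, 0, REQUEST)
    forged = tamper(REQUEST)
    return receiver_accepts_keyed(key, 0, forged, tag)


def replay_with_hmac(key: bytes = SESSION_KEY) -> bool:
    """The attacker re-sends an untouched record later (sequence 1 instead of 0).
    The sequence number is part of the MAC input, so the replay is rejected too."""
    tag = mac_tag(key, 0, REQUEST)
    return receiver_accepts_keyed(key, 1, REQUEST, tag)


def honest_with_hmac(key: bytes = SESSION_KEY) -> bool:
    """Control case: an unmodified record at the right position is accepted."""
    tag = mac_tag(key, 0, REQUEST)
    return receiver_accepts_keyed(key, 0, REQUEST, tag)


if __name__ == "__main__":
    print("plain hash, tampered request accepted:", forgery_with_plain_hash())  # True
    print("HMAC, tampered request accepted:      ", forgery_with_hmac())        # False
    print("HMAC, replayed record accepted:       ", replay_with_hmac())         # False
    print("HMAC, honest request accepted:        ", honest_with_hmac())         # True
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken does not depend on where the first differing byte is; a timing-dependent comparison would let an attacker recover a valid tag one byte at a time.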

The third protection that TLS provides is authentication, which is the act of verifying one’s identity. Before logging into a site with credentials that could grant someone access to sensitive information, users want to be sure that they are on a legitimate site and not a spoofed version.

TLS allows a website to prove its identity by presenting a digital certificate that binds its domain name to a public key and is signed by an entity known as a Certificate Authority (CA), one of a set of CAs the browser is shipped to trust. During the handshake the server also proves that it holds the private key matching the certificate, and the browser checks the signature chain back to a trusted CA, the certificate’s validity period, and that the name in the certificate matches the host in the URL. If any of these checks fails, the browser shows a full-page warning instead of the site.

Just as American citizens confirm their identity with driver’s licenses issued by the DMV, websites prove their identity with digital certificates. A valid certificate assures users that they are talking to the server that controls the domain in the address bar and that their login information is not being intercepted in transit. It does not vouch for the business behind that domain: a phishing site at a look-alike domain can obtain a perfectly valid certificate for its own name, so users still have to check that the domain itself is the one they intended.

Not only do the TLS/SSL protocols, when correctly configured (current protocol versions, strong cipher suites and a valid certificate for every hostname the site uses), allow companies to protect their websites using industry best practices, they also give consumers and other casual browsers peace of mind when they see the lock symbol in the address bar.

Therefore, using encryption on your websites is a simple, visible way to assure customers that your company values cybersecurity and is committed to taking the proper precautions to ensure that sensitive information remains protected.

This article is published as part of the IDG Contributor Network.