Office of the Chief Information Security Officer

January 25, 2021

Transport Layer Security (TLS)

What is TLS?

Communication via the Internet is made possible by data exchanges between properly functioning servers, routers, and other devices. The exchanges between your smartphone or computer and those devices are susceptible to eavesdropping at any point in the process. To prevent someone from listening in on your Internet activities, computers, smartphones, servers, routers, and other devices follow agreed rules when they talk to each other, and those rules are referred to as protocols.

A protocol specifically designed to secure the connection between servers and other devices (often referred to as clients) is Transport Layer Security, or TLS. TLS enables a secure connection by allowing a server and client:

  • to authenticate or verify one another’s identity,
  • to agree upon a method of encryption, which is a way to obfuscate data from attackers, and
  • to ensure reliable transmission of data by including a message authentication code.

TLS is often used interchangeably with SSL (Secure Sockets Layer), which was first developed in 1995. TLS came along a few years later and became known as a more secure version of SSL. Although they are two distinct protocols with different rules, the term “SSL” is still associated with encrypted connections, as in “SSL certificates,” which verify a website or server’s identity. When you see “HTTPS” rather than “HTTP” at the beginning of a URL, the “S” refers to the SSL certificate and implies that the connection is secure.

Why should you care?

Understanding the TLS protocol and keeping servers, browsers, and websites configured and updated to the latest version is an important part of securing UW’s institutional systems. Check the resources below for guidance.

Things to do

  • Ensure that you see “https” (not “http”) on any website where you enter information, particularly login credentials, and be aware that “http” web pages are highly vulnerable to attacks such as eavesdropping and injection of unwanted advertisements.
  • Enable TLS 1.2 or 1.3 on all web browsers that you use.
    • You can test your browser here.
  • Server administrators should disable TLS 1.0 and 1.1 and require connections to use TLS 1.2 or above.
    • You can test your servers and view best practices and other documentation here.
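As an added example that is not part of this advisory, the following Python code shows the server-side recommendation above in practice: a TLS context that accepts only TLS 1.2 and 1.3, a deliberately weak context for comparison, and an audit function that reports which protocol versions a context would still accept. It uses only the standard `ssl` module; the function names are the example's own.

```python
import ssl
from typing import List

# Order used to enumerate which protocol versions a context would accept.
_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def hardened_server_context() -> ssl.SSLContext:
    """Server context matching the advisory: TLS 1.2 is the floor, TLS 1.3 allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # maximum_version stays at MAXIMUM_SUPPORTED, so TLS 1.3 is offered
    # whenever the underlying OpenSSL build supports it.
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Constructed weak example: admits the lowest version OpenSSL still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def enabled_versions(ctx: ssl.SSLContext) -> List[str]:
    """Names of the TLS versions the context is configured to accept."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.TLSv1  # OpenSSL's security level may still refuse 1.0/1.1
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [v.name for v in _VERSIONS if lo <= v <= hi]


def audit_tls_versions(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a context that still admits TLS 1.0 or 1.1; an empty list is compliant."""
    findings = []
    for name in enabled_versions(ctx):
        if name in ("TLSv1", "TLSv1_1"):
            findings.append(f"{name} is enabled; the advisory requires TLS 1.2 or above")
    return findings


def connection_is_modern(tls_sock) -> bool:
    """Post-handshake check on an ssl.SSLSocket: anything below TLS 1.2 should be rejected."""
    return tls_sock.version() in ("TLSv1.2", "TLSv1.3")
```

Running `audit_tls_versions(hardened_server_context())` returns an empty list, while the legacy context produces one finding per outdated version it would accept.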

Resources

Qualys SSL Labs

https://www.ssllabs.com/index.html

Test Your Browser

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

SSL Server Test

https://www.ssllabs.com/ssltest/

Qualys SSL/TLS deployment best practices

https://www.ssllabs.com/projects/best-practices/index.html

Verisign: Everything you need to know about SSL certificates

https://www.verisign.com/en_US/website-presence/online/ssl-certificates/index.xhtml

Modernizing TLS connections in Microsoft Edge and IE 11 (updated 8/2020)

https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
