Best Practice for SSL and TLS

Cyber threat has made every one worry about their online privacy. Even larger organizations and the political leaders are also putting their efforts to mitigate this havoc. Many countries are now waking up from long sleep and started to made cyber security and surveillance law in strict manner. Whether it is a business data or individual information, each single bit needs to be secured with bound security so that any third party could not intercept in ongoing information over the web. To get rid of data sniffing or intercepting, the best solution is TLS (Transport Layer Security) which is predecessor of SSL (Secure Socket Layer) technology. 


What is TLS?

TLS is the best tunneling protocol that works on transport layer. This protocol encrypts, authenticates as well perform data integrity. TLS is helpful in securing client-server communication and server-to-server communication. Software publishers or application developers sign software code with TLS/SSL so the update will be trusted in a secure environment. TLS can be only given in the form of digital certificate that is an electronic document.

What is Digital Certificate?

The certificate authority (CA) that verifies the identity of a user, server, company or a client software program, issues digital certificate. These certificates may vary according to validation type that the CA performs. Digital certificate can be checked in browser means a visitor can check the issuer name, encryption strength, expiry date, algorithm type, and other details to confirm further confirm that the website is genuine. Many individuals create their own certificate that is called self-signed certificates but these certificates fundamentally untrustworthy by browsers and the CAs.

Integral of SSL:

SSL has three basic integrals on which the base of encryption stands data authenticity, data integrity and data encryption.

· Identity Authentication:

SSL provides authentication means you are communicating with the right server that you intended earlier. The authentication helps to identify the real person as the criminal could take advantage by entering in man-in-middle and capture details without user awareness. To avoid this unwanted situation, users should go with trusted SSL certificate provider that follows Public Key Infrastructure. 

· Data Encryption:

The main motto of SSL is to encrypt sensitive information that travels between the server and the browser. Currently, 256-bit encryption is prescribed by the CA/Browser forum. The reason to have encryption is to save data from data interception. A strong encryption encodes the information in cipher text, which makes it hard to decode thus, SSL provides security over the web.

· Data Integrity:

SSL also take care of data integrity means the information passes between two endpoints is not altered by any third party. Especially, data integrity is essential for software publishers who can easily rely on code integrity that is signed with digital certificate. It means the code is not altered since it is signed. Data integrity avoids bugs, virus, and malware thus keep the data secured and unaltered.

Difference between SSL and TLS:

SSL (Secure Socket Layer)

Netscape originally created SSL protocol in 1995 with the release of version SSL 2.0. After that SSL 3.0 was came in force in 1996. The object of SSL was to provide security and reliability between two servers and applications. However, SSL v3.0 is vulnerable to poodle attack hence; it is widely used in servers. SSL connections start with security and proceed to secured communications.

TSL (Transport Layer Security)

TLS is a new form of SSL as TLS 1.0 was introduced after SSLv3.0. it is believed that TLS1.0 is like SSL3.1 but it is more reliable than SSL versions. TLS1.0 was defined in RFC2246, which was published in 1999. TLS1.0 was allowed to downgrade the secured connection to SSL3.0. Later on TLS 1.1 and 1.2 were also introduced. Browsers at present do support TLS versions. TLS 1.1 and 1.2 protocol has fixed many loopholes seen in SSL3.0 and TLS 1.0 version. New TLS version can avoid BEAST; POODLE attacks and offers strong ciphers. 

The main difference between SSL and TLS is ciphers, hash algorithms and key exchange mechanism. The flexibility and the cryptographic features makes TLS winner in security industry.

Certificate Chain:

To instill trust in customers and browsers, every CA has their root certificates in browsers and operating systems (OS). Certificates signed by these root certificates become also trustworthy. The root certificates are updated periodically. The root authority (main authority) has subsequent certificate issuer CAs that relies on root authority. Under root certificate, there is an intermediate certificate, which is on second position in certificate hierarchy (root, intermediate and end user certificate). This certificate hierarchy is used to verify the validity of a certificate’s issuer. It enables the receiver to confirm that the sender and all intermediate certificates are reliable. 

Self-Signed Certificates:

Digital certificates that are generated by an individual using certificate tools are named Self-Signed certificate. These certificates are used for internal purpose but for external environment, it is hard to make them trustworthy as any individual can sign it. Such certificate can provide encryption but does lack authentication therefore, fails to meet browser’s trustworthy test. 

Trustworthy Certificate Authorities:

When it comes to server security, you cannot rely on self-signed certificate, as browsers will throw warning when making a secure handshake. Certificate authorities (CAs) are third party reliable body that verifies the identity of business and SSL applicant and authorize the entity to use SSL certificate. Symantec and Comodo are reliable certificate authorities that have covered huge market in SSL industry.

Extended Validation:

What could be the best way to authenticate your business along with modern encryption algorithm? The simple answer is Extended Validation (EV) certificate that is also named green bar certificate. EV SSL certificate is mostly useful for ecommerce, financial institutions, banking, payment merchant, government etc. where large amount of transactions are taking place on regular base. EV SSL certificate turns the address bar into green bar in browser and shows verified company name on the green bar. Visitors/customers can verify the certificate details with a single mouse click on it.

The rules to verify the identity of business is strict as the CA will look into article of association, legally government records, legal existence. The CA verifies that the entity has right to use domain name and the applying person belong to organization and is empowered to do so. Extended validation certificate are bit costly compare to other SSL certificates. 

Common TLS mistakes:

There are sometime website designer or developer does mistakes that make SSL/TLS ineffective. Here are few mistakes we have highlighted that should be avoided to get the benefit of SSL at its best.

HTTP GET Method:

When you use HTTP GET method in URL, it easily shows the value and exposes it to other person. However, SSL can secure the URL and avoids data sniffing. Such URL is stored in web server log and browser history and can be bookmarked. If there is an insecure link that is linked to a secured link, then the full URL will be there in header sent to the server.

Secure Cookies:

Cyber crooks can perform attacks based on the information retrieved from insecure cookies. Use “Secure” flag so a server sends cookies on a secured connection. Attackers can steal cookie information via packet sniffing, session hijacking, and XSS attack. Many websites use insecure cookies in secured sessions.

Mixed Content Error:

Many websites run frame, script, video, images on HTTP instead of HTTPS. Such links are not served on HTTPS hence not secured. It cause damage to website security and browsers do block such type of insecure content over HTTPS website. If there is any HTTPS URL, it should be changed to HTTPS. 

HTTP to HTTS Redirection:

it is wrong way to redirect HTTP URL to HTTPS especially such redirection is made on login page or payment page. Phishers can take advantage of such redirection and abuse the website. Website owners should avoid such redirection and keep login page secured with HTTPS.

Certificate Expiry:

SSL certificates carry expiry date on which it should be renewed to enjoy long-lasting website security. An expiry date is written on dialog box when you click on HTTPS address bar. Attackers can inject malicious code into website coding that could harm website. Attacker can perform zero day and man-in-middle attack on website, which SSL is expired. Expired SSL can cause shopping cart abandonment as customers face browser warning of untrusted website. Customers do not pass sensitive information on such untrusted website.

Certificate Revocation:

Certificate revocation immediately removes HTTPS from the website means a withdrawal of trust. It protects people from dealing with websites as it may be used for eavesdropping, fraud. The certificate can be revoked in case 

·  A private key of a certificate is compromised.
· The certificate holder does not have control on domain name for which the certificate was issued. 
· The certificate was erroneously signed.

There is a way to check revoked certificate for browsers like CRL (certificate revocation list) and OCSP (Online Certificate Status Protocol). OCSP provides revocation status of X.509 certificate information. CRLs provide a list of revoked certificates that should not be trusted.

Certificate Management:

Any organization that is running multiple domains, or certificates faces certificate management issue. If certificate management is not handled properly, it could invite trouble to organization. To solve this issue, CAs prefer online management that keep track of multiple certificate and avoid unwanted expiry as well handles renewals and reissues of certificates. Without an online certificate management, a business would end up in managing text and spreadsheet that can be a hectic process. If a person managing such records leaves company, the record may be lost or mismanaged. CAs keep managed PKI for smooth SSL certificate management that can track internally CAs and externally certificates.


TLS is also named as SSL that helps to secure communication of application networks across the web as well internally. TLS offers strong encryption, authentication and data integrity thereby secures ongoing communication. A trusted certificate authority is required to increase ability and importance of TLS protocol. CA/browser forum and the NIST bring timely update in rules and regulation that every certificate authority has to follow to enhance security of TLS certificate.