I am going to try to educate the masses on just what TLS/SSL, Transport Layer Security and Secure Sockets Layer, does whenever you access a webpage. If there is a green bar, a lock, or “https”, that means you are connected to the website securely. HTTPS stands for Hypertext Transfer Protocol Secure, which is just a fancy way of saying “Your connection is secure”. This secure protocol uses TLS/SSL. Just for clarity, I will refer to both TLS and SSL simply as SSL, since TLS is built on SSL and designed for HTTP.
In order to explain how this encryption works, let us first understand how standard HTTP functions. HTTP works as a request-response protocol. If the client requests a webpage, the server returns a response with the webpage, and then both the transaction and the connection are finished. Sites keep an individual “logged in” by issuing them either a session token or a cookie. The server requests these upon every transaction to make sure the client is approved to view whatever is requested.
The issue of security revolves around the principle that internet protocols are open to nearly every computer or internet-capable device connected to the system throughout the entire transaction. If one were to request data from any host, the person sitting next to that individual could look at the request and figure out the data being sent by the individual and received back from the host.
This is where SSL comes in. The act of looking at information sent and received by other people on the network is called packet sniffing. This itself is not the issue. Standard internet protocol dictates that most every connection is handled this way. This is just how the current systems work. The issue comes when people decide to packet sniff important login data between a user and the server.
Let us put this into perspective. If Facebook did not have the secured SSL connection and one decided to log into Facebook, anyone anywhere along the line of connections could try to fetch the login information. As described above, this is not that hard, because all it takes is one rogue person across the line of ten or more connections to get that data. It is even worse when a DNS service gets hacked and the hackers decide to set up automatic sniffing to amass loads of user data within only a few minutes. Whatever the case, that individual is compromised and should now change their password. Oh, but wait: the connection is not secured, so now the password change will be logged and known as well.
SSL ensures that a connection is made private through a system called RSA, which by its nature makes the connection almost impossible to break. This is a lock-and-key based system. The individual requests an item from the server, and the server issues that individual the public key, a lock that only the web server has the key for. Upon the next request, the user locks their data up with it like a padlock, and the web server unlocks it to view the transaction details. This is the principle behind RSA and, by extension, SSL. Therefore SSL establishes a secure connection where only the web host and the client know what is going on.
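To make the padlock picture concrete, here is an added toy example (not code from this post) that walks through the lock-and-key idea with textbook RSA on deliberately tiny primes: the server publishes the open padlock (public key), the client locks a constructed sample login with it, an on-path observer sees only numbers, and only the server's private key opens it.

```python
# Toy illustration of the "lock and key" principle described above.
# Textbook RSA with tiny primes, for teaching only: real keys are 2048+ bits,
# and real TLS uses the public key only to agree on a symmetric session key.
from math import gcd


def make_toy_keypair(p=61, q=53, e=17):
    """Return ((e, n), (d, n)) built from two small primes (constructed values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def lock(public_key, message: bytes):
    """Client side: snap the padlock shut on each byte using the public key."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def unlock(private_key, ciphertext):
    """Server side: only the private exponent d reverses the lock."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def sniffer_view(ciphertext):
    """What an on-path observer sees on the wire: residues mod n, not the password."""
    return " ".join(str(c) for c in ciphertext)


def demo():
    public_key, private_key = make_toy_keypair()
    login = b"user=alice&pw=hunter2"  # constructed sample credential
    on_the_wire = lock(public_key, login)
    # Caveat shown by this toy: identical bytes lock to identical numbers, so an
    # observer can spot repeats. Real RSA adds randomised padding for that reason.
    return {
        "plaintext_http": login.decode(),      # what HTTP without SSL exposes
        "sniffed": sniffer_view(on_the_wire),  # what the observer sees with the lock
        "server_reads": unlock(private_key, on_the_wire),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```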
Now that the connection is secured, only the individual viewing the data and the server processing the requests can see the transaction. Everyone in the modern technological industry should be enforcing SSL and be cautious of the sites that do not use SSL. With web applications becoming more and more capable with banking, insurance, credit card companies, and more, said encryption is a requirement for any group or individual who wants to make a trusted and respectable website.
There used to be many excuses not to have SSL. It either cost too much or was outside the capability of the group's server to host and manage. Both of these concerns are nearly non-existent these days given current technology. Groups like Let’s Encrypt offer free SSL certificates and a system to install them easily. I personally have gone with the Let’s Encrypt route for installing a webroot certificate, but I have gone through the difficulties of enforcing my own policies to get an A+ rating on SSLLabs.
I feel this is an important topic for modern technology companies to understand. I still see companies not use this simple system and it just confuses me. Technology companies should be leading the front end of this push for better security across all systems. Whenever I see a company host a site that uses user data yet not secure the connection, I remind myself that this is equivalent to going to the restroom with no stall dividers, eating food that has been touched by practically everything, going to the bank with people watching you over your shoulder, and your UPS package being opened and repackaged many times before reaching its final destination.
I am writing this out of frustration at seeing “technology companies” still not secure their data, and as a PSA to anyone who thinks it is not that big of a deal.