What is Transport Layer Security (TLS)? A Complete Guide
What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) is a protocol for establishing secure connections between computers. Most commonly powering HTTPS connections, TLS ensures that sensitive information like passwords, credit card numbers, and personal data remains private during transmission.
As suggested by its name, TLS provides security for data that is sent through transport layer protocols. It does this by creating a secure connection (often conceptualized as a tunnel) through which data can be transmitted to its destination. You can think of TLS as a wrapper for transport layer protocols. TLS makes use of other algorithms and protocols to handle things like encryption and key exchange. However, TLS is not itself an encryption algorithm.
Now that we’ve got an idea of what TLS is, let’s understand how it works in the next section.
How Transport Layer Security works
Every time we see a padlock in our browser’s address bar, TLS is working hard behind the scenes. Let’s explore how it works.
TLS handshakes
To establish a secure connection, Transport Layer Security performs a multi-step process called the TLS handshake, which helps the client and server agree on how to communicate safely. The handshake serves two primary purposes:
- Server authentication: The client must verify the identity of the server to ensure it’s communicating with the correct party.
- Key agreement: The client and server must agree on a shared secret that will be used to derive symmetric encryption keys for secure communication.
The details of the handshake differ depending on the encryption and key exchange algorithms supported by the client and the server. In general, the process works like this:
- The client sends a “hello” message to the server, containing its supported protocol versions, cipher suites, and a random string of data called the client random.
- The server responds with its TLS certificate, the cipher suite it has chosen, and another random string of data called the server random.
- The client uses the server’s TLS certificate to authenticate the server.
- The client and the server exchange a piece of information called a premaster secret. The details of this exchange vary depending on the key exchange algorithm, but the result is that both the client and the server end up with the same premaster secret. The client and the server use the premaster secret, client random, and server random to generate session keys.
- The client and the server send each other messages encrypted using the session keys to test the connection.
- If everything works correctly, it means an encrypted connection has been established.
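The key-generation step above, as an added example written for this page (not Codecademy's code): the TLS 1.2 key derivation from RFC 5246, which turns the premaster secret, client random and server random into the session keys, using only Python's standard library. The sizes default to AES-128-GCM; the inputs in any caller are constructed sample values.

```python
import hashlib
import hmac

# Added example (RFC 5246 sections 5, 6.3 and 8.1); not code from the original page.

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: expand secret and seed to `length` bytes of keying material."""
    out = b""
    a = seed                                                       # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest() # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # The master secret is always 48 bytes; seed order is client_random + server_random.
    return prf(premaster, b"master secret", client_random + server_random, 48)

def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 0, key_len: int = 16, iv_len: int = 4) -> dict:
    """Split the key block into per-direction keys.
    Defaults match AES-128-GCM: no MAC key (AEAD), 16-byte key, 4-byte fixed IV.
    Caveat: key expansion flips the seed order to server_random + client_random."""
    block_len = 2 * (mac_len + key_len + iv_len)
    block = prf(master_secret, b"key expansion", server_random + client_random, block_len)
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def session_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """What each peer computes after the premaster exchange; both sides get identical keys."""
    master = derive_master_secret(premaster, client_random, server_random)
    return derive_keys(master, client_random, server_random)
```

Because both peers feed the same three inputs into the same PRF, the client's client_write_key equals the server's client_write_key, which is why the Finished messages can be checked with keys that never crossed the wire.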
TLS authentication
Transport Layer Security uses public key infrastructure (PKI) to handle authentication for servers. PKI is a system where a trusted third party called a certificate authority verifies ownership of a server’s public key and digitally signs the server’s TLS certificate. A client can verify the certificate’s authenticity using the certificate authority’s public key. In practice, this involves a hierarchy of certificate authorities and certificates, some of which are part of a computer’s operating system.
Now, let’s discuss how Transport Layer Security operates compared to SSL (Secure Sockets Layer).
TLS vs. SSL: key differences
SSL is the predecessor of TLS. Like TLS, it is a protocol meant to establish secure communications between computers.
Here are the differences between TLS and SSL:
| Aspect | TLS | SSL |
|---|---|---|
| Security | Stronger encryption | Vulnerable to many attacks |
| Performance | Better handshake speed and reduced latency | Slower and less efficient |
| Compatibility | Widely supported | Mostly unsupported in modern systems |
| Cipher suites | Supports AEAD (e.g., AES-GCM, ChaCha20-Poly1305) | Uses outdated cipher suites (e.g., RC4) |
| Handshake process | More efficient and secure | More round trips and insecure handshakes |
| Forward secrecy | Strong support in TLS 1.2+ | Not guaranteed |
| Use today | Standard protocol for HTTPS, email, VPNs, etc. | No longer recommended |
Finally, let’s go through some best practices for implementing Transport Layer Security.
TLS best practices
Here is a list of best practices for using Transport Layer Security:
- Use the latest TLS versions: Always use TLS 1.3 or TLS 1.2 for secure communication. Older versions like TLS 1.0, TLS 1.1, and SSL are deprecated and vulnerable to known attacks.
- Disable deprecated protocols: Ensure that insecure protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are completely disabled on your servers to reduce the attack surface.
- Use strong cipher suites: Configure your server to use modern, secure cipher suites such as AES-GCM or ChaCha20-Poly1305 with ECDHE for perfect forward secrecy. Avoid weak ciphers like RC4 and DES.
- Ensure perfect forward secrecy (PFS): Enable cipher suites that support PFS, such as those using ECDHE or DHE, to prevent past communications from being decrypted if your private key is ever compromised.
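The four practices above applied to one server configuration, as an added example written for this page (not Codecademy's code) using Python's standard `ssl` module. The certificate and key paths mentioned in the comment are placeholders and are not loaded here; the weak context exists only for comparison.

```python
import ssl

# Added example for this page; not code from Codecademy or from any project.

def hardened_server_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Disable SSL 2.0/3.0, TLS 1.0 and TLS 1.1 by refusing anything below TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ECDHE (forward secrecy) with AEAD only; RC4, DES, 3DES and MD5 excluded.
    # TLS 1.3 suites are all AEAD with ephemeral key exchange and are not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES:!3DES")
    # A real deployment would now call ctx.load_cert_chain("server.crt", "server.key")
    # (placeholder paths) before wrapping sockets.
    return ctx

def weak_context_for_comparison() -> ssl.SSLContext:
    """Constructed weak configuration: RSA key exchange, CBC mode, no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-SHA")
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings against the best practices above; an empty list means all pass."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS 1.1 or older")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with an ephemeral key exchange
        if "DHE" not in name:  # covers ECDHE and DHE
            findings.append(f"no forward secrecy: {name}")
        if "GCM" not in name and "CHACHA20" not in name:
            findings.append(f"non-AEAD suite: {name}")
        if "RC4" in name or "DES" in name:
            findings.append(f"weak cipher: {name}")
    return findings
```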
Applying these best practices will enable us to implement TLS efficiently.
Conclusion
In this guide, we explored what TLS is and how it works. We compared TLS with SSL, from which we can conclude that TLS is far superior to SSL in various aspects and is the recommended protocol to use when it comes to implementing security in today’s world. We also went through some best practices that will help us use TLS effectively.
TLS is a core protocol for the modern internet, enabling secure communications, web browsing, and more. Websites that don’t support TLS will find themselves unable to use HTTPS to securely communicate with visitors, running the risk of sensitive data exposure. Additionally, modern browsers flag any website that does not use HTTPS or has expired/invalid TLS certificates as insecure, often preventing users from visiting them. How you implement TLS will depend on the combination of technologies you’re using, but to create a secure experience on the modern web, developers need to ensure their websites are using TLS.
If you want to learn more about securing your device, check out the Introduction to Personal Digital Security course on Codecademy.
Frequently asked questions
1. Is TLS HTTP or TCP?
TLS is neither HTTP nor TCP. It’s a separate protocol that sits between the application layer (like HTTP) and the transport layer (like TCP). TLS encrypts the data before it’s sent over TCP and decrypts it after it’s received. Think of it as a security wrapper for protocols like HTTP, SMTP, or FTP.
2. Is TLS layer 4 or 7?
TLS operates between Layer 4 (Transport) and Layer 7 (Application) of the OSI model. It’s often referred to as sitting at Layer 6 (Presentation Layer) because it handles encryption, decryption, and data formatting, which are responsibilities of that layer.
3. Is TLS better than HTTP?
TLS is not a replacement for HTTP—it’s a security layer for it. When combined with HTTP, it forms HTTPS (HTTP over TLS), which encrypts the communication between your browser and the server.
4. What is the difference between TCP and TLS?
TCP is a transport protocol that ensures reliable delivery of data between devices, but it doesn’t provide security. TLS is a cryptographic protocol that works on top of TCP to encrypt and protect that data during transmission.
5. What are the two protocols in TLS?
TLS is made up of two main protocols:
- Handshake Protocol: Used to authenticate the server (and optionally the client), negotiate encryption settings, and establish a shared secret key.
- Record Protocol: Used after the handshake to encrypt and transmit the actual data securely between the client and the server.
The Codecademy Team, composed of experienced educators and tech experts, is dedicated to making tech skills accessible to all. We empower learners worldwide with expert-reviewed content that develops and enhances the technical skills needed to advance and succeed in their careers.