Skip to main content

SSL vs. TLS: The Future of Data Encryption

The Secure Socket Layer (SSL) protocol is responsible for keeping a lot of your online data secure, and the United States' National Security Agency (NSA) has likely already cracked it. Knowing what SSL and its more-secure successor, Transport Layer Security (TLS), are may help you keep your data safe from prying eyes.

On Sept. 5, the New York Times ran a detailed report about the NSA's ability to compromise almost any information that people — Americans or otherwise — use online. One of the organization's primary focuses, the report claimed, was on finding a way to crack SSL security and gain access to everything from email to online commerce records.

As more information emerges, citizens will likely learn how close the NSA has gotten to its goal, and what it intended to do with the information it gathered. In the meantime, though, it's important to understand just how SSL functions and why taking away the security it confers would be such a catastrophic loss.                                 

How SSL protects you

SSL protects data in transit by encrypting it. When you send an email, for example, you need to read its contents in order to write it, and the server needs to read its contents in order to deliver it. If you buy a DVD box set or a pair of shoes online, you need to enter your credit card number, and the vendor needs to see it.

There are, of course, plenty of people who don't need to see your private information — opportunists called "data sniffers" who steal data in transit and use it to their own advantage. Whether it's taking credit card numbers or intercepting sensitive business information, data-sniffing attacks are relatively easy as long as the data is unsecured.

Data that goes through SSL protocols is encrypted with a (theoretically) unbreakable algorithm that will not reveal its secrets unless it detects secure SSL certificates on both sides of an interaction — a process called a "handshake." Bypassing the encryption process could give data sniffers access to everything from private emails to online purchase records to bank account information.

MORE: Inside the Black Budget: 5 Things NSA May Be Working On

Better security with TLS

SSL is not the only security protocol online, of course, and there is no evidence that the NSA has targeted SSL's successor, called TLS. From a functionality standpoint, SSL and TLS are almost identical: TLS also encrypts data in transit and requires a "handshake" between two authorized servers before it spills its contents.

The differences between SSL and TLS are subtle and extremely technical, but TLS is generally a newer and more refined system. The safety of SSL's current version, 3.0, is comparable to TLS 1.0, but TLS 1.1 and 1.2 outstrip both by leaps and bounds. Even so, the two methods are so similar that some email programs even use the two terms interchangeably.

Users can access websites secured with SSL and TLS through a system called Hypertext Transfer Protocol Secure (HTTPS). You've probably seen green padlock icons in your browser's URL window while shopping or accessing your bank account, which indicate that the site is secure and running SSL or TLS protocols through an HTTPS site. Telling whether a site is running SSL or TLS, though, is generally much harder and beyond the scope of everyday Web browsing.

MORE: How HTTPS Safeguards Your Browsing

From a user standpoint, the safest thing about TLS is that the NSA does not appear to be targeting it (this, of course, could change). There is not much that users can do to prevent the NSA from cracking SSL protocols, but if you configure your own email software, you can set your preferences to TLS instead.

A website called ismymailsecure.com will let you know whether your email provider uses TLS protocols. Most private businesses and university servers do, as does Gmail; Yahoo Mail and Hotmail do not. Of course, the NSA can request information directly from Google as well, and the NSA documents unearthed hint that the agency is or is attempting to place spies within the major online companies. So using Gmail might not be a 100 percent secure solution.

In terms of Web browsing and online shopping, the safest recourse might be to use an HTTPS plugin like HTTPS Everywhere, which will automatically activate SSL or TLS protocols on a website if they are available. Granted, if a website only offers SSL functionality, it may not do much good, but it's better than taking no precautions at all.

Follow Marshall Honorof @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

  • MajinCry
    There is plenty that users can do to stop the NSA, just nothing that can be achieved by sitting in your chair.

    Hell, get a bunch of people, go up to the NSA's HQ and burn it to the ground; workers and all.

    Sure, that's only one head of the Hydra, but ya gotta start somewhere.
    Reply
  • koga73
    Bah the problem with BOTH is the handshake. If the traffic goes through an NSA server then they have the handshake which means they have the decryption keys. From this point its pretty easy to get the plain-text message.
    Reply
  • merikafyeah
    Even if you see the padlock, it doesn't mean you're secure:
    https://www.grc.com/fingerprints.htm

    You have to check the site's fingerprints in order to be (reasonably) certain that your secure line is not being intercepted.
    Reply
  • agnickolov
    While SSL/TLS can be used with certificates on both ends, in practice this is very very rare. Servers typically don't care who their clients are thus they don't request client certificates. This is actually a good thing, otherwise the system would be unusable by the average user. Not to mention the client costs to maintain a certificate would make it financially completely impractical.

    As far as snooping the SSL handshake, that won't gain you anything unless you know how to break the underlying cipher or have the server private key already. As mentioned in a few recent articles already, the underlying AES cipher is still mathematically sound, though the older 128 bit keys slowly get less and less secure primarily through computational advances enabling brute force attacks. I expect 128-bit AES to be completely replaced within 10 years with more critical deployments already switching to 256-bit keys.
    Reply
  • ammaross
    "As far as snooping the SSL handshake, that won't gain you anything unless you know how to break the underlying cipher or have the server private key already."

    According to the reports, that is EXACTLY how the NSA has "hacked" SSL: by obtaining the private keys through force or subterfuge (you think China is the only country to hack American companies?).
    Reply
  • dark_knight33
    @MajinCry

    I live within view of Fort Meade, aka NSA HQ. It's not one building, it's a compound. Your choice of entrances are either Military guard posts at FT Meade's front gates, or off-ramps from local highways that are guarded 24x7 by MD state troopers. You wouldn't make it close enough to do anything of consequence.

    The NSA is no joke. Given the current climate of fear and paranoia out there by both the populace and especially the NSA, I wouldn't make even moderately threatening statements towards them, lest you get labeled a domestic terrorist.
    Reply