An Introduction to Transport Layer Security

Protect sensitive data — and comply with regulations — with TLS/SSL

By: Carlos Bergfeld

August 28, 2009

Transport Layer Security (TLS) is an industry-standard security protocol that enables encrypted network communications. If your organization stores or processes payment or healthcare data, or if it collects confidential user information in general, using security safeguards such as TLS or SSL may not only be a good idea, but legally mandated.

Below, we'll show you how TLS/SSL works, when you should use it, and how you can implement it at your organization.

What is TLS/SSL?

TLS is the successor to Secure Sockets Layer (SSL), an older cryptographic protocol. TLS/SSL can be used to create a secure environment for web browsing, emailing, or other client-server applications.

TLS/SSL encryption requires the use of a digital certificate, which contains identity information about the owner (such as the server's host name) as well as a public key. The public key is used during connection setup to establish a shared session key; the bulk of the traffic is then encrypted with that session key rather than with the public key directly. A certificate is installed on a server together with its private key, which must be kept secret, since anyone holding it can impersonate the server. Typically this is a web server if the intention is to create a secure web environment, although certificates can also be installed on mail or other servers to encrypt other client-server communications.

Securing a web server with TLS/SSL

This is probably the most common application of TLS/SSL. If used with a web server, TLS/SSL can encrypt online transactions and confidential data relayed between a user's web browser and a website. A secured web server can be identified by a padlock symbol at the bottom of the browser window or in the address bar, as well as by a URL that begins with https rather than http. Note that the padlock only means the connection is encrypted and the certificate was issued by an authority the browser trusts for that site's name; it says nothing about who operates the site or how they handle data once it arrives. It is also only effective if the whole page, including login and payment forms and any scripts the page loads, is served over https.

Securing a mail server, database server, or directory server with TLS/SSL

TLS/SSL can be used with mail servers to encrypt the connection between a mail client and the server (for example, when the client retrieves mail over IMAP or POP or submits it over SMTP) and, where both ends support it, between two mail servers exchanging messages. This protects a message in transit on that hop only; it does not encrypt the stored message, and a message that passes through a server that does not use TLS/SSL is exposed there. A ribbon or similar icon in the recipient's email client indicates that the message itself was signed or encrypted with a message-level mechanism such as S/MIME, which is separate from TLS/SSL. TLS/SSL can similarly be used with database and directory servers (for example, LDAP over TLS) to encrypt the queries and results exchanged between an application and the server.

Securing a virtual private network (VPN) with TLS/SSL

TLS/SSL can be used by a VPN appliance to encrypt the connection between a remote user's computer and the network being accessed. For more information on how TLS/SSL works with VPN, see TechSoup's article Four Tools for Private Communication.

How Does TLS/SSL Work?

The encryption methods TLS/SSL employs are rather complex — par for the course when you're dealing with a cryptographic security protocol. What follows is a simplified explanation.

A TLS/SSL session is set up and authenticated with what is known as a "handshake." The client first sends the server a "hello" message that lists the client's supported cryptographic capabilities (the protocol versions and cipher suites it can use) together with a freshly generated random value. Being a well-mannered machine, the server sends back a "hello" message of its own, containing its own random value and its choice of one of the listed cipher suites, to ensure the client and server will be able to speak the same language. If the two share no acceptable cipher suite, the handshake fails at this point.

The server then sends its TLS/SSL certificate, which contains its public key, and may request a certificate from the client if client authentication is necessary. The client checks that the server's certificate is valid: that it was signed by a certification authority the client trusts, that it has not expired, and that the name in it matches the server the client meant to reach. If any of these checks fails (for instance, because an untrusted certificate was installed on a web server), this is when a security warning would pop up in a web browser. The client then sends its own certificate if one was requested.

The client then generates a random secret (the "pre-master secret"), encrypts it with the server's public key, and sends it to the server. Only the holder of the matching private key can decrypt it, so an eavesdropper who records the handshake learns nothing useful. From this secret and the two random values exchanged in the hello messages, client and server each independently derive the same session keys, which are then used to encrypt and authenticate the data they exchange. Both sides then send a message notifying the other that all further communication will be encrypted, followed by a final "finished" message that is itself encrypted and contains a check value computed over every handshake message so far; if an attacker tampered with any earlier message, the finished messages will not verify and the connection is dropped. This ends the handshake and allows encrypted data exchange to begin.

The description above is of the RSA key exchange, in which the session keys depend on the server's private key. Cipher suites based on ephemeral Diffie-Hellman instead have the two sides agree on the secret with a fresh key agreement for each session, so that a later compromise of the server's private key does not expose traffic recorded earlier (a property called forward secrecy). Where both sides support such suites, the choice is made in the hello messages.

While this may seem like a lengthy process, a TLS/SSL handshake in most cases takes less than a second.
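The handshake described above, simulated with both sides in one Python process. This is an added example, not code from the original article or from any real TLS library: a textbook RSA key pair built from two hard-coded Mersenne primes stands in for the server certificate's key, HMAC-SHA256 stands in for the TLS key-derivation function and for record encryption, the host name www.example.org is assumed, and certificate validation is not modelled. The cipher suite names are real TLS 1.0-1.2 RSA suites; the rest of the message contents are constructed for illustration.

```python
"""Simplified TLS-style handshake with RSA key exchange, both sides simulated in one process.
Toy RSA (hard-coded Mersenne primes) stands in for the certificate's key; HMAC-SHA256 stands
in for the TLS PRF and for record encryption. Illustration of the message flow only."""
import hashlib
import hmac
import os

# Toy server key pair: 2^127-1 and 2^89-1 are prime. Real keys are at least 2048 bits and
# RSA encryption uses PKCS#1 padding; neither is modelled here.
RSA_P = (1 << 127) - 1
RSA_Q = (1 << 89) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # private exponent, held only by the server
SERVER_CERT = {"subject": "www.example.org", "n": RSA_N, "e": RSA_E}  # assumed host name
SERVER_SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
PREMASTER_LEN = 24  # 48 bytes in real TLS; shortened so the value fits under the toy modulus

def prf(secret, label, seed, length):
    """HMAC-SHA256 expansion in the style of the TLS P_hash construction."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def client_hello(suites):
    """ClientHello: a fresh random plus the cipher suites the client supports, in preference order."""
    return {"random": os.urandom(32), "suites": list(suites)}

def server_hello(hello):
    """ServerHello: pick the first client suite the server also supports, or refuse the handshake."""
    chosen = next((s for s in hello["suites"] if s in SERVER_SUITES), None)
    if chosen is None:
        raise ValueError("handshake_failure: no cipher suite in common")
    return {"random": os.urandom(32), "suite": chosen, "certificate": SERVER_CERT}

def client_key_exchange(cert):
    """ClientKeyExchange: random pre-master secret, encrypted to the certificate's public key."""
    premaster = os.urandom(PREMASTER_LEN)
    encrypted = pow(int.from_bytes(premaster, "big"), cert["e"], cert["n"])
    return premaster, encrypted

def server_decrypt_premaster(encrypted):
    """Only the holder of the private exponent can recover the pre-master secret."""
    return pow(encrypted, RSA_D, RSA_N).to_bytes(PREMASTER_LEN, "big")

def derive_keys(premaster, client_random, server_random):
    """Master secret, then separate client-write and server-write keys, from the secret and both randoms."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    return master, block[:32], block[32:]

def finished(master, label, transcript):
    """Finished verify_data: PRF over the master secret and a hash of every handshake message so far."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)

def seal(key, seq, plaintext):
    """Toy record protection: keyed keystream XOR plus an HMAC over the sequence number and ciphertext."""
    nonce = seq.to_bytes(8, "big")
    stream = prf(key, b"stream", nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_record(key, seq, record):
    """Reject the record if its MAC does not verify; otherwise recover the plaintext."""
    nonce = seq.to_bytes(8, "big")
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad_record_mac")
    stream = prf(key, b"stream", nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def run_handshake(client_suites=("TLS_RSA_WITH_AES_128_CBC_SHA",), app_data=b"GET /donate HTTP/1.1"):
    """Drive both sides through the handshake, then send one protected application record."""
    ch = client_hello(client_suites)
    sh = server_hello(ch)
    premaster, encrypted = client_key_exchange(sh["certificate"])
    transcript = repr(ch["suites"]).encode() + ch["random"] + sh["random"] + encrypted.to_bytes(32, "big")
    # Each side derives the keys on its own; nothing on the wire yields them without RSA_D.
    c_master, c_write, c_expect_s = derive_keys(premaster, ch["random"], sh["random"])
    s_master, s_expect_c, s_write = derive_keys(server_decrypt_premaster(encrypted), ch["random"], sh["random"])
    # Finished messages: each side proves it holds the same master secret and saw the same transcript.
    client_fin = finished(c_master, b"client finished", transcript)
    if not hmac.compare_digest(client_fin, finished(s_master, b"client finished", transcript)):
        raise ValueError("decrypt_error: client Finished did not verify")
    server_fin = finished(s_master, b"server finished", transcript + client_fin)
    if not hmac.compare_digest(server_fin, finished(c_master, b"server finished", transcript + client_fin)):
        raise ValueError("decrypt_error: server Finished did not verify")
    record = seal(c_write, 0, app_data)  # first encrypted application-data record, client -> server
    return {"suite": sh["suite"], "keys_match": c_write == s_expect_c and s_write == c_expect_s,
            "server_received": open_record(s_expect_c, 0, record)}
```

Calling run_handshake() walks through the negotiation, the encrypted pre-master secret, the independent key derivation on each side, and the mutual Finished check before the first protected record is sent. Two failure modes from the text are visible here: server_hello refuses when the client offers no suite the server accepts, and open_record refuses a record whose contents were changed in transit. What the simulation deliberately leaves out is the certificate check; in a real client that check happens before the pre-master secret is ever encrypted, and skipping it is exactly what lets an impostor with its own key pair sit in the middle.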

Does My Organization Need to Use TLS/SSL?

Whether you need to use TLS/SSL depends on your organization's activities. For organizations involved in health services or payment processing, using a security protocol such as TLS/SSL to encrypt network communications may be a federal or commercial requirement. For other organizations, using TLS/SSL might simply be a good idea.

Organizations involved in health services

For organizations involved in health services, using security safeguards such as TLS/SSL may be a federal requirement. Any organization that transmits electronic billing information to any health insurance provider, Medicare, or Medicaid is covered by the Health Insurance Portability and Accountability Act (HIPAA) and must meet certain security standards. Additionally, any organization that stores or transmits user login or patient information may need to be compliant with the HIPAA Security Standard, even if it is not technically a covered entity. It is important to remember that security protocols such as TLS/SSL can help an organization become HIPAA compliant, but they do not provide compliance on their own. For more information on HIPAA and finding out whether you need to comply with its requirements, see Idealware's article In Search of HIPAA-Compliant Software and visit the official HIPAA website at the Department of Health and Human Services.

Organizations that store or process payment information

For organizations that store or process payment information, such as donor credit card numbers, implementing TLS/SSL may be a requirement of the Payment Card Industry Data Security Standard (PCI DSS). This standard was created by the PCI Security Standards Council, a group of several major payment card brands, to protect cardholder data. Organizations may be required to comply with the PCI DSS by their acquiring bank or payment processor. You may have heard the term PCI-compliant in reference to certain websites, meaning that these sites have proven their compliance with these standards. As with the HIPAA standards noted above, it is important to remember that security protocols such as TLS/SSL can help an organization become PCI compliant, but they do not provide compliance on their own. For more information on the PCI DSS and compliance, read TechSoup's article Laws for Organizations that Accept Online Payments or visit the PCI SSC website.

Other organizations

If an organization stores confidential user information but does not transmit health or payment information, it may still want to implement security safeguards like TLS/SSL. Staff, volunteers, and constituents will appreciate knowing that their personal information, like addresses or phone numbers, is secure when accessed via an organization's Intranet. Organizations associated with human rights and justice could benefit from encryption by protecting the information and even identities of the people they serve. The use of TLS/SSL can also provide secure connections for organizations accessing their networks remotely. Though these safeguards would not be required by the federal government or a commercial entity, they could help to ensure an organization's mission is not compromised by security breaches.

How Can My Organization Use TLS/SSL?

Most uses of TLS or SSL require a digital certificate from a certification authority or certificate authority (CA), a trusted authority that can attest to the identity of the certificate owner. Organizations will need a system or network administrator who is familiar with whichever client-server applications need to be secured to enable TLS/SSL encryption.

If an organization purchases a certificate from a trusted CA, that certificate will carry the digital signature of the certification authority, attesting that the CA verified the certificate's owner. Organizations can also create their own certificates, known as self-signed certificates. These provide the same encryption, but a web browser has no way to tell a legitimate self-signed certificate from one presented by an impostor, so it will display a security warning to any user who visits a website with one. Self-signed certificates are therefore reasonable only for internal systems where the administrator can install the certificate as trusted on every client in advance; training users to click past the warning defeats the purpose of the certificate.

Certificates are usually issued for a one-year period and must be renewed before they expire, since an expired certificate produces the same browser warning as an untrusted one. Different security features may be available depending on the vendor; most of these features are targeted at organizations that will install the certificates on web servers.

Although there are several commercial certification authorities, the top ones include VeriSign, Comodo and Go Daddy. Visit each of those organization's websites to compare prices or request a certificate. Comodo security products are also available through TechSoup Stock for eligible organizations.

Organizations that Use TLS/SSL

Organizations of various sizes have made use of TLS/SSL for many of the purposes described here. A good example is the National Cristina Foundation, a nonprofit organization that provides computers and other technology to people with disabilities, students at risk, and the economically disadvantaged. Their website uses SSL to secure an online form that is filled out by parties who wish to donate computers or other items to the organization. The organization also uses SSL to encrypt its online grant application used by prospective recipients to obtain the technology they need.

Another nonprofit organization, Blood Centers of the Pacific, uses SSL encryption on its Blood Heroes blood donation website to allow donors to securely enter their information, make appointments, and view health information about their blood. And of course, TechSoup uses SSL certificates to keep its own members' information secure. The TechSoup login page uses this encryption, as does the entire checkout process on TechSoup Stock.

Conclusion

No single security measure will fully protect your organization from data breaches, but implementing security protocols like TLS/SSL can reduce the chances of such threats. If you are not obligated by law or commercial edict to implement a protocol like TLS/SSL but think it might be a good idea, you should find out whether you have the technical staff and resources to do so. Staff and constituents who are worried about their information's safety will likely appreciate these safeguards; erring on the side of caution when it comes to data security is typically a prudent choice.