What is SSL/TLS Encryption?

TLDR: SSL/TLS encrypts communications between a client and server, primarily web browsers and web sites/applications. 

SSL (Secure Sockets Layer) encryption, and its more modern and secure replacement, TLS (Transport Layer Security) encryption, protect data sent over the internet or a computer network. This prevents attackers (and Internet Service Providers) from viewing or tampering with data exchanged between two nodes—typically a user’s web browser and a web/app server. Most website owners and operators have an obligation to implement SSL/TLS to protect the exchange of sensitive data such as passwords, payment information, and other personal information considered private.

SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session between a client and a server, and symmetric encryption is used to exchange data within the secured session. 

A website must have an SSL/TLS certificate for their web server/domain name to use SSL/TLS encryption. Once installed, the certificate enables the client and server to securely negotiate the level of encryption in the following steps:

1. The client contacts the server using a secure URL (HTTPS…).
2. The server sends the client its certificate and public key.
3. The client verifies this with a Trusted Root Certification Authority to ensure the certificate is legitimate.
4. The client and server negotiate the strongest type of encryption that each can support.
5. The client encrypts a session (secret) key with the server’s public key, and sends it back to the server.
6. The server decrypts the client communication with its private key, and the session is established.
7. The session key (symmetric encryption) is now used to encrypt and decrypt data transmitted between the client and server.

Both the client and server are now using HTTPS (SSL/TLS + HTTP) for their communication. Web browsers validate this with a lock icon in the browser address bar. HTTPS functions over Port 443.

Once you leave the website, those keys are discarded. On your next visit, a new handshake is negotiated, and a new set of keys are generated.

SSL/TLS encryption is great for security because it increases confidentiality and integrity of data communication. However, because attackers also use encryption to hide malicious payloads, effective SSL/TLS decryption is necessary for inspection tools such as IDS/IPS, next-gen-firewalls, secure web gateway (SWG), and others that need decrypted data to perform their inspections. 

Attackers know that organizations have challenges decrypting and inspection traffic—and they use that knowledge to their benefit. By taking advantage of encryption, attackers can bypass most inspection devices to deliver malware inside the network. Also, encrypted data exfiltration bypasses security tools without scrutiny.

Many security inspection devices have trouble just scaling to meet the onslaught of malicious traffic, much less decrypting, inspecting, and then re-encrypting it again. To keep their data secure, organizations need better visibility into encrypted traffic while orchestrating their security inspection zone to efficiently manage flow, process, and risk.

Learn more about SSL Decryption.