SSL/TLS

Introduction

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the protocols behind most general-purpose encryption and security on the internet. These two cryptographic protocols secure communication between two or more applications over the internet. SSL/TLS certificates, together with their public and private key pairs, are used to establish an encrypted connection. The vast majority of internet traffic (HTTPS, FTPS, SMTPS, POP3S, and more) relies on SSL/TLS for encryption. The S at the end of HTTPS signifies HTTP plus SSL/TLS encryption.

History of SSL / TLS

Since their inception, SSL and TLS have gone through many versions:

  1. SSL 1.0 - Never released
  2. SSL 2.0 - Deprecated in 2011
  3. SSL 3.0 - Deprecated in 2015
  4. TLS 1.0 - Deprecated in 2021
  5. TLS 1.1 - Deprecated in 2021
  6. TLS 1.2 - Released in 2008 and still in use
  7. TLS 1.3 - Released in 2018 and still in use

SSL has been end-of-life since 2015. While no new website should use SSL, many legacy sites across the world still do. Browsers such as Google Chrome, Firefox, and Edge now warn users about, and even block, sites that don't comply with modern SSL and TLS standards. Additionally, while TLS is the de facto standard, SSL is still the brand name: SSL/TLS vendors advertise "SSL" certificates even though they only sell TLS certificates. This convention may shift in five years' time; for now, however, the common term is SSL and not TLS.

SSL offloading

SSL offloading, also called SSL termination, is the process of decrypting SSL traffic before it reaches the backend server. Because SSL encryption and decryption are CPU intensive, the proxy server or load balancer decrypts the message instead of the backend. Several advantages of this approach are:

  1. Simplifying the backend server model
  2. Only load balancers and proxy servers require SSL certificate installs
  3. Independent scaling of backend servers and middleware servers
  4. Caching certain SSL requests in the middleware, saving expensive compute time

While seemingly optimal, there is one large challenge: unencrypted data passes between the middleware and backend servers. If these two reside in the same data center this is not an issue, because the data never crosses an untrusted network. If they reside in different data centers, however, it becomes an issue because the data now needs to be re-encrypted. This introduces the concept of SSL passthrough.

SSL Passthrough

SSL passthrough differs from SSL offloading only in where decryption happens. The server decrypts the message instead of the load balancer or proxy server. The message stays encrypted until it reaches the server, but this comes at the expense of CPU-intensive decryption on the server. A smaller alternative is for the load balancer or proxy server to still perform SSL termination, but then re-encrypt the message with a self-signed SSL certificate before forwarding it to the server. This is still CPU intensive, but it allows some message optimizations at the load balancer or proxy server before the request hits the main server. A payment processing flow will use SSL passthrough for full end-to-end encryption.
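The three deployment patterns described in the SSL offloading and SSL passthrough sections, shown side by side as an added HAProxy configuration example (not from the original article). The certificate paths, CA file and backend addresses are assumed placeholders; the three frontends use different ports only so the file loads as one unit.

```haproxy
# --- (a) SSL offloading / termination: TLS ends at the proxy ---
frontend fe_offload
    mode http
    # Reject the deprecated versions listed above: TLS 1.2 is the minimum
    bind *:443 ssl crt /etc/haproxy/certs/example.pem ssl-min-ver TLSv1.2
    default_backend be_plain

backend be_plain
    mode http
    # Plain HTTP to the app servers: only acceptable when proxy and
    # backends share the same data center / trusted network segment
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check

# --- (b) Terminate, then re-encrypt towards backends elsewhere ---
frontend fe_reencrypt
    mode http
    bind *:8443 ssl crt /etc/haproxy/certs/example.pem ssl-min-ver TLSv1.2
    default_backend be_reencrypt

backend be_reencrypt
    mode http
    # The proxy can still inspect and optimize the request, but the hop to
    # the backend is encrypted again. Verify the backend certificate against
    # the internal CA rather than accepting any certificate (assumed path).
    server app3 10.1.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check

# --- (c) SSL passthrough: the proxy never decrypts; the app server does ---
frontend fe_passthrough
    mode tcp
    bind *:9443
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    # Raw TCP forwarding of the TLS bytes gives end-to-end encryption to the
    # server, at the cost of no caching or HTTP-level inspection at the proxy
    server pay1 10.2.0.11:443 check
```

Pattern (c) is the one the text recommends for a payment flow; (b) is the middle ground when the proxy and backends live in different data centers.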

DTLS

DTLS (Datagram Transport Layer Security) is a variant of SSL/TLS for UDP. This protocol exists because of UDP's sensitivity to latency. DTLS avoids problems such as the "TCP meltdown problem", but introduces additional challenges such as packet reordering and data loss. An example of DTLS in use is a VPN user connection.

Conclusion

SSL/TLS is important for end-to-end encryption across the internet. If this encryption ceased, everyday functions of the internet would be impossible. SSL/TLS enables users to send payment and personal information across the internet with peace of mind.