Most people don't think twice when they connect to a website. In the split second it takes for a (new) website to load, an awesome protocol runs behind the scenes to make sure that the website you are requesting to view is who it says it is.
TLS stands for Transport Layer Security and, in my personal opinion, is underappreciated, especially for how widely used it is.
The goal of TLS is to have you (the client) and the server agree on the same key to encrypt and decrypt any messages sent between the two of you. This is known as a symmetric key.
How do you agree on the same key? If either the client or the server sends the key over, then anyone eavesdropping can just steal the key and use it. To get the same key to both parties, asymmetric encryption is used.
In TLS 1.2, the client proposes key exchange algorithms and symmetric key encryption algorithms, and the server sends back which of them it prefers to use. This agreement doesn't exist in TLS 1.3: the client assumes that the key exchange is going to use a certain key exchange method, and therefore doesn't have to go through that round trip. Furthermore, TLS 1.3 deprecated insecure features such as SHA-1, DES, MD5 and AES-CBC (and some more). Another cool thing about TLS 1.3 is that it mandates perfect forward secrecy, meaning that there's an assurance that a session's key will not be compromised even if the secrets used in the session key exchange are compromised.
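To check this on your own machine, here is an added example (not code from the original post) that flags which cipher suites depend on the legacy features listed above and builds a client context that only accepts TLS 1.3. The function names and the sample suite list are made up for illustration, and the parsing of OpenSSL-style suite names is a simplification.

```python
import ssl

# Tags that mark an AEAD suite in OpenSSL cipher names; TLS 1.2 names without
# one of these (and without RC4/NULL) use a block cipher in CBC mode.
AEAD_TAGS = {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"}

def audit_suite(name):
    """List the legacy features named in the post that one suite relies on.

    Simplified parser for OpenSSL-style names (an assumption of this example).
    """
    if name.startswith("TLS_"):      # TLS 1.3 suite names: AEAD only, nothing legacy
        return []
    parts = name.split("-")
    findings = []
    if parts[0] not in ("ECDHE", "DHE"):   # static RSA etc.: no ephemeral exchange
        findings.append("no forward secrecy")
    if parts[-1] == "SHA":                 # a bare "SHA" suffix means HMAC-SHA1
        findings.append("SHA-1")
    if parts[-1] == "MD5":
        findings.append("MD5")
    if "DES" in parts or "CBC3" in parts:
        findings.append("DES/3DES")
    if not AEAD_TAGS & set(parts) and not {"RC4", "NULL"} & set(parts):
        findings.append("CBC mode")
    return findings

def audit_context(ctx):
    """Map each enabled suite in an SSLContext to its findings (clean ones omitted)."""
    report = {c["name"]: audit_suite(c["name"]) for c in ctx.get_ciphers()}
    return {name: found for name, found in report.items() if found}

def tls13_only_client():
    """Client context that refuses to negotiate anything older than TLS 1.3."""
    ctx = ssl.create_default_context()     # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

if __name__ == "__main__":
    # Constructed sample list, not captured from a real server.
    for suite in ("TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                  "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "DES-CBC3-SHA"):
        print(f"{suite:32} {audit_suite(suite) or 'ok'}")
    print("minimum version:", tls13_only_client().minimum_version.name)
```

Passing `ssl.create_default_context()` to `audit_context` shows which TLS 1.2 suites your local OpenSSL build still enables by default.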
I'm going to make a future post going into the details of the actual exchange of keys and the math behind it. Stay tuned!