How One "S" Can Make a Difference

by aestetix

Privacy is more important than ever.  With large corporations and governments alike spying on innocent people, we need to ensure both that we have tools which can protect us, and that we know how they work.  One of these tools is Transport Layer Security, or TLS (the successor to SSL, a name people still use for it).  In this article, we'll take a high level look at what TLS does, and how it helps protect us.

In order to understand how TLS works, we first need to understand how HTTP works.  Let's say we go to our web browser, type in:

http://www.2600.com/stores 

and hit Enter.  Here is what the server sees:

GET /stores HTTP/1.1
Host: www.2600.com

Notice how the www.2600.com and the /stores are split apart.  This is because the browser first connects to the host (www.2600.com) on port 80, and then, after the connection has been made, requests the path (/stores).

To break this down a bit more, let's outline the steps:

  1. The browser reads in the URL (http://www.2600.com/stores).
  2. The browser parses the URL into host (www.2600.com) and path (/stores).
  3. The browser then initiates a connection to the host on port 80.
  4. Once connected, the browser uses the connection to request the path.

When we connect on port 443 (for TLS), the browser makes a connection and then performs a TLS handshake, after which everything else sent on that connection is encrypted.  This means that only the server can see the request for /stores.  Let's outline the steps of the TLS connection to see the difference:

  1. The browser reads in the URL (https://www.2600.com/stores).
  2. The browser parses the URL into host (www.2600.com) and path (/stores).
  3. The browser then initiates a connection to the host on port 443.
  4. The host and browser perform a TLS handshake to encrypt the connection.
  5. Once the handshake has completed, the browser uses the encrypted connection to request the path.

The key difference here is that after Step 4, all communication between the browser and the host is encrypted inside the TLS connection.  This means that any government or third party trying to monitor our connection will see the host we connect to (the browser looks it up in DNS and also sends the name in plaintext at the start of the handshake, in a field called SNI), the server's IP address and port, and how much traffic goes back and forth, but not the path, the headers, or anything else inside the request.  Let's look at a few more examples to understand this more completely.

For a GET request with parameters, such as:

https://www.youtube.com/video-hash?has_verified=1

the host is www.youtube.com, the path is /video-hash, and has_verified=1 is the query string (the parameters).  The path and query string travel together in the request line, so when we connect to YouTube over TLS, both the path and all the parameters our browser passed along are encrypted.  The request looks like this:

GET /video-hash?has_verified=1 HTTP/1.1
Host: www.youtube.com

For a GET request with parameters and a cookie, the cookie (in this example, a session ID) is passed as a header.  Headers are part of the request, so they are also encrypted:

GET /video-hash?has_verified=1 HTTP/1.1
Host: www.youtube.com
Cookie: sessionid=1234

Once again, the only thing that a government spy will see is the connection between the browser and the host, in this case www.youtube.com.  Everything else is encrypted.

One last example to drive the point home: a POST request.  Where a GET request is generally used to ask for data, a POST sends data to the server, and it is what the browser uses when logging into a website or uploading a file.

A typical POST request might look like this:

POST /login HTTP/1.1
Host: www.youtube.com
Cookie: sessionid=1234
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

login=user&password=password

In this request, the last line (the body, or POST data, separated from the headers by a blank line) contains the login credentials for the user.  If our connection is using TLS, then the only thing the government or corporate spy on the network will see is the connection itself.  In other words, if our browser shows the TLS lock, nobody between us and the server can read our password off the wire.  Note what the lock does not say: it only means the connection to the host named in the URL is encrypted, not that the host is the one we meant to talk to (a phishing site can have a perfectly valid certificate), and anything running on our own machine sees the password before it is ever encrypted.
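To tie the steps above and the GET, cookie and POST examples together, here is an added example (my code, not from the original article) that parses a URL the way a browser does, builds the raw HTTP/1.1 request bytes, and shows what a passive observer on the network can read for http versus https.  The sample requests and the URLs are constructed for illustration; nothing is sent over the network.  It goes slightly beyond the article in one place: the https observer view models the host name as visible through the plaintext SNI field of the handshake, and the request size as the only other thing an observer learns (TLS record overhead and padding are ignored).

```python
"""Added example: which bytes of an HTTP request a network observer can
read, for http (port 80) versus https (port 443).  Not from the article;
the observer model (host via SNI, port, request size) is an assumption
stated in the lead-in.  Runs offline: requests are built in memory only."""
from urllib.parse import urlsplit, urlencode


def parse_url(url):
    """Split a URL into (scheme, host, port, target) the way a browser does
    before opening a socket.  'target' is the path plus any query string,
    which is what goes into the request line."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: " + parts.scheme)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return parts.scheme, parts.hostname, port, target


def build_request(url, method="GET", headers=None, form=None):
    """Return the raw HTTP/1.1 request bytes for url.  If form (a dict) is
    given it is sent as an application/x-www-form-urlencoded body, with the
    Content-Type and Content-Length headers a real browser would add."""
    scheme, host, port, target = parse_url(url)
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    body = b""
    if form is not None:
        body = urlencode(form).encode()
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    # A blank line ends the header block; the body, if any, follows it.
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def observer_view(url, method="GET", headers=None, form=None):
    """What someone watching the wire between browser and server can read.
    The server itself always sees the full output of build_request()."""
    scheme, host, port, target = parse_url(url)
    request = build_request(url, method, headers, form)
    if scheme == "http":
        # Port 80: the whole request crosses the wire in plaintext.
        return {"host": host, "port": port, "plaintext": request}
    # Port 443: the observer still learns the host name (assumption: from
    # the plaintext SNI field of the TLS ClientHello), the port and roughly
    # how many bytes were sent, but not the target, headers or body.
    return {"host": host, "port": port, "plaintext": b"",
            "request_size": len(request)}


if __name__ == "__main__":
    # Constructed sample: the article's login POST over http and over https.
    creds = {"login": "user", "password": "password"}
    cookie = {"Cookie": "sessionid=1234"}
    for scheme in ("http", "https"):
        view = observer_view(f"{scheme}://www.youtube.com/login",
                             "POST", cookie, creds)
        print(scheme, "observer sees:", view)
```

Running it prints the plaintext request, password included, for the http case, and only the host, port and a byte count for the https case.  The same build_request() output is what the server reads in both cases, which is the point of the next paragraph.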

While it is good practice to use TLS for everything, it's worth noting that the host we connect to (or whoever terminates TLS on its behalf, such as a CDN) sees everything in plaintext.  TLS protects data in transit, not data at its destination.  For this reason, it is important to know that we trust the host with our data, and it's also important to be aware of their data privacy practices.  What does the host do with the data it collects?  For Europeans, is the host General Data Protection Regulation (GDPR) compliant?

It's also not foolproof.  Vulnerabilities are occasionally found in TLS and in the software that implements it, and new versions are released that improve speed, reliability, and security by dropping weak ciphers.  As of this writing, the latest version is TLS 1.3; the old SSL versions and TLS 1.0 and 1.1 are deprecated and should not be used.  But in general, making sure we use TLS is good practice.  If you are at a login form for a website, make sure the URL says: https://

You can also have the browser do the checking in case we forget.  The Electronic Frontier Foundation's HTTPS Everywhere extension used to do this; it has since been retired because current browsers ship a built-in HTTPS-only mode that does the same job, so turn that on instead.

In conclusion, while using TLS is as simple as adding a single letter to our address bar, it has wide ranging consequences that work in our favor.  In an age where it is increasingly difficult to control who has access to our data, every bit counts.
