Transport Layer Security (TLS)

Transport Layer Security (TLS)

TLS refers to the process of securely transmitting data between the client—the app or browser that your customer is using—and your server. This was originally performed using the SSL (Secure Sockets Layer) protocol. However, this is outdated and no longer secure, and has been replaced by TLS. The term SSL continues to be used colloquially when referring to TLS and its function to protect transmitted data.
Payment pages must make use of a modern version of TLS (for example, TLS 1.2) as it significantly reduces the risk of you or your customers being exposed to a man-in-the-middle attack. TLS attempts to accomplish the following:
Encrypt and verify the integrity of traffic between the client and your server
Verify that the client is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it, there’s no guarantee that you’re encrypting traffic to the right recipient.
Additionally, our customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase your customer conversion rate. NSPECT.IO Uses Wix, Stripe Payments and Google for marketplace which is using TLS by default.

What is the Working Principle of SSL/TLS?
There is a server-client-side working logic between the user and the internet server. The user
requests a connection from the internet server and in return, the internet server sends the
client, that is, the "public key" with the certificate to the user. The Internet browser evaluates
the certificate to check the information that the client has used and sent. If the browser passes
the certificate authority, it generates a symmetric key. The public key encrypts this symmetric
key and transmits the message to the server. The message coming to the server is tried with the
"public key" and if the message matches, it opens and runs the symmetric key with its own
"private key". The server uses this symmetric key to move the data to the client as it wishes.
The client, on the other hand, uses the data from the server and the activated symmetric key to
reach the information it wants in the browser.

TLS protocol prevents users from eavesdropping and making changes without users' consent,
and allows applications to communicate over the network between client and server. In order
for the client to use the TLS connection, it must express its desire to establish a TLS connection
or not. There are two main ways in which this request can be expressed.

The first of these ways; It is the use of different port numbers for TLS extensions. For example;
Port number 443 used for HTTPS. The second way is; an ordinary port number is used. In this
case, the client specifies that the server should forward the connection to the TLS protocol,
with the TLS protocol customized mechanism on behalf of clients. Then, when the client
requests a secure connection from the activated server and this request is fulfilled, the
connection process, which we call the "handshake", begins to take place.

The server has encryption and hash function information from the secure information
requested by the client. The client is supported by the server, and in return, the client sends its
requests with a certificate, which is a numeric identity. The numeric ID includes the trusted
certificate manager, the public encryption key the server has, and the name the server has.
Then the client checks the reliability and validity of the certificate sent by the server and tries to
generate the session key in a secure connection. The client sends the passwords and encrypted
message to the server by sharing any number with the "public key" of the server. The server
can reach the stage of decrypting this encrypted message using only the "private key".
The client and server generate a "master key" of random numbers. After obtaining the "master
key", the client and server generate a public key for encryption and decryption. This key is also
called the "session key". Thus, the connection process, which we also call the "handshake"
between the client and the server, is ended and a secure connection is established between the
client and the server.

After this stage, the client and the server must retain the data they have sent to each other.
Afterwards, they are expected to encrypt the data they hold and to preserve the data they
encrypt. These three operations are transferred to the last generated session key and the
process is reduced to a much simpler one. There is no need to use either the "master key" or
the "public key" anymore.


Algorithm in TLS Protocol

Session keys, like every software, have algorithms and session keys are created and run through
these algorithms. Before the exchange of information secured by TLS on the client and server,
in order to encrypt the data; They must agree on the encryption algorithm to be used and the
encryption key.
“Public key” certificates are used throughout the change and during this change, they vary
according to the size of “private key” and “public key”. This ensures a high level of security.
Data Integrity of Algorithms in TLS Protocol
While it is important for algorithms to preserve the integrity of the data, it is a difficult path.
However, the TLS protocol has improved itself a lot in this regard and has thus managed to
preserve data integrity. In order to establish data integrity, the verification code we call
"message authentication code" is used. CBC modes are used for block ciphers and HMAC
modes are used for string ciphers. AEAD is used for verified encryptions such as CCM and HCM
mode.


TLS Applications

During the design of applications, TLS continues to develop on any transport layer, while TLS
maintains the major protocols of the applications. In other words, it hides some properties and
functions of any object from another class and objects. Reliable transport protocols are
considered and preferred in the past and today. However, besides these reliable transport
protocols, data-based protocols were also used and TLS was developed in this way.
Websites that can be used on behalf of TLS
The most used form of TLS is prepared for websites. The reason for this is that it makes the
transmission dangers that come with the "http" protocol in the web pages and browsers on the
internet more reliable with the "HTTPS" protocol.


Web Browsers That Can Be Used On Behalf Of TLS

The most popular web browsers we've all heard of at least once, support the latest and
advanced versions of TLS in their latest versions. Web browsers also provide these supports by
default. However, despite all this, it is also known that some old versions of web browsers have
problems with the latest and advanced versions of TLS.


Libraries that can be used on behalf of TLS

Botan is encryption created using C++ language with BSD license. Botan portable uses open
source encryption and is a library used to prevent unwanted data in the content from being
read by undesired parties. Well; Thanks to Botan, we can prevent unwanted data in the content
from being read by unwanted parties.
Cryptlib is a library that uses portable open-source encryption like Botan to make the content
unintelligible in order to prevent unwanted data in the content from being read by unwanted
parties, like Botan.

People dealing with Delphi programming based on Pascal language can use the Indy library,
which was created by utilizing OpenSSL (open source implementation of TLS protocol).
GnuTLS: Although the LGPL licensed and fully permitted Java Secure Socket Extension has
enabled TLS 1.1 and TLS 1.2 support since Java 7, the Java Runtime Environment is disabled for
users. Despite this, the Java Runtime Environment is still more active from the server side. As of
Java 8, it is active and available for both the user and the server.
LibreSSL, which belongs to the Transport Layer Security protocol and is an open source
implementation, is the implementation of OpenSSL made by OpenBSD.
mbed TLS, previously called PolarSSl, is a small SSL library made for use in embedded
systems.

Network Security Services: It is an open source library that is also certified by FIPS 140.
OpenSSL is a free-to-use application for users. It is also a BSD licensed application.
SChannel: It is an application that creates TLS and SSL packages of Microsoft Windpws
systems.
Secure Transport: It is an application that creates TLS and SSL packages of iOS and OS X
systems.


Other Uses for TLS

Since SMTP, which is the e-mail sending protocol with its short name, requires a secure
infrastructure, as in the others, we can easily protect our e-mails by applying TLS for sending emails.
At the same time, these applications can easily verify their most recent transactions
through digital certification and the handshake method we mentioned earlier.
TLS also offers the VPN usage that most of us know, because we see similar structural features
in VPN. It is a protocol in which the entire network is covered by tunneling as a result of using
TLS. Tunneling can be expressed as: It is a protocol that covers another data packet that uses
different communication protocols to read the data within its own data, but the data packet it
covers must be complete. It aims to create a tunnel between two points in a single network
that can transmit any type of data you can think of, seamlessly and securely.
VPNs based on TLS, after a certain period of time, have shown a large number of effects and
played a role in applications where client servers can be taken as a basis, apart from web
browsers.
TLS also plays an important role in the SIP application, which is the Session Initiation Protocol,
and plays a standard role in protection.

31302093 ISMS17 2022-08-02 english_page-0001.jpg
31302093 ISMS17 2022-08-02 english_page-