Website Security

Restricted and private data are at greater risk of being compromised when applications aren't properly secured. Take proper measures using these tools to protect restricted and private data.

What is TLS?

Transport Layer Security (TLS) protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering and message forgery. It's a successor to the Secure Sockets Layer (SSL) protocol that many of us are familiar with.

TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e. its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or application, such as a Web browser) can be sure with whom it is communicating. The next level of security—in which both ends of the "conversation" are sure with whom they are communicating—is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients, unless TLS-PSK or the Secure Remote Password (SRP) protocol are used, which provide strong mutual authentication, without needing to deploy a PKI.

Is the Problem Really Solved?

If you think about it, a general SSL certificate should "prove" that you’re seeing an authentic website. The reality is that pretty much anyone can get an SSL certificate at no cost, without proving anything. The only validation is that the "hostname," also known as the Fully Qualified Domain Name (FQDN) in the certificate matches what the browser says. Spammers buy domains and then get certificates for them, as no real validation occurs. For example, (note the dash after www) can get an SSL certificate that will show up as valid to a user. All an SSL certificate proves is that the URL matches the certificate. Many people fail to carefully check that the URL is sending them where they expect to be going, which leads to successful phishing attacks.

How Is this Problem Being Addressed?

Extended Validation (EV) Certificates are basically SSL certificates that require a more detailed background examination of the requesting entity. They require an establishment of a legal identity, so the applicant needs to own the domain, with all required documents signed by an authorized official. In short, it requires the sort of procedure that an SSL certificate should require in the first place.

See also