Secure Socket Layer (SSL) protocol is responsible for keeping a lot of your online data secure, and the United States’ National Security Agency (NSA) has likely already cracked it. Knowing what SSL and its more-secure successor, Transport Layer Security (TLS), are may help you keep your data safe from prying eyes.
On Sept. 5. 2013, the New York Times ran a detailed report about the NSA’s ability to compromise almost any information that people — Americans or otherwise — use online. One of the organization’s primary focuses, the report claimed, was on finding a way to crack SSL security and gain access to everything from email to online commerce records.
As more information emerges, citizens will likely learn how close the NSA has gotten to its goal, and what it intended to do with the information it gathered. In the meantime, though, it’s important to understand just how SSL functions and why taking away the security it confers would be such a catastrophic loss.
How SSL protects you
SSL protects data in transit by encrypting it. When you send an email, for example, you need to read its contents in order to write it, and the server needs to read its contents in order to deliver it. If you buy a DVD box set or a pair of shoes online, you need to enter your credit card number, and the vendor needs to see it.
There are, of course, plenty of people who don’t need to see your private information — opportunists called “data sniffers” who steal data in transit and use it to their own advantage. Whether it’s taking credit card numbers or intercepting sensitive business information, data sniffingattacks are relatively easy as long as the data is unsecured.
Data that goes through SSL protocols is encrypted with a (theoretically) unbreakable algorithm that will not reveal its secrets unless it detects secure SSL certificates on both sides of an interaction — a process called a “handshake.” Bypassing the encryption process could give data sniffers access to everything from private emails to online purchase records to bank account information.
Better security with TLS
SSL is not the only security protocol online, of course, and there is no evidence that the NSA has targeted SSL’s successor, called TLS. From a functionality standpoint, SSL and TLS are almost identical: TLS also encrypts data in transit and requires a “handshake” between two authorized servers before it spills its contents.
The differences between SSL and TLS are subtle and extremely technical, but TLS is generally a newer and more refined system. The safety of SSL’s current version, 3.0, is comparable to TLS 1.0, but TLS 1.1 and 1.2 outstrip both by leaps and bounds. Even so, the two methods are so similar that some email programs even use the two terms interchangeably.
Users can access websites secured with SSL and TLS through a system called Hypertext Transfer Protocol Secure (HTTPS). You’ve probably seen green padlock icons in your browser’s URL window while shopping or accessing your bank account, which indicate that the site is secure and running SSL or TLS protocols through an HTTPS site. Telling whether a site is running SSL or TLS, though, is generally much harder and beyond the scope of everyday Web browsing.
From a user standpoint, the safest thing about TLS is that the NSA does not appear to be targeting it (this, of course, could change). There is not much that users can do to prevent the NSA from cracking SSL protocols, but if you configure your own email software, you can set your preferences to TLS instead.
A website called ismymailsecure.com will let you know whether your email provider uses TLS protocols. Most private businesses and university servers do, as does Gmail; Yahoo Mail and Hotmail do not. Of course, the NSA can request information directly from Google as well, and the NSA documents unearthed hint that the agency is or is attempting to place spies within the major online companies. So using Gmail might not be a 100 percent secure solution.
In terms of Web browsing and online shopping, the safest recourse might be to use an HTTPS plugin like HTTPS Everywhere, which will automatically activate SSL or TLS protocols on a website if they are available. Granted, if a website only offers SSL functionality, it may not do much good, but it’s better than taking no precautions at all.