June 09 2020

Protecting your Financial Website with Transport Layer Security (TLS)

transport layer securityAs users continue to do more online, companies – especially financial institutions – must keep web communications private and secure by taking standardized measures, such as Transport Layer Security (TLS). While many businesses use TLS to secure all communications between their web servers and browsers regardless of whether sensitive data is being transmitted, banks and credit unions increasingly rely on this crypto protocol for web application security to protect their user data and information. So, if you are a financial marketer, an IT professional for a bank or credit union, or just a fan of technical acronyms, settle in for an overview of why TLS is critical for your website security.

What is TLS?

Preceded by the now-deprecated Secure Socket Layer (SSL), TLS is a cryptographic protocol designed to provide privacy and data security for communications and transactions over a computer network, particularly the Internet. An Internet Engineering Task Force (IETF) standard, TLS is widely utilized in common applications such as web browsing, instant messaging, email communications, and voice over IP (VoIP). Intended to prevent eavesdropping, tampering and message forgery, TLS is utilized by websites to encrypt all communications between web applications and servers, such as when a web browser loads a site. The first version of the security protocol was introduced as an upgrade over SSL Version 3.0 in 1999, and (of this writing) the most recent version is TLS 1.3, which was published in 2018.

Why use TLS?

Assisting with website security, TLS encryption helps protect web applications from data breaches and DDoS attacks. With a correct implementation, TLS makes it so others can only infer the connection endpoints, type of encryption, as well as the frequency and an approximate amount of data sent. Critically, TLS ensures that outsiders cannot read or modify any of the actual data being communicated. Furthermore, HTTPS protected by the most current TLS version (currently 1.3) is rapidly becoming the best practice for secure websites. Look no further than the most popular web browser, Google Chrome, which is cracking down on non-HTTPS sites with security warning messages. Additionally, online users – especially those visiting financial sites – are seeking out the HTTPS padlock icon in the address bar before safely surfing a site. For companies like banks and credit unions, TLS protocol is more than a “nice to have” and now an absolute must.

What is the difference between TLS, SSL, and HTTPS?

Developed in the mid-90s by Netscape for adding the HTTPS protocol to their Navigator web browser, SSL is the previous encryption protocol that eventually gave way to TLS. Interestingly, TLS 1.0 started as SSL Version 3.1 with the eventual name change meant to distance itself from Netscape, which is why the terms SSL and TLS are sometimes still used interchangeably. However, there is a distinct difference between TLS and SSL.
 
Providing more efficiency and security, TLS offers backward compatibility for devices using SSL, but this doesn’t apply the other way around. Continuing the crossover of SSL to TLS, HTTPS is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites, as well as other web applications. HTTPS protects data, secures users, and enables opt-in technology. Of note, any website that uses HTTPS today is effectively employing a TLS encryption, which traces its roots all the way back to SSL.

How does TLS work?

 The main goal of TLS is to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., a website) should have at least one and ideally all the following key components:

  • Encryption – secures a private connection, as symmetric cryptography encrypts the transmitted data, hiding it from third parties.
  • Authentication – ensures that the parties exchanging information are who they claim to be, using public-key cryptography.
  • Integrity – verifies that the data has not been tampered or forged during transmission, by including a message integrity check for reliability.

Moreover, TLS can be configured to provide more privacy-related properties. For example, forward secrecy ensures that any forthcoming disclosure of encryption keys cannot be used to decrypt any previously recorded TLS communications. Because TLS supports many different methods for encrypting data, authenticating message integrity, and exchanging keys, a secure configuration involves many parameters to achieve success. In response to ongoing security threats, revisions to TLS protocol and updates to web browsers are continually rolled out over time.

What are the TLS protocol layers?

The TLS protocol defines two layers – the TLS handshake and the TLS record. The TLS record protocol provides connection security and verifies the integrity and origin of application data, while the TLS handshake protocol enables the client and server to authenticate each other and to negotiate security keys before any data is transmitted. The TLS handshake is the technical name for the process that establishes an HTTPS connection. The HTTPS connection involves two parties – the client who is initiating the connection and the server. The TLS handshake exchanges cipher suites and parameters, authenticates one or both parties, and create symmetric session keys.
 
To initiate a secure TLS connection, a TLS handshake establishes a cypher suite of algorithms that specify shared encryption keys, which are matched using public key cryptography. In addition, the TLS handshake performs authentication, using public keys with one-way encryption to allow the server to prove its identity to the client. Once data is encrypted and authenticated, it is then signed with a message authentication code (MAC), which ensures the integrity of the data. The TLS record protocol secures application data using the keys created during the TLS handshake. When the TLS record protocol is complete, the outgoing encrypted data is passed down to the TCP layer for transport. At the other end of the TLS connection, the basic steps of the sender are replicated, but done in reverse.

Which versions of TLS are still acceptable?

Unfortunately, it is not enough to simply be utilizing any TLS protocol to ensure secure website usage – your organization needs to implement a current, acceptable version. Dating back to 1999, TLS 1.0 is obsolete, while TLS 1.1, which debuted in 2006, is also deprecated. Neither TLS version supports the latest cryptographic algorithms, inviting potential hazardous data breaches and website security issues. Defined in 2008, TLS 1.2 is still the acceptable norm for privacy and data integrity between a web browser and website. If your website does not support TLS 1.2, then it is not payment card industry (PCI) compliant and therefore cannot securely store, process, or transmit cardholder data.
 
Established in 2018, TLS 1.3 is the latest and preferred protocol, boasting major improvements in security, performance, and privacy. TLS 1.3 makes it more difficult for hackers to decrypt HTTPS-encrypted traffic, speeds up the handshake process faster with only one round of required encryption, and uses the same certificates and keys as TLS 1.2 for relatively seamless implementation. In response to early concerns from financial services not being able to see what was happening on their own networks with TLS 1.3 in place, the IETF made several revisions to allow monitoring tools to be set up with the current protocol.

What are the perceived drawbacks to TLS?

Previous versions of the TLS protocol presented some unique challenges, including cost, speed, and security. Earlier iterations were somewhat costly to set up, as authentication, encryption and decryption are all expensive processes. With its additional overhead, TLS 1.0 and TLS 1.0 could strain servers, especially for larger websites that necessitated lots of TLS handshakes to secure hundreds of thousands of visitors per day. Moreover, while TLS is not invulnerable to hackers who look for flaws in the protocol and implementation to uncover ways to steal valuable information.
 
The good news is that TLS is continually improving with each new version and subsequent revisions by the IETF. TLS 1.2 and especially TLS 1.3 both perform much better than earlier versions. The current TLS versions are easier to set up, monitor and maintain than predecessors going all the way back to SSL. Improvements to TLS 1.2 and TLS 1.3 allow for less rounds of handshakes to secure communications without lagging load times nearly as much as in the past. The idea that HTTPS is slower than HTTP is not the case with today’s TLS. Furthermore, the IETF rewrote and modernized the protocol, so TLS 1.3 makes it a lot tougher for hackers to decrypt HTTPs-encrypted traffic, providing more privacy and better protection. The improved implementation, performance and privacy of TLS 1.2 and TLS 1.3 should make it worth the investment of time, money, and effort to establish for your institution.

Who can support my website’s TLS?

Implementing a compliant version – TLS 1.2 and TLS 1.3 – is relatively easy for personnel experienced in computer communication security. A good place to start is determining which configuration your website is currently running, by using a free layer server test, which you can find online. If your organization does not already have a certificate, you will need to purchase one from a certificate authority (CA). You will need to determine the number of domains to be secured and the level of identity assurance for your website visitors. After projecting the cost of verification and Subject Alternative Names (SANs) required, the next step is to generate a Certificate Signing Request (CSR) from your server. Then your organization must decide whether your certificate will be used for Public Trust (for anyone surfing the web) or Private Trust (for internal environments).  
 
Depending on their expertise and bandwidth, your in-house IT team may be able to install the certificate on your origin server and set up TLS for your company’s website. If not, your digital agency or website hosting company should be able to help to disable an old version and enable a new version of TLS protocol, while initiating other security enhancements, such as load balancing and limiting the number of cipher suites used. Avoiding any potential security breaches, seek out any additional support that your company or institution may need to ensure a proper TLS implementation. 

Keeping consumer information confidential

Now, more than ever, customers and members of banks and credit unions rely on safe and secure online and mobile banking, as well as their institution’s public websites. By offering a highly functional, well-protected website, financial institutions need to meet this demand for online accessibility, while also keeping confidential information safe. Considering that sensitive financial information is often transmitted via the web and stored in digital databases, it critical to implement data privacy protocols that will protect both users and institutions from online hackers. Implementing a compliant TLS version to authenticate data and provide a safe connection to your server is an essential security precaution for financial institution today.

  • Banks
  • Credit Unions
  • Privacy
  • Security

posted by
Christopher Rinaldi
Christopher Rinaldi

ZAG Interactive is a full-service digital agency in Glastonbury, CT, offering website design, development, marketing and digital strategy to clients nationwide. See current job openings.
Related Article
Form Encryption: What Fields Are PII?