About a year ago, the Transport Layer Security (TLS) authentication protocol was slated to become the successor to the SSL protocol that is commonly used to encrypt Web site content. Today, though, confusion and misinformation regarding TLS abound. In this article, I give you the straight scoop regarding what TLS is and is not, and talk about the state of the TLS protocol today.
One common misconception about TLS is that it is the same thing as the SSL protocol. I have seen several Web sites that claim SSL 3.0 and TLS 1.0 are "substantially the same." The truth is that the TLS protocol was based on SSL 3.0, but it is a different protocol. There are no huge differences between the two protocols, but the differences are significant enough that the protocols do not interoperate with each other directly. TLS 1.0 does, however, contain a mechanism through which it can revert to SSL encryption if a client does not support TLS encryption.
TLS was introduced as a successor to SSL more than a year ago, so you may be wondering why TLS isn't more widely used. There are several reasons for this, one of which is conflicting standards. In May 2006, for example, the Wi-Fi Alliance modified the WPA and WPA2 standards so that rather than supporting a single Extensible Authentication Protocol (EAP), they now support five different EAP standards. The idea behind this move was to make the WPA and WPA2 standards more inclusive.
The problem with modifying the standards is that their names were not changed to reflect the update. This means that if a product claims to be WPA or WPA2 compliant, there is no immediate way to tell whether the compliance refers to the old standard or the new one. Consequently, some companies have been reluctant to adopt the new WPA and WPA2 standards for fear of hardware incompatibilities.
For example, there have been some compatibility problems with betas of Windows Vista and Internet Explorer 7. If a user visits a TLS-enabled Web site that does not strictly adhere to the TLS RFC, the session is typically disconnected when the TLS extensions are received during the HTTPS handshake. A Microsoft blog encourages users experiencing such problems to disable the use of TLS and Internet Explorer and to contact the owner of the Web site to talk about the availability of a fix for their TLS implementation.
In spite of the fact that TLS adoption has been slow and that there have been numerous compatibility problems, it does seem that TLS is eventually going to become the standard for HTTP encryption. As I mentioned earlier, Internet Explorer 7 is configured by default to support TLS 1.0. Likewise, TLS will be fully supported in both Windows Vista and Longhorn Server.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.