Cipher suites and TLS protocols

Commercial SSL certificates are often described in quite simple terms, for the sake of clarity. This is so the basic idea behind them can be understood by everyone, not just those with a web tech background. But when a web browser connects to a website with an SSL certificate, there’s actually a lot going on behind the scenes in order to establish a secure HTTPS connection. Today we’re going to focus on an integral part of that connection: Cipher Suites. 

You may have heard the term before but didn’t know what it meant. Maybe you thought it was a little too complicated to understand. While it is complicated, we’re going to define cipher suites in as simple terms as possible so you gain a fuller understanding of how SSL certificates and their protocols work.

Defining ciphers and cipher suites

A cipher is a type of algorithm which outlines the sequence of steps that need to be followed in order to perform a cryptographic function, such as encryption or decryption. For SSL encryption, the actions are actually carried out by keys, but ciphers provide the rules of the cryptosystem, and the order in which the keys perform the necessary cryptographic functions.    

When an HTTPS connection is established, several of these ciphers work in tandem. This is known as a cipher suite: essentially, a collection of different ciphers that perform various cryptographic functions, such as key generation and authentication, and that provide the order in which those functions should occur.

When a web browser tries to connect to the server where your site is hosted, they negotiate which cipher suite should be used to establish a secure connection during a process known as the SSL handshake.

Cipher suites and the SSL handshake

The SSL handshake is a pretty complicated process, but basically when all is said and done, a session key is created, which encrypts the connection between the client and the server. The process of the handshake is outlined in the specific set of ciphers used. You can read a more detailed account of the ins and outs of the SSL handshake here. Here’s a simplified version where we focus solely on the Cipher Suite element: 

When a browser (also known as a client) connects to a server, they exchange messages about which cipher suites they should use to perform the SSL handshake. The client sends the server a list of its supported cipher suites. The server selects a mutual cipher suite from the list that it deems the most secure. It then informs the client of its decision and the handshake begins.

What a cipher suite looks like

The anatomy of a cipher suite is dependent on the TLS protocols enabled on both the client and the server. Short for Transport Layer Security, TLS is the protocol that underpins how SSL certificates work. The latest version of the protocol is 1.3, but the previous version, 1.2, is still widely used. While TLS 1.2 is still incredibly secure, 1.3 has made some improvements and is less at risk from certain vulnerabilities. One big difference is the number of cipher suites they support. TLS 1.2 has 37 ciphers, while 1.3 has just five. In 1.2, a cipher suite contains four ciphers, while in 1.3 it contains only two. With 1.2, some cipher suites are more secure than others.

Here is an example of a cipher suite supported by TLS 1.2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Here is an example of a cipher suite supported by TLS 1.3:

TLS_AES_256_GCM_SHA384

As you can see, the TLS 1.3 cipher suite is a lot shorter. So, what does all this mean? Without diving too deeply into the technicalities, while both protocols are still very secure, 1.3 cipher suites significantly shorten the time the handshake takes, have a simpler key exchange, and are more secure throughout the whole process.
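To make the difference between the two names concrete, here is a small parser that splits a cipher suite name into its component algorithms. It is an added example, not part of the original article; the function name and field labels are assumptions, and it also covers two cases the article does not show (suites where one algorithm handles both key exchange and authentication, and TLS 1.2 suites with no hash suffix).

```python
# Added example: split IANA cipher suite names into their component algorithms.
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}


def parse_cipher_suite(name):
    """Return the algorithms named in a TLS 1.2 or TLS 1.3 cipher suite."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS cipher suite name: {name!r}")
    body = name[len("TLS_"):]

    if "_WITH_" in body:
        # TLS 1.2 layout: <key exchange>_<authentication>_WITH_<cipher>_<hash>
        handshake, _, record = body.partition("_WITH_")
        key_exchange, _, authentication = handshake.partition("_")
        if not authentication:
            # e.g. TLS_RSA_WITH_...: one algorithm does both jobs
            authentication = key_exchange
        fields = {"layout": "TLS 1.2", "key_exchange": key_exchange,
                  "authentication": authentication}
    else:
        # TLS 1.3 layout: <cipher>_<hash>. Key exchange and authentication
        # are negotiated separately and no longer appear in the name.
        record = body
        fields = {"layout": "TLS 1.3"}

    cipher, _, last = record.rpartition("_")
    if cipher and last in HASHES:
        fields.update(cipher=cipher, hash=last)
    else:
        # Edge case: TLS 1.2 CCM suites carry no hash suffix in the name.
        fields.update(cipher=record, hash=None)
    return fields


if __name__ == "__main__":
    # The two suite names quoted in the article.
    for suite in ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_AES_256_GCM_SHA384"):
        print(suite, "->", parse_cipher_suite(suite))
```
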

Cipher suites are configured on the server-side

A big misconception is that cipher suites are dictated by SSL certificates, which is not the case. The cipher suites that are used during the SSL handshake are based on what’s supported by the server and not the SSL certificate itself. 

While TLS 1.3 is the most up-to-date version of TLS, 1.2 is still widely used across the web, so you should have it configured on your server too. Otherwise, users with older clients may not be able to connect to your site. While older versions like TLS 1.0 and TLS 1.1 are still being used by some sites and browsers, their use will soon be phased out entirely, so you should avoid configuring these protocols on your server if possible.

To check what TLS protocols and cipher suites are enabled on your server, you can use the Qualys SSL Server Test. This will also assess the strength of your SSL certificate and your server’s configurations.  

To change your cipher suites, you will need to set up admin access to the server and edit the configuration of the domain’s Virtual Host. You can do this by using this great tool from Mozilla. Simply select your server from the list of options, the level of security you would like (the options are modern, intermediate, and old) and they will give you an example of the Virtual Host setting you can use to edit the configurations.
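The point of this section, that protocols and cipher suites belong to the server's TLS configuration and not to the certificate, can be seen with Python's standard `ssl` module. This is an added example, not from the original article: the function names and the OpenSSL cipher string are assumptions, and the suite names it lists are OpenSSL's own spellings, not the IANA names used earlier.

```python
# Added example: cipher suites live in the server's TLS configuration.
import ssl


def build_server_context(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Server-side context: TLS 1.2 minimum, restricted TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse TLS 1.0 and 1.1; TLS 1.2 stays enabled for older clients.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string (an assumption of this example). It filters the
    # TLS 1.2 suites; TLS 1.3 suites are managed separately by OpenSSL.
    ctx.set_ciphers(cipher_string)
    # No certificate has been loaded: nothing above depends on one.
    return ctx


def suites_by_protocol(ctx):
    """Group the suites the context will offer by the protocol they belong to."""
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def allows_legacy_protocols(ctx):
    """True if the context would still negotiate TLS 1.0 or TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    context = build_server_context()
    print("legacy protocols allowed:", allows_legacy_protocols(context))
    for protocol, names in sorted(suites_by_protocol(context).items()):
        print(protocol)
        for suite_name in names:
            print("   ", suite_name)
```

Changing the cipher string changes the list that is printed, with no certificate involved at any point.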

Wrap up

If you have any further questions about TLS configurations and cipher suites, contact your web hosting provider. If you are uncomfortable with editing cipher suite configurations yourself, it’s probably best to enlist the help of a systems administrator to check and configure it for you.
