A Beginner’s Guide to TLS Cipher Suites - Namecheap Blog (2024)

If you have a website, you likely have an SSL certificate (if you don’t, be sure to remedy that immediately). You probably know what an SSL certificate does in a broad sense. Using the TLS (Transport Layer Security) protocol, SSL certificates ensure that the connection between your site and a user’s browser is secure and cannot be read or tampered with by any third party. This is known as encryption. It’s less likely that you know what happens behind the scenes when an SSL certificate creates this connection.

That’s why today, we’re going to focus on a key aspect of the encryption process — cipher suites. By the end of this article, you should have a better idea of how SSL certificates work in relation to ciphers and cipher suites.

Read on to learn more!

What is a cipher suite?

Before we dive into cipher suites, we should take a moment to explain what a cipher is. In cryptography, a cipher is an algorithm that performs one cryptographic operation, such as encrypting data; TLS (the security protocol used by modern SSL certificates) secures a connection by combining several of them. A cipher suite is a named set of ciphers working together, each with a different cryptographic function, such as key exchange and authentication.

While the acts of encryption and decryption themselves are performed with keys, cipher suites outline the set of steps the keys must follow to do so and the order in which those steps are executed. There are numerous cipher suites out there, each with different instructions for the encryption and decryption process. Which cipher suites are used is dictated by the version of TLS that’s configured on your server (we’ll talk more about that in a little bit).

So what exactly does a cipher suite look like in action? As you may already know, when someone visits a website with an SSL, their browser will connect to the server where the website is hosted to form an encrypted connection. This connection is negotiated through a process known as the SSL handshake. Cipher suites play an integral role in the handshake process.


Cipher suites and the SSL/TLS handshake

We won’t be delving too deeply into the finer details of the TLS handshake, as it’s a very complicated, technical process. In the simplest terms, it’s a series of messages exchanged between the browser (client) and website (server) in which the server’s public key and SSL certificate are authenticated, culminating in the creation of a session key, which is what encrypts the connection between the client and the server.

Cipher suites dictate how the entire process plays out. The client sends the server a list of the cipher suites it supports, and the server will choose a mutually supported cipher suite that it deems most secure. Depending on the version of TLS being used, this may happen before the handshake or in the very first step.

A closer look at what makes up a cipher suite

As we mentioned earlier, a cipher suite looks different depending on which version of the TLS protocol is being used. The current standards are TLS 1.2 and 1.3. While 1.3 is the newer and more secure version, 1.2 is still widely used. The difference between the two versions is evident from the number of cipher suites they use and the length of the suite names. There are 37 cipher suites for TLS 1.2, while TLS 1.3 has only five. Take a look at these two cipher suite examples:

  • TLS 1.2 cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS 1.3 cipher suite: TLS_AES_256_GCM_SHA384

As you can see, the TLS 1.3 suite is a lot shorter, but why is that better? To explain, let’s go through what some of those letters and numbers mean.

In TLS 1.2, a cipher suite is made up of four ciphers:

  1. A key exchange algorithm: This is represented by ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) in the example above. It defines how the client and the server agree on keys. Other key exchange algorithms include RSA and DH.
  2. An authentication algorithm: This is represented by ECDSA (Elliptic Curve Digital Signature Algorithm) in the example above. It is the digital signature algorithm tied to the type of certificate the server uses, and it lets the client verify that the website’s SSL certificate is legitimate. Other authentication algorithms include RSA and DSA.
  3. Bulk data encryption: This cipher encrypts the data transferred between the client and the server. It’s represented by AES_256_GCM in the example above.
  4. A message authentication code (MAC) algorithm: This is represented by SHA384 in the example above. It is a hashing algorithm that both authenticates messages and ensures data integrity.

In comparison, a TLS 1.3 cipher suite has only two ciphers: bulk data encryption and the MAC algorithm. How can it be more secure with two rather than four? Because there is no need to name the key exchange algorithm (and, by extension, the authentication algorithm) in the suite: TLS 1.3 accepts only one kind of key exchange, the ephemeral Diffie-Hellman method.

This cuts down the number of messages exchanged during the TLS handshake from two round trips in TLS 1.2 to one round trip in 1.3, simplifying the entire process. In addition, the 37 cipher suites supported by TLS 1.2 can vary in quality, with some being weaker than others. TLS 1.3 cipher suites are more robust in comparison. All in all, this adds up to reduced latency and faster, more secure connections.
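The naming scheme described above can be parsed mechanically, which is also a convenient way to spot the "weaker" TLS 1.2 suites this paragraph mentions. The following is an added example written for this page, not code from the article or from any TLS library; it assumes only the IANA-style naming scheme (`TLS_<kx>_<auth>_WITH_<encryption>_<MAC>` for TLS 1.2, `TLS_<encryption>_<hash>` for TLS 1.3), and the suite names other than the article's two examples are constructed for the demo.

```python
# Added example, not code from the Namecheap article: a small parser for
# IANA-style cipher-suite names, plus a policy check that flags the combinations
# generally considered weaker. Only the naming scheme itself is assumed; the
# legacy suite names in the demo are constructed samples.

# Key-exchange methods that reuse a long-term key and therefore give no forward secrecy.
STATIC_KEY_EXCHANGE = {"RSA", "DH", "ECDH"}


def parse_cipher_suite(name):
    """Split a cipher-suite name into its four (TLS 1.2) or two (TLS 1.3) parts.

    TLS 1.2:  TLS_<key exchange>_<authentication>_WITH_<encryption>_<MAC>
              e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS 1.3:  TLS_<AEAD encryption>_<hash>
              e.g. TLS_AES_256_GCM_SHA384 (key exchange is always ephemeral
              Diffie-Hellman and authentication always comes from the
              certificate, so neither appears in the name)
    """
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher suite name: %r" % name)
    body = name[len("TLS_"):]

    if "_WITH_" in body:
        kx_auth, enc_mac = body.split("_WITH_", 1)
        kx_parts = kx_auth.split("_", 1)
        # TLS_RSA_WITH_... names one algorithm that serves as both key exchange and auth.
        key_exchange = kx_parts[0]
        authentication = kx_parts[1] if len(kx_parts) == 2 else kx_parts[0]
        encryption, mac = enc_mac.rsplit("_", 1)
        return {"version": "1.2", "key_exchange": key_exchange,
                "authentication": authentication, "encryption": encryption, "mac": mac}

    encryption, hash_alg = body.rsplit("_", 1)
    return {"version": "1.3", "key_exchange": "(EC)DHE, implicit",
            "authentication": "certificate, implicit", "encryption": encryption,
            "mac": hash_alg}


def weaknesses(name):
    """Return the reasons a suite should not be offered; an empty list means none found."""
    suite = parse_cipher_suite(name)
    enc = suite["encryption"]
    problems = []
    if suite["key_exchange"] in STATIC_KEY_EXCHANGE:
        problems.append("static key exchange: no forward secrecy")
    if suite["authentication"] == "anon":
        problems.append("anonymous key exchange: server is not authenticated")
    if enc.startswith("NULL"):
        problems.append("NULL cipher: no confidentiality")
    elif "EXPORT" in name or "RC4" in enc or "3DES" in enc or enc.startswith("DES"):
        problems.append("broken or deprecated cipher: " + enc)
    if "CBC" in enc:
        problems.append("CBC mode: prefer an AEAD mode (GCM, CCM or POLY1305)")
    if suite["mac"] in ("MD5", "SHA"):
        problems.append("legacy MAC/hash: " + suite["mac"])
    return problems


if __name__ == "__main__":
    # Constructed sample list: the article's two examples plus two legacy suites.
    for suite_name in ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                       "TLS_AES_256_GCM_SHA384",
                       "TLS_RSA_WITH_AES_128_CBC_SHA",
                       "TLS_DH_anon_WITH_RC4_128_MD5"):
        parts = parse_cipher_suite(suite_name)
        print(suite_name)
        for key in ("version", "key_exchange", "authentication", "encryption", "mac"):
            print("  %-15s %s" % (key + ":", parts[key]))
        print("  problems:       %s" % (", ".join(weaknesses(suite_name)) or "none"))
```

Running the script prints the parsed components of each suite followed by its problems; the article's two examples come back clean, while the two constructed legacy suites are flagged for static key exchange, CBC mode, RC4, and the MD5/SHA-1 MAC.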


Can you choose your preferred cipher suites?

Yes, you can. To do this, you will need access to your server settings. Contrary to common belief, the version of TLS used is not dictated by the SSL certificate you install but by your server configuration. The cipher suites you can choose depend on which TLS version is enabled on your server. You can check which TLS protocol versions and cipher suites your server supports by using this free online service.

You can change your cipher suites with the help of this handy tool from Mozilla. It shows templates of server configurations that will help you more easily edit the configuration of your domain’s Virtual Host. You just need to choose your server from the list of options and the security level you would like (modern, intermediate, or old). You will be given an example of the Virtual Host setting you can use to edit the configurations.
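Before pasting a cipher list into a Virtual Host, it is worth seeing which suites it actually enables. The following is an added example, not code from the article or from Mozilla's generator: it uses Python's standard `ssl` module, which exposes OpenSSL's cipher-string syntax and reports each enabled suite's key exchange and AEAD status, to compare a permissive string with a forward-secret one offline. The two cipher strings are constructed for the demo (they are not the generator's templates), and no remote server is contacted.

```python
# Added example, not code from the article or from Mozilla's generator: use
# Python's standard ssl module to list which suites an OpenSSL cipher string
# enables, so a candidate server configuration can be checked before deployment.
# Both cipher strings below are constructed for the demo.
import ssl

# Legacy-style string: everything OpenSSL supports except unauthenticated/unencrypted suites.
PERMISSIVE = "ALL:!aNULL:!eNULL"
# Hardened string: ephemeral ECDH key exchange with AEAD ciphers only.
FORWARD_SECRET_AEAD = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def build_client_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum   # the protocol floor is a separate setting from the cipher list
    ctx.set_ciphers(cipher_string)  # governs TLS 1.2 suites; the TLS 1.3 suites stay enabled
    return ctx


def is_forward_secret(info):
    """True when the suite's key exchange is ephemeral (EC)DH, as in every TLS 1.3 suite."""
    kea = info.get("kea")
    if kea is not None:
        return kea in ("kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any")
    # Builds that do not report the key-exchange field: infer it from the OpenSSL name.
    return info["name"].startswith(("TLS_", "ECDHE-", "DHE-"))


def audit(cipher_string):
    """Summarise what a cipher string enables, using the per-suite fields ssl reports."""
    suites = build_client_context(cipher_string).get_ciphers()
    return {
        "enabled": [c["name"] for c in suites],
        "tls13": [c["name"] for c in suites if c["protocol"] == "TLSv1.3"],
        "not_forward_secret": [c["name"] for c in suites if not is_forward_secret(c)],
        "non_aead": [c["name"] for c in suites if not c.get("aead", False)],
    }


if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE), ("forward-secret AEAD", FORWARD_SECRET_AEAD)):
        r = audit(spec)
        print("%s: %d suites enabled (%d TLS 1.3), %d without forward secrecy, %d non-AEAD"
              % (label, len(r["enabled"]), len(r["tls13"]),
                 len(r["not_forward_secret"]), len(r["non_aead"])))
        for name in r["not_forward_secret"][:5]:
            print("   no forward secrecy:", name)
```

The permissive string still enables suites with static RSA key exchange and CBC mode; the hardened string leaves only ECDHE suites with GCM or ChaCha20-Poly1305, plus the TLS 1.3 suites, which OpenSSL keeps enabled regardless of the TLS 1.2 cipher string. Note that `minimum_version` is set separately: a strong cipher list does not by itself disable TLS 1.0 or 1.1.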

Wrap up

While this has been a very basic overview of cipher suites and what they do, hopefully you come away with a better understanding of the TLS protocol and the website encryption process. To make sure your website uses the most up-to-date cipher suites, confirm that your server supports TLS 1.3 and update the configuration to your preferred cipher suites.


FAQs

What is the difference between TLS and cipher suites?

In cryptography, a cipher is an algorithm that lays out the general principles of securing a network through TLS (the security protocol used by modern SSL certificates). A cipher suite comprises several ciphers working together, each having a different cryptographic function, such as key generation and authentication.

How do you disable SSL 2.0 and 3.0 and use TLS 1.2 or higher with approved cipher suites instead?

In the Internet Options window on the Advanced tab, under Settings, scroll down to the Security section. In the Security section, locate the Use SSL and Use TLS options and uncheck Use SSL 3.0 and Use SSL 2.0. If they are not already selected, check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2.

How to configure TLS cipher suites?

Configure allowed cipher suites

Do the following to specify the allowed cipher suites: Open regedit.exe and go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002. Edit the Functions key, and set its value to the list of Cipher Suites that you want to allow.

What is an SSL certificate on Namecheap?

An SSL certificate is a certified piece of code on a website that binds this encryption to the organization responsible for the website. An SSL-certified website runs on https protocol. This activates the browser padlock or a prominent green browser bar to show visitors it is safe to browse.

What is the best cipher suite to use?

Currently, the most secure and most recommended combination of these four is: Elliptic Curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), AES 256 in Galois Counter Mode (AES256-GCM), and SHA384. See the full list of ciphers supported by OpenSSL.

Which TLS ciphers are recommended?

While TLS 1.2 is currently the most widely-used version of the SSL/TLS protocol, TLS 1.3 (the latest version) is already supported in the current versions of most major web browsers. Use a Short List of Secure Cipher Suites: Choose only cipher suites that offer at least 128-bit encryption, or stronger when possible.

Should SSL 3.0 be enabled?

You should most definitely disable SSL version 3. It is not secure.

Should SSL 2.0 be disabled?

It depends on the client. Even with SSL 2.0 enabled, clients should use TLS 1.2 or 1.3, because they will always try to use the newest protocol version. Having 2.0 enabled is still bad, because a client can force a connection on 2.0 and then crack the encryption, which could compromise the host.

How do I check my TLS cipher suite?

Find the cipher using Chrome

Select More tools > Developer tools > Security. Look for the line "Connection...". This will describe the version of TLS or SSL used.

How do I get the TLS cipher suite?

The Get-TlsCipherSuite cmdlet gets an ordered collection of cipher suites for a computer that Transport Layer Security (TLS) can use. For more information about the TLS cipher suites, see the documentation for the Enable-TlsCipherSuite cmdlet or type Get-Help Enable-TlsCipherSuite.

What is a cipher suite in TLS?

A cipher suite is a set of cryptographic algorithms. The Schannel SSP implementation of the TLS/SSL protocols uses algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks: Key exchange. Bulk encryption.

Why is Namecheap SSL so cheap?

In fact, the process is often entirely automated, which accounts for why domain validation certificates are so much cheaper than, for example, EV SSL certificates, which require a degree of human work to issue. While domain validation certificates verify the consent of a domain owner, they don't make any effort to verify who the domain owner is.

Is Namecheap trustworthy?

Yes, Namecheap is a legitimate web hosting provider and domain registrar. It's been used by more than two million customers for a wide range of website and business needs. Namecheap has been around for more than 20 years, providing services across 18 countries worldwide.

What is the lifetime limit of an SSL certificate at Namecheap?

The lifetime limit of an SSL certificate is 398 days, which is a 1-year certificate.

What is the difference between TLS 1.2 and 1.3 cipher suites?

Simpler, Stronger Cipher Suites

In TLS 1.2 and earlier versions, the use of ciphers with cryptographic weaknesses posed potential security vulnerabilities. TLS 1.3 includes support only for algorithms that currently have no known vulnerabilities, and drops any that do not support Perfect Forward Secrecy (PFS).

What is the difference between TLS 1.2 and TLS 1.3 cipher suites?

While TLS 1.2 is still very secure, 1.3 has made some improvements and is less exposed to certain vulnerabilities. One big difference is the number of cipher suites they support. TLS 1.2 has 37 cipher suites, while 1.3 has just five. In 1.2, a cipher suite contains four ciphers, while in 1.3 it has only two.

Is TLS a cipher or a protocol?

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.

What is the difference between TLS and encryption?

The distinction is between transport-layer encryption and end-to-end encryption. Transport-layer encryption only protects traffic between a service provider and individual users, while end-to-end encryption encrypts communications directly between users.

Author: Rueben Jacobs
