Whenever you see a little padlock in the address bar of your internet browser, as well as when you use apps, email and messaging, you’re relying on something called ‘transport layer security’ or TLS. It’s a protocol that keeps us safe online.
Behind that little padlock is cryptographic code that guarantees the security of data passing between you and, for example, the website you are looking at.
In fact, TLS guarantees security on three fronts: authentication, encryption and integrity. Authentication, so that your data goes where you think it is going; encryption, so that it does not go anywhere else; and integrity, so that it is not tampered with en route.
‘It’s the most popular security protocol on the internet, securing essentially every e-commerce transaction,’ Eric Rescorla, chief technology officer at US technology company Mozilla, told Horizon over email.
In the two decades leading up to 2018, there were five overhauls of TLS to keep pace with the sophistication of online attacks. After that, many experts believed that the latest incarnation, TLS1.2, was safe enough for the foreseeable future, until researchers such as Dr Karthikeyan Bhargavan and his colleagues at the French National Institute for Research in Digital Science and Technology (INRIA) in Paris came along.
Scaffold
As part of a project called CRYSP, the researchers had been working on ways to improve the security of software applications. Usually, software developers rely on TLS like a builder relies on a scaffold – in other words, they take its safety for granted.
To improve security at the software level, however, Dr Bhargavan and colleagues had to thoroughly check that the underlying assumptions about TLS1.2 – that it had no serious flaws – were justified.
‘At some point, we realised they weren’t,’ he said.[…]
