TLS vs. SSL: 4 Must-Know Facts
- TLS has been an open standard of the IETF since version 1.0.
- The latest version of TLS is more secure than SSL overall.
- SSL originated within Netscape.
- Although SSL helped lay the foundation for internet security, it is now obsolete, having been superseded by TLS.
Some of the most well-known internet security protocols are the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols.
TLS and SSL are cryptographic protocols for establishing a secure connection between computer networks. Everyone uses their computer differently, so complete security when you browse the internet is important.
Both protocols are used to keep a variety of communication channels secure, such as web browsing, email, instant messaging, and more. Websites that use a TLS certificate are served over Hypertext Transfer Protocol Secure (HTTPS).
We know it can get confusing, so we’re here to clarify these protocol types, look at the differences between TLS and SSL, and discuss how these technologies protect your computer network, even when you use shared networks, like a WiFi access point.
TLS vs. SSL: A Side-by-Side Comparison
|Feature|TLS|SSL|
|---|---|---|
|Latest Version|TLS 1.3|SSL 3.0|
|Algorithms|Does not support Fortezza|Supports Fortezza|
|Record|TLS uses Hashed MAC|SSL uses the Message Authentication Code|
|Alert|Eliminates the warning description and inserts more values|“No certificate” warning enabled|
|Certificate|Complex Verification|Simple Verification|
|Authentication|Message authentication standard|Ad hoc|
|Security|High security|Vulnerable to attacks|
The Secure Sockets Layer (SSL) protocol is the predecessor of the Transport Layer Security (TLS) protocol. SSL was the first technology widely used to secure communications on the internet.
Developed in the mid-1990s by a team from Netscape that included the renowned cryptographer Taher Elgamal, this protocol laid the foundation for our current internet. Its initial versions had several weaknesses, but once it reached version 3.0, it helped support the boom in e-commerce and other online activities unimaginable without encryption.
It is mainly used together with the HTTP protocol, giving rise to HTTPS, the secure version of HTTP. As mentioned, it is most common on websites that use the HTTPS protocol for stable operation, using certificates issued by specialized entities, covering the certificate itself, its key, and its certification chain.
For this reason, mail protocols also have a secure option, in which they use secure ports and SSL so that the exchange of messages can remain just as safe.
Some mail protocols, such as Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP), use and support SSL, while others, such as the Simple Mail Transfer Protocol (SMTP), make exclusive use of the TLS protocol. The ports used in this case would be 995 for POP3, 993 for IMAP, and 465 for SMTP. These ports also cover the use of TLS.
Previously, this was known as SSL. Since SSL is more famous than TLS, it is common for us to refer to TLS with the double denomination SSL/TLS since TLS is simply the evolution of SSL.
The TLS protocol encrypts internet data flows so that only their legitimate recipients can read them, which is why it is used with the SMTP protocol in mail, just as it is used in any field that uses SSL, due to its type of encryption. TLS is the most widely used protocol for securing communications between devices on a network.
The goal was to ensure the confidentiality and integrity of the information transmitted, even when the network links are not perfectly reliable. Most often, TLS is used to secure sessions between a browser and a web server, but it can also be used for VPNs or even video chats.
Version 1.0 of the TLS protocol appeared in 1999. It was then largely based on the SSL protocol, developed a few years earlier by Netscape. The new version was given a distinct name to make it clear that it is an open standard that all companies and projects can use.
At the time, Netscape used SSL in its proprietary web server software (Netscape Enterprise Server) to encrypt data in transit. This open protocol has subsequently been updated several times. The latest version available, TLS 1.3, was created in 2018.
The History of TLS vs. SSL
Many of the standards and protocols used on the internet today were developed when computer security was of little importance.
This mindset explains why the network-layer IP protocol and the HTTP protocol that underpin the web do not include encryption or authentication. This lack of security has a direct consequence: anyone placed between you and a web server can eavesdrop or even manipulate the traffic.
It wasn’t a real problem when our most sensitive activity was hanging around Lycos and exchanging Star Trek-themed ASCII artwork. On the other hand, our modern activities, whether managing our bank accounts or making medical appointments, require reinforced security.
In the late 1980s and early 1990s, IT experts and researchers from academia, government agencies, and corporations examined where and how to implement encryption while maintaining compatibility with the network infrastructure and applications already in use worldwide.
They brainstormed several solutions and protocols, but none of their first tries really caught on. Not coincidentally, many general concepts imagined at the time were subsequently applied to SSL, and then TLS.
- 1986-1995: Various groups study the question of protecting confidential information in transit on the network. Several techniques are proposed, but most internet traffic is still exchanged in the clear.
- 1995: Netscape introduces Secure Sockets Layer (SSL) to secure web traffic.
- 1999: Transport Layer Security (TLS) 1.0 becomes an open standard and the default choice for securing e-commerce sites and heavy traffic.
- 2008: TLS 1.2 is released. This new version brings reinforced security, new cryptographic suites, and the possibility of determining the order of use of security algorithms.
- 2012-2017: Concerns about monitoring and listening to traffic grow. Voices are rising to demand the encryption of all web traffic. In 2017, Google started to include the use of SSL/TLS encryption in its ranking criteria.
- 2018: TLS version 1.3 is released. It further enhances traffic privacy. Some governments and companies criticize this new version, judging that it goes too far.
- Today: TLS 1.2 is the minimum version acceptable in production.
Key Differences between TLS and SSL
There is some confusion about the difference between TLS and SSL. It is important to note that TLS appeared later and is the successor to SSL.
The open standards organization, the Internet Engineering Task Force (IETF), moved away from SSL, banning the 2.0 standard in 2011 and the newer 3.0 in 2015. In other words, TLS is now the dominant and widely accepted protocol for securing network communications.
TLS and SSL are fundamentally similar. In protected web browsing, both protocols use certificates to authenticate and encrypt connections between the browser and servers. They are used on sites that collect sensitive user information, such as identity and payment details.
TLS has become the standard for e-commerce sites or online stores, as well as email applications, among others.
Each iteration of TLS from version 1.0 to version 1.3 has fixed vulnerabilities in the immediately prior version. Not only is TLS 1.3 much more secure, but other changes have been implemented, including performance improvements and the removal of cipher suites whose security is considered obsolete.
Should I use TLS or SSL?
All SSL versions are now considered obsolete and should no longer be used.
Modern browsers consider SSL connections, or even connections made with an older version of TLS, to be insecure because these protocols contain many known vulnerabilities.
However, the terminology is used in a very fluctuating way, and the term “SSL” is very often used as a synonym for “security system of web communications.” For example, it is very common to talk about “SSL certificates” in reference to certificates used for asymmetric cryptography, even when these certificates are actually used with the most recent versions of TLS.
This aside, it is important to disable support for all versions of SSL on your web server and other applications. Failure to do so will violate several security standards, including PCI DSS. Beyond compliance issues, SSL and early versions of TLS contain vulnerabilities severe enough to no longer effectively protect communications.
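One way to check a server configuration against this advice, as an added example rather than code from the original article: a short Python audit that flags any SSL or pre-1.2 TLS version left enabled. `ssl_protocols` (nginx) and `SSLProtocol` (Apache mod_ssl) are the real directives; the function names, the worst-case treatment of Apache's `all`, and both sample configs are constructed for illustration.

```python
import re

LEGACY = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}   # below the TLS 1.2 floor
# Assumption: Apache's "all" is expanded to SSLv3..TLSv1.3 (worst case, build-dependent).
ALL = (LEGACY | {"tlsv1.2", "tlsv1.3"}) - {"sslv2"}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)

def enabled(directive, args):
    """Resolve one directive's arguments to the set of protocols it enables."""
    result = set()
    for tok in args.lower().split():
        sign = tok[0] if tok[0] in "+-" else ""
        names = ALL if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
        if sign == "-":
            result -= names
        elif sign == "+" or directive.lower() == "ssl_protocols":
            result |= names        # nginx lists are additive
        else:
            result = set(names)    # mod_ssl: a bare token replaces earlier ones
    return result

def audit(config_text):
    """Return (line number, directive, legacy protocols left enabled) tuples."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            legacy = sorted(enabled(m.group(1), m.group(2)) & LEGACY)
            if legacy:
                findings.append((no, m.group(1), legacy))
    return findings

# Constructed samples: an nginx block and an Apache line in one string for brevity.
WEAK = """\
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # legacy still on
}
SSLProtocol all -SSLv3
"""
HARDENED = """\
server {
    ssl_protocols TLSv1.2 TLSv1.3;
}
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The weak sample yields one finding per directive, while the hardened sample yields none. Note that `SSLProtocol all -SSLv3` still leaves TLS 1.0 and 1.1 enabled, which is the common way a server ends up below the TLS 1.2 minimum after SSL itself has been switched off.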
TLS and SSL are network encryption protocols that fulfill the same objective: they ensure network protection and encryption between TCP and applications. SSL 3.0 was developed first, then TLS 1.0 was developed. TLS includes all the features of SSL but also has advanced security features, making it the go-to encryption method for everyday internet use.