SSL vs TLS Explained: What's the Difference?

Robert-George

If you've worked with websites, bought an SSL certificate, or dealt with anything related to web security, you've likely heard of both SSL and TLS.

Many people use the two terms interchangeably, but they aren't the same.

SSL was once the go-to protocol for securing internet communications, but it was superseded by TLS quite some time ago. Still, "SSL certificate" remains a term widely used online.

We'll be breaking down the differences between SSL and TLS, looking at why SSL has been abandoned, and why TLS is what all modern sites use to secure their communication.

What is SSL?

SSL (Secure Sockets Layer) was the first protocol designed for securing communications across the internet.

Developed by Netscape in the 1990s, SSL provided three main security benefits:

  • Encryption
  • Authentication
  • Data Integrity

This allowed users to send sensitive information such as passwords, credit card details and personal information securely over the web from their browser to the web server.

Back then, this was a huge leap in web security.

What is TLS?

TLS (Transport Layer Security) is the modern successor to SSL.

It was first introduced in 1999 as a successor to SSL 3.0 and has been updated several times to improve on its predecessors and fix security vulnerabilities.

Today, TLS is the protocol used to secure:

  • HTTPS websites
  • Online banking
  • Email
  • APIs
  • Messaging apps
  • Cloud storage

When you see HTTPS in the address bar on a website, you are more than likely using a TLS connection.

Why Was SSL Replaced?

Though SSL was revolutionary at the time, researchers discovered various flaws in its design and implementation over the years, and attackers found ways to exploit them.

Notable weaknesses were found in:

  • Encryption algorithms
  • Handshake mechanisms
  • Vulnerability to attacks like POODLE
  • Limited support for modern cryptography

These problems led to the phased abandonment of SSL in favor of the superior TLS.

All SSL versions have since been declared obsolete.

SSL vs TLS: What's the difference?

Though TLS came from SSL, there are many differences between the two protocols:

  • Security

TLS provides far superior security to SSL. This is due to the newer encryption methods and more advanced cryptographic techniques available, all of which are far better protected against contemporary cyber threats.

  • Performance

TLS is far quicker than SSL. With newer versions like TLS 1.3 reducing the handshake process significantly, the result is faster web pages, and overall quicker browsing.

  • Cipher Suites

TLS is able to utilize stronger cipher suites providing better encryption and forward secrecy, whereas SSL uses out-of-date methods.

  • Message Authentication

The method used by TLS to ensure messages haven't been tampered with is more secure than the method used by SSL.

  • Support

SSL is no longer supported by browsers, operating systems, and web servers. TLS, however, is the standard security protocol used by all of these.

TLS versions explained

TLS 1.0

First released in 1999, this version includes various security updates over its predecessor, SSL. However, it is now an obsolete and insecure version of TLS.

TLS 1.1

A minor update to TLS 1.0 that fixes numerous weaknesses found in 1.0. It has also been deprecated.

TLS 1.2

For many years this has been the workhorse of internet security and remains highly supported. It includes stronger encryption than 1.0/1.1.

TLS 1.3

The latest official version of the TLS protocol. TLS 1.3 reduces the time to establish a secure connection through its use of a faster handshake. It uses stronger encryption than 1.2 and has fewer features for attackers to exploit, thus minimizing the vulnerability to certain attacks. Most modern sites will be using this version.
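As an added example (not from the original article), the Python code below reads the protocol version a server selected from a raw ServerHello record, which is how captured traffic can be checked for the obsolete versions listed above. It goes beyond the text by using the wire format; `negotiated_version`, `build_server_hello` and the sample records are constructed for illustration.

```python
import struct

# Wire codes for each protocol version (SSL 3.0 is 3.0, TLS 1.0 is "3.1", and so on).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
SUPPORTED_VERSIONS = 0x002B  # extension a TLS 1.3 server uses to announce 0x0304


def negotiated_version(record: bytes) -> str:
    """Return the version a server selected, read from its ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 38 or len(body) < 38 + body[34]:
        raise ValueError("truncated ServerHello")
    version = struct.unpack_from("!H", body, 0)[0]  # legacy_version field
    pos = 2 + 32 + 1 + body[34] + 2 + 1  # version, random, session id, suite, compression
    if pos + 2 <= len(body):  # the extensions block is optional before TLS 1.3
        end = min(pos + 2 + struct.unpack_from("!H", body, pos)[0], len(body))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= end:
                version = struct.unpack_from("!H", body, pos + 4)[0]
            pos += 4 + ext_len
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


def build_server_hello(legacy_version: int, selected: int = 0) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a real capture)."""
    ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected) if selected else b""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # empty session id
    body += b"\x13\x01\x00" + struct.pack("!H", len(ext)) + ext  # suite, compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(legacy_version, 0x0303), len(handshake)) + handshake


if __name__ == "__main__":
    for hello in (build_server_hello(0x0303, 0x0304), build_server_hello(0x0301)):
        name = negotiated_version(hello)
        print(name, "(deprecated)" if name in DEPRECATED else "(acceptable)")
```

A TLS 1.3 server still writes 0x0303 in the legacy version field, so a check that ignores the `supported_versions` extension would misreport TLS 1.3 as TLS 1.2.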

Why do people still say "SSL Certificate"?

This is perhaps the most confusing part of SSL/TLS for many, and it's due to legacy and marketing. Even though it is TLS that's providing the security on most sites, the term "SSL certificate" is still widely used by:

  • Hosting companies
  • Certificate authorities
  • Website owners
  • Security vendors

In practice, all these people mean "TLS certificate." The only real reason for this is history, but we're moving forward into an SSL-free future, slowly.

How TLS secures HTTPS connections

When a user accesses a website over HTTPS, the browser and the web server use TLS for several security purposes. The browser authenticates the web server by verifying its identity against its certificate, encrypts all information before transmitting it across the internet, and checks the encrypted information it receives back from the web server to ensure the data has not been tampered with.

Should you ever use SSL today?

No. All versions of SSL are deprecated and shouldn't be used by anyone. Organizations should utilize either TLS 1.2 or TLS 1.3, with modern best practice stating that TLS 1.3 should be favored if available. Using outdated SSL/TLS versions can create major security vulnerabilities and possibly go against various security compliance requirements.

Best practices for web owners

Website owners who want to maintain the best possible web security should:

  • Ensure they have TLS 1.3 enabled
  • Disable SSL entirely
  • Disable obsolete versions of TLS
  • Use a Certificate Authority you trust
  • Allow for automatic certificate renewal
  • Configure a suitable set of cipher suites
  • Use HTTP Strict Transport Security (HSTS)
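The items in this checklist that are visible in server configuration can be checked automatically. The following Python audit is an added example, not part of the original article; it assumes the web server is nginx (the article names none), and the function names and both sample configs are constructed for illustration. Certificate authority choice and automatic renewal are outside what a config file shows, so it does not cover them.

```python
import re

# Assumption: the web server is nginx (the article names none); directives are nginx's.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Yield (name, args) for each 'name args;' directive, ignoring comments."""
    for line in conf.splitlines():
        m = re.match(r"([A-Za-z_]+)\s+(.*?);$", line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2)

def audit_tls_config(conf):
    """Return findings for the checklist items that are visible in the config."""
    findings, protocols, has_ciphers, has_hsts = [], set(), False, False
    for name, args in directives(conf):
        if name == "ssl_protocols":
            protocols |= set(args.split())
        elif name == "ssl_ciphers":
            has_ciphers = True
        elif name == "add_header" and args.lower().startswith("strict-transport-security"):
            has_hsts = True
    for proto in sorted(protocols & OBSOLETE):
        findings.append(f"obsolete protocol enabled: {proto}")
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 not explicitly enabled in ssl_protocols")
    if not has_ciphers:
        findings.append("ssl_ciphers not set: no explicit cipher suite list")
    if not has_hsts:
        findings.append("HSTS header (Strict-Transport-Security) missing")
    return findings

# Constructed sample configs, not taken from any real server.
WEAK = """
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # kept for legacy clients
}
"""
HARDENED = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

if __name__ == "__main__":
    print(audit_tls_config(WEAK), audit_tls_config(HARDENED), sep="\n")
```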

Conclusion

SSL and TLS are both protocols used to secure internet communication. While SSL was the original protocol, TLS is its successor. Today, TLS is the standard protocol used to secure websites and other online services, and SSL is considered outdated and insecure.