The Difference Between SSL and TLS
What is the relationship between an SSL vs TLS? Most of us are familiar with SSL (Secure Socket Layer) but not TLS (Transport Layer Security). Both protocols are used to transmit online data securely between two endpoints. SSL is older than TLS, but all SSL certificates can use both SSL and TLS encryption. TLS is the replacement protocol to SSL as TLS is the updated version of the SSL protocol. TLS operates similarly to SSL by using encryption methods to ensure secure communication.
We will call the actual certificate an SSL certificate to distinguish the encryption type, from the credentials. SSL has its origins in the early 1990s. Netscape and AOL first coined the term SSL.
TLS issues generally arise when the Apache service fails a PCI scan. You may have also noticed that your SSL certificate mentions TLS when you are ordering the certificate. Two questions now arise:
- What is TLS as it relates to an SSL?
- Which of the two should you be using?
In the upper left corner of a web page, you can see a green lock. This indicates the site is secured and communication is encrypted. While it may not appear to play a pivotal role, it actually plays a critical part in securing the site. The SSL is what your web browser uses to indicate the data being sent and received is secure. An SSL creates a secure tunnel for HTTPS communication to occur. TLS is the updated version of SSL and should be used. TLS version 1.3 is the latest implementation of this protocol.
HTTPS stands for Hyper Text Transfer Protocol Secure. This is different from regular HTTP which does not have SSL present. In the web browser's address bar, a red lock or a yellow triangle may be seen. This indicates that the connection is not encrypted.
A secure connection happens utilizing what's called a “handshake” between your browser and the web server. The server and a browser agree on a “secret” handshake between each other based upon the type of encryption used. This handshake forms the encryption from the interaction of the public and private certificate keys. The endpoints use this handshake to confirm the information transferred is only from the authenticated connection sources.
In the first connection process. The first transfer deals with the browser, using a browserhello, which is the first exchange in the handshake. The browser then states the version of TLS it accepts. The server then replies with a serverhello, which is the second exchange in the handshake. The server states the version of encryption that is used for the rest of the interaction. This is based upon the TLS level first connection.
This interaction usually forces the latest version of SSL/TLS that both the server and browser can share. Older browsers may not use the latest versions of TLS. If so, the server can disable specific outdated TLS/SSL versions. This ensures the connection to the server is more secure. In this way, new servers should disable the use of all SSL versions and even some older TLS versions. As of September 2018, PCI certification requires all SSL versions and TLS v1.0 disabled.
Recently, both Google and Firefox have penalizing non-SSL/TLS encrypted websites. The change now shows an explicit warning within the browser not using an SSL certificate. The browser will force an acknowledgment before proceeding to an insecure website prior to showing any content.
For sites that accept online payments, it is critical to use an SSL, and also enforce the latest TLS version. A PCI compliance scan requires that the domain use only newer TLS versions.
An Overview of SSL vs TLS Versions
SSL and TLS each have specific version types which declare the type of encryption that the SSL certificate will use. The SSL versions are:
- SSL v1
- SSL v2
- SSL v3
SSL v1 was never released to the public but notated in SSL v2. This was an improvement upon SSL v1 but was still problematic. SSL v3 fixed many of these initial bugs but was still exposed to attacks like the POODLE or DROWN vulnerabilities. SSL v3 reached End of Life in 2015.
Modern TLS encryption has evolved from v1.0 to the latest version v1.3 which was finalized on March 21st, 2018. The current evolution of TLS 1.3 was finalized as of August 2018 which was published in RFC 8446. The fuller iteration of TLS is reflected in the versions listed below.
- TLS v1.0
- TLS v1.1
- TLS v1.2
- TLS v1.3
Each of these versions addresses flaws from a previous edition onto the next. The newer encryption models are more modern and secure methods to encrypt data transport security. The later releases include the latest encoding which makes decryption by malicious third parties incredibly difficult. Conversely, the older versions have vulnerabilities that can easily be exploited to collect private data.
So, what is the difference between SSL and TLS?
To surmise, TLS is the next logical progression of SSL and the safer of the two protocols. Beyond this, they work in the same manner, but the newer versions use stronger encryption types. TLS version 1.3 is the newest and preferred protocol currently.
Do you have further questions related to security matters like this?
For Liquid Web customers, our talented Support Teams are full of experienced Linux technicians and System administrators who have intimate knowledge of the security technology discussed in this article. We are always available to assist with any issues 24 hours a day, 7 days a week 365 days a year.
If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at 800.580.4985, via chat, or support ticket to assisting you with this process.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.