What is Transport Layer Security (TLS)?
Transport layer security (TLS) is another security protocol designed for privacy and data security among Internet communications. It encrypts communication between web apps and servers and is also used to encrypt email, messaging, and voice over IP (VoIP).
What is Secure Sockets Layer (SSL)?
Secure Sockets Layer (SSL) is an encryption-based security protocol that ensures privacy, authentication, and data integrity in Internet communications. Its implementation is via hypertext transfer protocol secure (HTTPS) instead of the unencrypted hypertext transfer protocol (HTTP), creating a secure communication tunnel.
The Difference Between TLS vs SSL
TLS is the updated version of the SSL protocol. The differences between TLS vs SSL lie in the iterations or updates to the protocols themselves. Updated versions, new features, and patches to vulnerabilities allow improved security and encryption.
Even though TLS operates similarly to SSL, the certificate is still referred to as an SSL certificate to distinguish the encryption type from the credentials.
An Overview of TLS vs SSL Versions
TLS and SSL each have specific version types which declare the type of encryption that the SSL certificate will use. Each version brought about various changes over the years. The older versions had easily exploited vulnerabilities that enabled private data collection. Conversely, the later releases include the latest encoding, making decryption by malicious third parties incredibly difficult.
The SSL/TLS versions are:
- SSL v1: Never released to the public but was notated in SSL v2.
- SSL v2: An improved version though still problematic.
- SSL v3: Fixed many bugs but was vulnerable to the POODLE or DROWN vulnerabilities. It reached end of life in 2015.
- TLS v1.0: An upgraded version of SSL v3.
- TLS v1.1: Brought protection from cipher-block chaining (CBC) attacks and support for IANA registration of parameters.
- TLS v1.2: Brought sophisticated encryption enhancements and improved workstation and server ability to specify which hashes and signature algorithms they accept.
- TLS v1.3: Finalized on March 21, 2018, v1.3 brought newer encryption models for more modern and secure methods to encrypt data transport. The current iteration of TLS v1.3 was published in RFC 8446 as of August 2018.
Is Your Site Secure?
The address bar icons in a web browser determine if your site is secure:
- Solid Padlock: The site is secured, and communication is encrypted.
- Warning Triangle: Only partially secured or encrypted. Avoid sending sensitive information.
- Padlock With Red Strike: Not secure or encrypted. Avoid sending sensitive information.
To the left of the address bar is a solid padlock. It indicates the site is secured and communication is encrypted.
Explaining the Handshake
A secure connection happens using what is known as a handshake between your browser and the web server. It forms the encryption from the interaction of the public and private certificate keys. The endpoints use the handshake to confirm the information transferred is only from the authenticated connection sources.
Here would be the progression of the handshake:
- The first exchange in the handshake comes from the browser via the client, stating the version of TLS it accepts.
- In the second exchange, the server states the encryption version used the rest of the interaction based on the first connection’s TLS level.
The interaction forces the latest version of SSL/TLS that both the server and browser can share. However, older browsers may not use the latest versions of TLS. If so, the server disables specific outdated TLS/SSL versions, ensuring a secure connection to the server.
This version control is crucial for sites accepting and storing online payments. Current PCI certification requires disabling all SSL versions and TLS v1.0 and using TLS v1.1 or higher. The use of TLS v1.1 requires proper configuration.
Both Google and Firefox have penalized non-SSL/TLS encrypted websites. The change shows an explicit warning within the browser for sites not using a valid SSL certificate. In addition, it forces an acknowledgment before proceeding to an insecure website and showing any content.
Considering TLS vs SSL, the latter is the next logical progression of SSL and the safer of the two protocols. However, while they work in the same manner, the newer versions use more substantial encryption types. Therefore, TLS v1.3 is not only the latest but the preferred protocol.
There are several kinds of SSL certificates from which to choose. If you are already hosting with Liquid Web, our support team can assist you with the best one for your needs. If you are not a Liquid Web customer yet, check out our managed hosting options or contact our sales team to get started and set up your SSL certificate.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.