When considering the difference between SSL and TLS, you’ll find that the main difference lies in what is still in use. SSL has been deprecated, but because SSL evolved into the brand new and “shiny” TLS, the industry has decided to refer to it as SSL/TLS or only TLS. However, there are technical differences between the two types of cryptographic protocols as well.
SSL vs TLS
SSL (secure sockets layer) and TLS (transport layer security) were developed to provide a secure, encrypted communication channel to protect end users’ privacy and data integrity. SSL is the older of the two encryption protocols. TLS is not only used to secure the otherwise unencrypted, insecure HTTP protocol for web browsing but also the file transfer protocol (FTP) and virtual private networks (VPNs), making it an essential protocol for internet security.
SSL, initially developed by Netscape, has two publicly released versions: SSL 2.0, published in 1995, and SSL 3.0, released in 1996. TLS 1.0 was released in 1999 with an SSL fallback mechanism that made it backward compatible and very similar to SSL v3.0. The most plausible reason to rename the suite of protocols as TLS was to develop it as an open standard and to avoid lawsuits with Netscape.
| SSL Versions | TLS Versions |
| --- | --- |
| SSL 1.0 – This was never released due to known, serious security flaws in the protocol. | TLS 1.0 – This was released in 1999 as an upgrade to SSL v3.0. |
| SSL 2.0 – The first public release of SSL occurred in 1995. | TLS 1.1 – Released in 2006, TLS 1.1 offered protection against cipher block chaining (CBC) attacks. |
| SSL 3.0 – This version of SSL, released in 1996, was deprecated in June 2015 due to vulnerabilities such as POODLE. | TLS 1.2 – Released in 2008, this version of TLS made several security improvements, such as support for authenticated encryption and the use of SHA-2 in addition to SHA-1. |
| | TLS 1.3 – Published in 2018; disables support for insecure and legacy features in addition to improved security. |
How TLS Works
TLS establishes a two-way encrypted tunnel between the client (end user’s browser) and your web server for data transfer. It is used in combination with other internet protocols such as HTTPS (HTTP over TLS), FTPS, etc.
It is composed of two layers:
- The TLS handshake protocol manages the authentication for server and client and allows them to negotiate an encryption algorithm and exchange cryptographic keys. The handshake process is performed only once before the data transmission to establish a secure, encrypted connection between both parties.
- The TLS record protocol ensures that the connection is private and reliable. It acts as an encapsulating layer for higher-level protocols: it takes the data from user applications, fragments it into records, protects each record with the negotiated cipher, and passes it to the network transport layer.
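To make the two layers concrete, here is an added example in Python (not code from the original article) that builds a sample ClientHello wrapped in a TLS record, parses the record header and then the handshake body, and flags any deprecated version from the table above that the client is willing to negotiate. The ClientHello bytes are constructed inline rather than captured from a real connection, and the function names are the example's own.

```python
"""Parse a TLS record carrying a ClientHello and flag deprecated protocol versions.

Added example, not code from the original article. The ClientHello bytes are
constructed by build_client_hello() for the demo rather than captured from a
real connection; only the TLS 1.0+ record framing is handled (SSL 2.0 used a
different message format).
"""
import struct

# Wire encoding (major, minor) of each protocol version from the table above.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}

CONTENT_TYPE_HANDSHAKE = 22   # record layer: this record carries handshake messages
HANDSHAKE_CLIENT_HELLO = 1    # handshake layer: message type ClientHello
EXT_SERVER_NAME = 0           # SNI extension
EXT_SUPPORTED_VERSIONS = 43   # TLS 1.3 clients list every offered version here


def version_name(pair):
    pair = tuple(pair)
    return VERSION_NAMES.get(pair, "unknown %d.%d" % pair)


def build_client_hello(server_name, offered_versions):
    """Construct a minimal ClientHello inside a TLS record (sample input only)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data

    versions = b"".join(bytes(v) for v in offered_versions)
    sv_data = bytes([len(versions)]) + versions
    ext_sv = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data

    extensions = ext_sni + ext_sv
    body = (
        b"\x03\x03"                   # legacy_version: TLS 1.3 clients keep this at 1.2
        + bytes(32)                   # client random (all zeros: sample only)
        + b"\x00"                     # empty session id
        + b"\x00\x02\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type, version (real clients send 3.1 here for compatibility), length.
    header = bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return header + handshake


def parse_client_hello(record):
    """Walk the record layer, then the handshake layer, and return the fields of interest."""
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = payload[0], int.from_bytes(payload[1:4], "big")
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")

    legacy_version = (body[0], body[1])
    pos = 2 + 32                                  # skip legacy_version and client random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods

    info = {
        "record_version": version_name((major, minor)),
        "legacy_version": version_name(legacy_version),
        "cipher_suites": cipher_suites,
        "server_name": None,
        "offered_versions": [],
    }
    if pos + 2 <= len(body):                      # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                info["server_name"] = data[5:5 + name_len].decode()
            elif ext_type == EXT_SUPPORTED_VERSIONS:
                count = data[0]
                info["offered_versions"] = [version_name(data[i:i + 2]) for i in range(1, 1 + count, 2)]
    if not info["offered_versions"]:
        # Pre-TLS 1.3 clients announce only their highest version in client_version.
        info["offered_versions"] = [info["legacy_version"]]
    return info


def deprecated_versions_offered(record):
    """Detection check: the deprecated versions a ClientHello is willing to negotiate."""
    return [v for v in parse_client_hello(record)["offered_versions"] if v in DEPRECATED]
```

Note that the record header carries its own version field (3.1) separate from the versions the client actually offers; a check that looks only at the record header would misclassify a modern client, which is why the parser reads the supported_versions extension and falls back to client_version only when that extension is absent.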
HTTPS and TLS
HTTP is the non-secure protocol that is used for viewing web pages. The problem with HTTP is that the information exchanged between the client and server is sent over the wire in plaintext, making it susceptible to man-in-the-middle (MitM) attacks. If a hacker were to sniff the traffic between your machine and the web server, he would be able to read all the information you typed into the web page.
With the secure hypertext transfer protocol (HTTPS), the data on the network is encrypted using encryption algorithms before being sent to the web server. This is especially relevant for e-commerce websites or any web page where the user enters sensitive information such as passwords or credit card details. In the case of HTTPS, this data is scrambled into an unreadable form before being sent over the network. If a hacker sniffs the network, he’ll end up with encrypted, garbled, and meaningless data that can’t be cracked without the decryption key.
When a computer connects to a web server, the client will ask the server to identify itself. The server then sends a copy of its SSL/TLS certificate that was issued by a trusted third party (your certificate authority) that is used to authenticate the identity of a website. Once the trust of a server is established, an SSL session can proceed, and encrypted data can be exchanged securely between the client and the server.
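Whether the trust described above is actually established depends on the client's verification settings. The following added example (not code from the original article) builds a Python ssl client context two ways, strict and deliberately weakened, and audits each for the checks that must hold before the server's certificate can authenticate it: verification against a trusted CA, a hostname match, and a minimum of TLS 1.2. It makes no network connection, and make_client_context and audit_context are the example's own names.

```python
"""Build a client-side TLS context and audit it for the checks that establish server trust.

Added example, not code from the original article. Uses only the standard
library ssl module and opens no connection; the "weak" variant reproduces
the settings often applied as a quick fix for certificate errors.
"""
import ssl


def make_client_context(strict=True):
    """strict: verify the chain and hostname, TLS 1.2+.  weak: trust anything, allow TLS 1.0."""
    # create_default_context() loads the platform trust store and enables
    # CERT_REQUIRED plus hostname checking for client use.
    ctx = ssl.create_default_context()
    if strict:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Order matters: hostname checking must be off before verification can be disabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx):
    """Return findings explaining why a context would not authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("certificate names are not matched against the requested hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts deprecated protocol version %s" % ctx.minimum_version.name)
    return findings


if __name__ == "__main__":
    for label, strict in (("strict", True), ("weak", False)):
        print(label, audit_context(make_client_context(strict=strict)) or ["ok"])
```

The audit mirrors the three steps the paragraph describes: the certificate must chain to a trusted CA, it must name the server actually being contacted, and the negotiated protocol must be one that is still supported; a context failing any of these can complete a handshake without proving who is on the other end.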
In an attempt to phase out non-encrypted websites, Google is now flagging sites with a not-secure warning if they are not SSL/TLS secured and using HTTPS.
Clearly, SSL/TLS certificates are integral to the process of securing your domain. But what exactly is an SSL or TLS certificate, and what types of SSL certificates are available?
SSL/TLS certificates are X.509 digital security certificates that are installed on your web server to facilitate the SSL/TLS handshake process we mentioned earlier. But what is the difference between an SSL certificate and a TLS certificate? When the Internet Engineering Task Force (IETF) deprecated both SSL 2.0 and 3.0 to make way for TLS, SSL certificates were replaced by TLS certificates.
So, why do people still refer to TLS certificates as SSL certificates? Frankly, our industry is a bit slow when it comes to adapting to new terminology, and vendors continue to use the phrase “SSL/TLS certificate.” In a general sense, they are essentially one and the same.
SSL/TLS certificates are typically identified by their validation level or functionality.
The Validation Levels of SSL/TLS Certificates
SSL/TLS certificates are offered with three levels of validation:
- Domain Validation (DV): The CA verifies whether the applicant has rights to the specific domain name (typically through email verification). No additional information is vetted, and DV certificates can be issued within minutes.
- Organization Validation (OV): The CA not only verifies that the applicant has rights to the specific domain name but also conducts additional investigations of the applicant’s organization on a basic level. This information is displayed on the certificate for enhanced trust from the site’s end users.
- Extended Validation (EV): The CA verifies the business’s legal existence and ownership, and the applicant must provide acceptable documentation about the company and its ownership. Apart from confirming that the applicant has rights to the specific domain, a thorough investigation of the company is done, and this information is displayed on the certificate.
SSL/TLS Certificates, Listed by Functionality
Based on their functionality SSL/TLS certificates can be categorized as follows:
- Single Name SSL Certificate: One certificate to cover one fully qualified domain name (e.g., www.yourdomain.com). It does not include any other domain, though if generated with www, most CAs secure the non-www version as well. It is available for all levels of validation.
- Multi-Domain/SAN/UCC: One certificate to cover multiple domains (e.g., www.yourdomain.com, www.site.com, www.example.net, etc.), and applicants can add or delete SANs as per their requirements. All domains will have the same level of validation.
- Wildcard SSL Certificate: Issued to use one certificate on an unlimited number of subdomains at a specific level. EV certificates are not issued in conjunction with wildcard SSL certificates. For example, *.site.com will secure blog.site.com, products.site.com, dev.site.com, etc.
- Multi-Domain Wildcard SSL: Issued to secure more than one domain and multiple levels of subdomains using a single certificate. For example, one certificate can be used to secure *.site.com, *.example.com, *.blog.site.com, etc.
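The four certificate types above differ only in which names they list, so the same matching logic decides whether a given certificate covers a requested hostname. The added example below (not code from the original article) implements the wildcard rules browsers apply, following RFC 6125: names compare case-insensitively, a wildcard must be the entire leftmost label, and it matches exactly one label, so *.site.com covers blog.site.com but neither site.com nor a.dev.site.com. The SAN lists are constructed for the demo, one per certificate type, and name_matches and covering_name are the example's own names.

```python
"""Decide which name on a certificate covers a requested hostname, wildcards included.

Added example, not code from the original article. Matching follows the
RFC 6125 convention: case-insensitive labels, a wildcard only as the whole
leftmost label, matching exactly one label. The SAN lists are constructed
samples, one per certificate type described above.
"""


def name_matches(cert_name, hostname):
    """True if a single certificate name (CN or SAN dNSName) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                      # a wildcard never spans more than one label
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False                  # refuse names like *.com (no public-suffix list here)
        return host_labels[0] != "" and cert_labels[1:] == host_labels[1:]
    if "*" in cert_name:
        return False                      # partial wildcards such as f*.site.com are not accepted
    return cert_labels == host_labels


def covering_name(cert_names, hostname):
    """Return the first certificate name that covers hostname, or None if it is not covered."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed SAN lists, one per certificate type from the list above.
SINGLE_NAME = ["www.yourdomain.com", "yourdomain.com"]           # www plus the non-www name
MULTI_DOMAIN = ["www.yourdomain.com", "www.site.com", "www.example.net"]
WILDCARD = ["*.site.com", "site.com"]                             # CAs usually add the bare domain
MULTI_DOMAIN_WILDCARD = ["*.site.com", "*.example.com", "*.blog.site.com"]


if __name__ == "__main__":
    for cert, host in ((SINGLE_NAME, "blog.yourdomain.com"), (WILDCARD, "blog.site.com"),
                       (WILDCARD, "a.dev.site.com"), (MULTI_DOMAIN_WILDCARD, "x.blog.site.com")):
        print(host, "->", covering_name(cert, host))
```

The a.dev.site.com case is the one that catches people out: a wildcard certificate for *.site.com protects one level of subdomains only, which is why the multi-domain wildcard list needs a separate *.blog.site.com entry to cover hosts two levels down.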