If you only have a general knowledge of web hosting, there’s a good chance that you both the terms SSL (Secure Sockets Layers) and TLS (Transport Layer Security) in the same context and you are not sure what the difference is between the two. There have been four iterations of the TLS protocol. SSL has been (or is supposed to be) entirely deprecated. So, what’s the difference between SSL and TLS and why are the two terms connected?
A Brief History of SSL and TLS
SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines, and applications operating over a network (e.g. a client connecting to a web server). In reality, SSL is only about 25 years old. But in internet years, that’s ancient. The first iteration of SSL, version 1.0, was first developed in 1995 by Netscape but was never released because it was riddled with serious security flaws. SSL 2.0 wasn’t a whole lot better, so just a year later SSL 3.0 was released. Again, it had serious security flaws.
At that point, the guys at Consensus Development took a crack at it and developed TLS 1.0. TLS 1.0 was incredibly similar to SSL 3.0 – in fact it was based on it – but still different enough to require a downgrade before SSL 3.0 could be used. As the creators of the TLS protocol wrote:
“The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate.”
Downgrading to SSL 3.0 was still dangerous, though, given its known, exploitable vulnerabilities. All an attacker needed to do to target a website was downgrade the protocol to SSL 3.0. Hence, the birth of downgrade attacks. That ended up being the nail in the coffin for TLS 1.0.
TLS 1.1 came out seven years later in 2006, replaced by TLS 1.2 in 2008. That hurt TLS 1.1 adoption as many websites simply upgraded from 1.0 to TLS 1.2. We are now at TLS 1.3, which was finalized in 2018 after 11 years and nearly 30 IETF drafts.
TLS 1.3 makes significant improvements over its predecessors and right now major players around the internet are pushing for its proliferation. Microsoft, Apple, Google, Mozilla, and Cloudflare all announced plans to deprecate both TLS 1.0 and TLS 1.1 in January 2020, making TLS 1.2 and TLS 1.3 the only game in town.
At any rate, we’ve been using TLS for the past couple decades. At this point, if you’re still using SSL you’re years behind, metaphorically living in a forlorn era where people still use phone lines to dial on to the internet.
Without getting too technical, the main difference between SSL and TLS is how they establish secure connections. Both do it through a process known as “the handshake”, which is how the server and the client authenticate each other before finally creating an encrypted connection. The SSL handshake is quite different to the TLS handshake.
The SSL version involves using a port to make what is known as an explicit connection. TLS, on the other hand, connects via a protocol, which is known as an implicit connection. The process of both SSL and TLS handshakes is dictated by something known as cipher suites, algorithms that outline the sequence of steps that must be performed in order to execute a cryptographic function. The cipher suites used by SSL and TLS are very different, with TLS-supported cipher suites being faster and more secure than those supported by SSL.