Cybersecurity is one of the most important aspects that any firm with an online presence needs to be on top of. Unfortunately, that’s often easier said than done. The world of cybersecurity is awash with jargon and acronyms, of which SSL and TLS are two prime examples. These acronyms are crucial in terms of cybersecurity, yet many people don’t really know what they mean, or appreciate the differences between them…
Socket to me
SSL is an abbreviation of Secure Sockets Layer. It’s a protocol first developed to transmit information privately online, maintaining message integrity and server identity. Conversely, rival protocol TLS (which stands for Transport Layer Security) was developed as a successor to SSL. This is the best-known protocol, but it’s TLS which is now the most commonly used on web browsers and email servers. Before we determine how the protocols differ, it’s worth considering what encryption and authentication are all about.
Encryption and authentication
Secure websites use encryption and authentication standards to protect confidential information. When you connect to a secure site using SSL or TLS, your browser asks the server to confirm its identity and to authenticate itself. The authentication process utilizes cryptography to verify the server via an independent and trusted third party. The site will only be verified as being secure if it holds a certificate with the third party. Protocols like SSL and TLS also encrypt data you send, to ensure privacy.
The protocols incorporate a mechanism to detect any changes to the data in transit, helping eliminate any eavesdropping or tampering with the data. This feature of SSL and TLS protocols is essential for transmitting financial and other confidential information. Nonetheless, for security standards like TLS and SSL to work, a browser and a server must both be configured to use it. A server configured for SSL cannot work with a browser configured for TLS.
Breaking with protocol
SSL was developed by Netscape in 1994. It was the first protocol to provide secure HTTP (HTTPS) for transactions between browsers and servers. SSL 2.0 was the first version of the protocol available to the public, launched in 1995, but this was replaced by the improved SSL 3.0 a year later. By contrast, TLS was created by the Internet Engineering Task Force (IETF) in 1999. They envisaged it as a successor to SSL, and it was developed primarily due to the issues related to SSL being the property of a private company.
The same but different
At the time of TLS’s introduction, a memo was released by the IETF. In it, they discussed the differences between their protocol and its predecessor:
‘The differences between the protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS and SSL 3.0 do not interoperate.’
This explains why servers and browsers must each be configured to the same protocol. It also explains why there’s so much confusion as to the differences between SSL and TLS. On a practical level, TLS is simply the updated version of SSL with a new name. The older protocol has more vulnerabilities and some browsers will warn users of those risks when encountering a server using it. These sites won’t display the HTTPS padlock or might have it crossed out.
In truth, the differences aren’t particularly significant. When most people talk about SSL today, they’re really referring to its more sophisticated younger sibling. The acronyms are interchangeable, even though the older and more established term is still better-known and understood.