GlobalSign Blog

07 Jul 2016

SSL vs. TLS - What's the Difference?

Internet security is a bit like alphabet soup – SSL, TLS, ECC, SHA, the list goes on. All these acronyms can make it confusing to figure out what you actually need. Perhaps the one we get asked about most is: what’s the difference between SSL (Secure Sockets Layer) and TLS (Transport Layer Security)? You know you want to secure your website (or other type of communication), but do you need SSL? TLS? Both? Let’s break it down.

A Brief History of SSL and TLS

SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines and applications operating over a network (e.g. a client connecting to a web server). SSL is the predecessor to TLS. Over the years, new versions of the protocols have been released to address vulnerabilities and support stronger, more secure cipher suites and algorithms.

SSL was originally developed by Netscape and first came onto the scene way back in 1995 with SSL 2.0 (1.0 was never released to the public). Version 2.0 was quickly replaced by SSL 3.0 in 1996 after a number of vulnerabilities were found. Note: Versions 2.0 and 3.0 are sometimes written as SSLv2 and SSLv3.

TLS was introduced in 1999 as a new version of SSL and was based on SSL 3.0:

“The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate.”

(source: RFC 2246, the TLS 1.0 specification)

TLS is currently at version 1.2, with version 1.3 still in draft.

Should You Be Using SSL or TLS?

Both SSL 2.0 and 3.0 have been deprecated by the IETF (in 2011 and 2015, respectively). Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL protocols (e.g. POODLE, DROWN). Most modern browsers will show a degraded user experience (e.g. line through the padlock or https in the URL bar, security warnings) when they encounter a web server using the old protocols. For these reasons, you should disable SSL 2.0 and 3.0 in your server configuration, leaving only TLS protocols enabled.

Certificates are not the same as protocols

Before anyone starts worrying that they need to replace their existing SSL Certificates with TLS Certificates, it’s important to note that certificates are not dependent on protocols. That is, you don’t need to use a TLS Certificate vs. an SSL Certificate. While many vendors tend to use the phrase “SSL/TLS Certificate”, it may be more accurate to call them “Certificates for use with SSL and TLS”, since the protocols are determined by your server configuration, not the certificates themselves.

It’s likely you will continue to see certificates referred to as SSL Certificates because at this point that’s the term more people are familiar with, but we’re beginning to see increased usage of the term TLS across the industry. SSL/TLS is a common compromise until more people become familiar with TLS.

Disabling SSL 2.0 and 3.0

If you’re not sure if your servers are still supporting SSL protocols, you can easily check using our SSL Server Test.

Results of GlobalSign server test highlight any protocols that are enabled, but shouldn’t be.

For instructions on how to disable SSL 2.0 and 3.0 on popular server types, including Apache, NGINX and Tomcat, check out our related support article.
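As an added example (not code from the GlobalSign article or its support article), here is a small Python checker that reads Apache `SSLProtocol` and nginx `ssl_protocols` lines from a configuration and reports which of the deprecated SSL versions each line still leaves enabled. The sample configuration lines are constructed; the expansion of Apache's `all` keyword to every protocol name is a deliberately conservative assumption, since what `all` really covers depends on the OpenSSL build.

```python
import re

# Protocol names as spelled in mod_ssl and nginx directives; the lookup is
# case-insensitive because mod_ssl compares tokens that way.
KNOWN = {n.lower(): n for n in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
DEPRECATED = {"SSLv2", "SSLv3"}  # the versions the article says to disable

def _lookup(token):
    if token.lower() not in KNOWN:
        raise ValueError(f"unknown protocol token: {token!r}")
    return KNOWN[token.lower()]

def apache_protocols(args):
    """Effective protocols for the argument string of an Apache 'SSLProtocol' line.
    Mirrors mod_ssl: '+' adds, '-' removes, and a bare token REPLACES the current set
    (so 'TLSv1.1 TLSv1.2' leaves only TLSv1.2). 'all' is assumed to mean every KNOWN name."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("", tok)
        this = set(KNOWN.values()) if name.lower() == "all" else {_lookup(name)}
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    return enabled

def nginx_protocols(args):
    """Effective protocols for an nginx 'ssl_protocols' line: a plain allow-list."""
    return {_lookup(tok) for tok in args.rstrip(";").split()}

def audit(config_text):
    """Return [(line_no, directive, deprecated_protocols_still_enabled)] per directive found."""
    findings = []
    pattern = re.compile(r"^[ \t]*(SSLProtocol|ssl_protocols)[ \t]+([^;#\n]+)", re.M)
    for m in pattern.finditer(config_text):
        directive, args = m.group(1), m.group(2).strip()
        enabled = apache_protocols(args) if directive == "SSLProtocol" else nginx_protocols(args)
        line_no = config_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, directive, enabled & DEPRECATED))
    return findings

# Constructed sample: a weak Apache line, the fixed one, then the same pair for nginx.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""
```

Running `audit(SAMPLE)` flags lines 1 and 3 for SSLv3 and reports lines 2 and 4 as clean; point it at your own `httpd.conf` or `nginx.conf` text to get the same report.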

So what's the difference between SSL and TLS? In conversation, not much and many people continue to use the term SSL. In terms of your server configuration though, it's the difference between vulnerabilities, outdated cipher suites and browser security warnings. When it comes to your servers, you should only have TLS protocols enabled.

Have more questions about SSL/TLS configuration and best practices? Let us know in the comments; we’re happy to help!
