+3 votes
79 views
in security by (242k points)
reopened
SSL and TLS - what's the difference?

1 Answer

+4 votes
by (1.6m points)
 
Best answer


Securing data connections has become an indispensable part of the Internet. But what is the difference between the SSL and TLS protocols?


Both SSL and TLS are protocols that securely authenticate and transport your data on the Internet. Colloquially, TLS is still referred to as SSL today, although SSL is now out of date. You can read below why this is and how SSL and TLS actually differ.

SSL and TLS: A Brief Introduction

Both SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt your data so that it can be securely transmitted over the Internet. For example, if you process credit card payments on your website, the encryption protocols can be used to process the data securely so that third parties cannot influence the process. SSL is the predecessor of TLS and no longer corresponds to the current state of the art. Before we explain the main differences between the protocols, let's give you a brief historical overview.

  • SSL 1.0: Never released to the public due to security issues.
  • SSL 2.0: Released in 1995. Obsolete since 2011.
  • SSL 3.0: Released in 1996. Obsolete since 2015.
  • TLS 1.0: Released in 1999 as an upgrade to SSL 3.0. Obsolete since 2020.
  • TLS 1.1: Released in 2006. Obsolete since 2020.
  • TLS 1.2: Released in 2008.
  • TLS 1.3: Released in 2018.

Based on the classification, it becomes clear that SSL is now out of date and Transport Layer Security is the currently used protocol. The TLS protocol is primarily aimed at ensuring data protection and data integrity between two or more communicating computer applications. SSL is still the common term these days, even though TLS is often used.

The difference between SSL and TLS

If you establish a connection between a client (e.g. a browser such as Google Chrome) and a server (e.g. heise.de) via TLS or SSL, you can see from a small lock symbol that you have established an encrypted connection to the website. This process is also known as a handshake. It should be noted that SSL and TLS are just the protocols. Further information on authentication (such as the unique fingerprint or the identity of the website operator) can be found in the so-called certificate.

The connection between the browser and heise.de is encrypted via TLS.

So are SSL and TLS the same thing? No, not really. Although the terms are used synonymously in common parlance, TLS is the more secure protocol and a further development of SSL. Over the years, vulnerabilities have been and are still being discovered in the legacy SSL protocols. Each newly published version of the protocol comes with its own improvements and new functions. SSL version 1.0 was never released. Version 2.0, on the other hand, was, but had some major flaws. SSL version 3.0 was a rewrite of version 2.0 (to address these shortcomings - with limited success). On the other hand, there is TLS version 1.0, which is an improvement on SSL version 3.0. The changes were minor between TLS 1.0 and 1.1. TLS 1.2 brought some significant changes, and TLS 1.3 has optimized the entire encryption process.

One difference between the protocols is the type of key exchange. TLS uses the Digital Signature Standard and the Ephemeral Diffie-Hellman algorithm combined with RSA, which offers better protection against later decryption. SSL uses an older encryption algorithm that could already be decrypted by attacks.

Furthermore, SSL and TLS differ in the type of log recording. SSL uses the Message Authentication Code (MAC) after encryption, while TLS uses HMAC - a hash-based message authentication code. In short, your messages are pseudo-randomly encrypted using TLS, which makes them more secure against attacks.

The simple reason why many websites are still talking about SSL certificates is basically just a branding problem. Most of the major certificate providers still refer to certificates as SSL certificates, which is why the naming convention remains. In conclusion, the conclusion remains: SSL and TLS are related, but not synonymous.

Tip: If you would like to find out more about SSL and issued certificates, read the relevant article.
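
To check which of the versions listed above a client actually proposes during the handshake, the following added example (not part of the original answer) parses a ClientHello and flags any version the list marks as obsolete. The function names and the sample bytes are constructed for illustration; the status labels are taken from the release list in the answer.

```python
import struct

# Wire version -> (name, status); status follows the release list in the answer above.
VERSIONS = {0x0300: ("SSL 3.0", "obsolete"), 0x0301: ("TLS 1.0", "obsolete"),
            0x0302: ("TLS 1.1", "obsolete"), 0x0303: ("TLS 1.2", "current"),
            0x0304: ("TLS 1.3", "current")}

def offered_versions(record: bytes) -> list[int]:
    """Versions a ClientHello offers, highest first (SSL 2.0 hellos use another format)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        legacy = struct.unpack_from("!H", record, 9)[0]
        pos = 11 + 32                                        # past client_version + random
        pos += 1 + record[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                               # compression_methods
        if pos < len(record):                                # extensions are optional
            end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", record, pos)
                if ext_type == 43:                           # supported_versions
                    count = record[pos + 4] // 2
                    found = struct.unpack_from(f"!{count}H", record, pos + 5)
                    return sorted((v for v in found if v in VERSIONS), reverse=True)
                pos += 4 + ext_len
        return [legacy] if legacy in VERSIONS else []
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def audit(record: bytes) -> dict:
    """Name the highest offered version and list any obsolete ones still offered."""
    offered = offered_versions(record)
    return {"highest": VERSIONS[offered[0]][0] if offered else None,
            "obsolete": [VERSIONS[v][0] for v in offered if VERSIONS[v][1] == "obsolete"]}

def sample_hello(legacy: int, supported: tuple = ()) -> bytes:
    """Constructed ClientHello for the demo: one cipher suite, null compression."""
    ext = b""
    if supported:
        body = bytes([2 * len(supported)]) + struct.pack(f"!{len(supported)}H", *supported)
        ext = struct.pack("!HH", 43, len(body)) + body
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(audit(sample_hello(0x0303, (0x0304, 0x0303))))  # modern client
    print(audit(sample_hello(0x0301)))                    # TLS 1.0-only client
```

A client that sends the supported_versions extension is judged by that list; otherwise only the legacy version field is available, which gives the highest version the client supports.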

