What’s the Difference Between SSL and TLS?
For any new web developer or website owner, understanding the role of SSL and TLS is an important early lesson. Why does it matter? No matter the purpose of your website, you will benefit from investing in security. From keeping customer data safe to improving your rank in search engines, understanding SSL and TLS is a key step to success.
In this article, we'll discuss the difference between SSL and TLS to help you navigate this important area of website and server management.
Overview on Encrypted Connections
When your browser connects to a website, you may transmit sensitive information such as payment details to the server hosting the website you are connected to. Without encryption technology in place to obfuscate the data, this information could be intercepted in transit to the server and be read just like a postcard. Encryption is a process by which useful data is scrambled so that it is useless to anyone who intercepts it.
This data is encrypted using algorithms. If you know the algorithm that has been used, and you have access to the encrypted data, you can unscramble the data and reveal the contents. SSL and TLS are both encryption protocols used for this process.
How Encryption Works
In order to facilitate this encryption process between client and server, a product called an "SSL Certificate" is used. This process involves the website owner ordering a certificate from a Certificate Authority such as Comodo or DigiCert.
First, the website owner will generate a private key which will be stored on the server. Based on the private key, the website owner will generate a Certificate Signing Request and send it to the Certificate Authority. The Certificate Authority will validate the order based on the validation methods discussed at the end of the article, and issue the SSL Certificate. Finally, the website owner will install the SSL Certificate on their server.
SSL and TLS are the encryption protocols which facilitate this process.
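The four steps above (private key, Certificate Signing Request, issuance, installation), carried out with the openssl command-line tool as an added example that is not part of the original article. The Certificate Authority step is replaced by a self-signed certificate so that it runs offline; the hostname example.test and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: key -> CSR -> certificate -> pre-install check with openssl.
# Assumption: a real CA would validate the domain and sign the CSR; here the
# request is self-signed only so the resulting chain can be checked offline.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="example.test"   # constructed placeholder hostname

# Step 1: generate the private key. It stays on the server and is never sent
# to the Certificate Authority, so restrict its file permissions immediately.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Step 2: build the Certificate Signing Request from the private key. Only the
# public half of the key and the requested subject name go into the CSR.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
        -out "$WORK/server.csr" 2>/dev/null
}

# Step 3 (stand-in for the CA): sign the CSR and emit the certificate.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -days 30 -out "$WORK/server.crt" 2>/dev/null
}

# Step 4, before installing: the certificate must carry the public key that
# belongs to the server's private key, or every handshake will fail. Comparing
# SHA-256 digests of the two public keys is the usual check.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Report the subject name the certificate was issued for.
cert_subject() {
    openssl x509 -in "$WORK/server.crt" -noout -subject
}

gen_key && gen_csr && sign_csr
key_matches_cert && echo "key and certificate match: $(cert_subject)"
```

On a real deployment the file from step 3 comes back from the CA and replaces server.crt; the step 4 check is the same.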
What is SSL?
SSL stands for Secure Sockets Layer. Since its introduction in 1995 by Netscape, SSL has become one of the fundamental components of website security. The SSL protocol has largely been replaced by TLS due to security vulnerabilities.
What is TLS?
SSL is the predecessor of TLS (Transport Layer Security). TLS was introduced in 1999 based on the SSL 3.0 protocol and developed to address security concerns with the SSL protocol.
Since the introduction of TLS, further vulnerabilities in SSL 2.0 and SSL 3.0 have been discovered, and these protocols should no longer be used. Browsers will display a warning that the connection is not secure if a website still uses these protocols to encrypt the connection.
On a technical level, SSL and TLS are quite different. However, the steps involved in establishing a secure connection between a client and a server are the same regardless of which protocol is used. The ‘handshake’, the process that occurs when a computer connects to a website with an SSL certificate, is the same whether the website uses SSL or TLS.
Why do we still call them SSL Certificates?
You may be wondering why providers continue to refer to these security certificates as SSL certificates when the SSL protocol has been largely replaced by TLS.
The deprecation of the SSL protocol only gained wide acceptance in 2014, after the discovery of the POODLE vulnerability. As such, the term "SSL Certificate" has been in use for many years and will likely continue to be used out of habit. While the more appropriate term would be "TLS Certificate" or "Security Certificate", we will see if this ever catches on.
Why it’s Important
SSL certificates are needed for your computer to be able to open a secure connection with a web server. SSL certificates let your browser know that it can trust websites with your sensitive data. Websites with SSL certificates can be accessed by using https:// instead of http://. The added ‘s’ denotes the secure layer. If the https:// address cannot be opened, the website uses unencrypted connections. When you are using a secure connection, you will see a padlock icon next to the URL in most web browsers.
SSL certificates aren’t just for e-commerce stores, however. There are a number of reasons it is worth investing in an SSL certificate for your website at the earliest opportunity. For one thing, Google likes them. Over time, Google’s algorithms have become much smarter about the way they rank websites. Having an SSL certificate is an easy way to bump up your general SEO.
Google’s Chrome browser, since version 62, will mark any websites that contain text fields but no SSL certificate as being insecure. Some browsers allow users to set them to only connect to websites that support secure connections.
Is SSL Dead?
In short: no. The latest version of TLS is considerably more secure than SSL. Most devices today support TLS, but there are still exceptions. It is also possible for a malicious actor to force an SSL connection between their computer and a server. This is known as a “downgrade attack” and can seriously undermine the security of a connection.
However, it should be noted that since version 1.3 of TLS, these downgrade attacks have become theoretically obsolete. SSL is beginning to catch up to the landscape of the modern internet, but TLS is always preferred nowadays.
Using TLS
In order to utilize TLS for your website, you will need to secure hosting on a server with TLS support. The vast majority of web hosting providers today offer TLS by default. You should aim to use the latest version of TLS and should never use any version before TLS 1.1.
There are different types of SSL certificate available, which we will cover below, but they all function in the same way. These different certificate types represent different levels of trust: you need to trust an e-commerce site that you buy from much more than you do a blog that you read. Whether you use a free SSL certificate or a paid one, your website will use encrypted connections.
Certificate Types
All SSL and TLS certificates are referred to as SSL certificates. Unless a specific version of SSL or TLS is mentioned, they are generally interchangeable.
Domain Validated Certificates
These are the most basic type of SSL certificate available. A domain validated certificate is verified by contacting an email address based on the domain name, or an email address listed in the public WHOIS directory.
This type of certificate is the cheapest and accounts for most of the free SSL certificates out there. As these certificates are not manually validated, they don't trigger a green bar or lock to display in a browser, signifying a higher level of "trust" in the website.
Organization Validated Certificates
Organization validated certificates are used by commercial businesses that operate online. When you register for an OV certificate, the Certificate Authority will check against government registry databases to ensure that the site is real. Once this is done, browsers will display a green bar or the organization name next to the website URL.
Extended Validation Certificate
EV certificates are vetted like OV certificates are, albeit much more stringently. While an OV is vetted once, an EV is continually monitored to ensure that the certificate remains valid and the information therein verified.
This strict verification process and monitoring are not cheap, which is reflected in the price you will pay.
Cybersecurity is one of the most complex subjects that new website owners will have to familiarise themselves with. The confusion surrounding TLS and SSL only makes this more difficult. The good news is that as long as you use a reputable web hosting provider, securing your site with an SSL certificate is as easy as checking a box. Regardless of your website type or size, you should always have an SSL certificate in place.