Internet security is filled with various terms and acronyms - it's easy to get lost. If you're looking for differences between SSL and TLS, it is very likely that you're having the same difficulties many others have as well.
You already know - online security is very important and you need the right tools and certificates to ensure your visitors' data is well encrypted and protected. But which one do you need? Is it SSL? Or TLS? Maybe both, or maybe neither? In order to find the differences between these terms, we decided to get some help from a serious expert.
To get a good insight into web security and the benefits/negatives of SSL vs TLS, we brought in an expert to help us out. It's Žilvinas Radzevičius, who holds a Master's degree in Systems Security and is currently a DevOps Engineer at Oracle Zenedge.
SSL vs TLS - which one is better?
SSL and TLS are not two separate products. It's not like comparing hosting providers, sports teams or chocolate bars. There is no rivalry and no #TeamSSL or #TeamTLS.
This is because SSL was replaced by TLS.
Strictly speaking, the rivalry of SSL vs TLS shouldn’t actually exist. This is because SSL is obsolete, but the term is still widely used. TLS is an industry standard, and currently there is no other protocol that could surpass it.
The SSL (Secure Sockets Layer) protocol was invented by Netscape in 1994 and was an early attempt to encrypt incoming and outgoing data between the website and its visitor. The technologically more advanced TLS was released in 1999; it was based on SSL 3.0 and did the exact same thing as SSL - only better.
However, the same SSL term kept being used for both SSL and TLS. So these days, if you get an SSL for your domain from some company, you're actually getting a TLS - just named differently.
What is an SSL then?
So now that we know the main differences, let's stick to one term - and refer to both TLS and SSL by one universal term, which is SSL.
SSL guarantees security. But how does it do that?
SSL takes a regular HTTP internet site and upgrades it to a more secure HTTPS protocol. This protocol enables encryption of the data sent to and from your website.
Fundamental to website security, HTTPS protocols encrypt all data that is sent from the server to the end user over the internet. If your website doesn't use an HTTPS certificate and a strong cryptographic protocol, the chances are that the information of your clients is being transferred in plain text.
Without HTTPS, there is a possibility that anyone on the public network could be listening in on the sessions through which your server and the user's browser communicate. Needless to say - it's a very big issue that needs to be taken seriously. SSL helps the website with that by encrypting the data.
"I have met various website developers with different mindsets towards website security. Some developers just develop the functionality of the website, such as the look, the functions, and they do not think about the security issues that lurk behind front-end or back-end functions." - Žilvinas Radzevičius
Are SSL and TLS out of date?
SSL certificates are out of date, while TLS ones are not. SSL certificates are obsolete due to the old technology and ciphers used in this protocol. For example, SSL 3.0 was actually prohibited back in June 2015, and previous versions of SSL were stopped even earlier.
Nowadays, if someone talks about SSL, they're most likely thinking about TLS instead. Released in 1999, TLS 1.0 was proposed as an upgrade to SSL 3.0.
"Since 2008, most websites are using TLS 1.2, which is now the latest version of TLS. This particular version added even more robust security features to the protocol. And on March 21st 2018, TLS 1.3 was proposed by IETF. Based on version 1.2, it includes a lot of upgrades on the technology itself and its cipher mechanisms." - Žilvinas Radzevičius
If you are using TLS 1.1, you should be somewhat worried about the security of your HTTPS protocol. Using just the SSL certificate doesn’t mean your website is invulnerable; it just makes the connection secure and encrypted.
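The version history above is visible on the wire: TLS 1.0 identifies itself as version 3.1, the number directly after SSL 3.0. The following Python code is an added example, not part of the original article or the expert's comments; it reads the protocol versions a ClientHello message offers and flags the obsolete ones. The `build_hello` samples are constructed, `example.test` is a placeholder host name, and the function names are our own.

```python
import contextlib
import ssl
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # treated as obsolete in this example

def offered_versions(record: bytes) -> list:
    """Names of the protocol versions a ClientHello record offers."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    versions = [struct.unpack_from(">H", record, 9)[0]]    # legacy_version field
    pos = 43                                               # just past the 32-byte random
    pos += 1 + record[pos]                                 # skip session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]    # skip cipher_suites
    pos += 1 + record[pos]                                 # skip compression_methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")  # 0 if no extensions
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        if ext_type == 43:       # supported_versions replaces legacy_version
            body = record[pos + 5:pos + 4 + ext_len]       # after 1-byte list length
            versions = [v for (v,) in struct.iter_unpack(">H", body)]
        pos += 4 + ext_len
    return [NAMES.get(v, hex(v)) for v in versions]

def obsolete_offers(record: bytes) -> list:
    return [v for v in offered_versions(record) if v in OBSOLETE]

def build_hello(legacy: int, supported=()) -> bytes:
    """Constructed sample: minimal ClientHello, empty session_id, one cipher suite."""
    vers = b"".join(struct.pack(">H", v) for v in supported)
    ext = struct.pack(">HHB", 43, len(vers) + 1, len(vers)) + vers if vers else b""
    body = (struct.pack(">H", legacy) + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def python_client_hello() -> bytes:
    """Real ClientHello from Python's ssl module with a TLS 1.2 floor (offline)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    out = ssl.MemoryBIO()
    conn = ctx.wrap_bio(ssl.MemoryBIO(), out, server_hostname="example.test")
    with contextlib.suppress(ssl.SSLWantReadError):
        conn.do_handshake()      # no server attached, so this stops after the hello
    return out.read()
```

Calling `obsolete_offers(python_client_hello())` shows what a client with a TLS 1.2 minimum actually sends, while `build_hello(0x0300)` stands in for a legacy SSL 3.0 client.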
The two types of SSL keys
In simple terms, as you probably noticed, SSL certificates are keys, locking out all the important information. It's also the same term used for unique cryptographic sequences, which encrypt the website's information. When purchasing the SSL, you'll get access to public and private keys.
Here's what they do.
The public key is a key that's accessible to everyone, via a repository or directory. Comodo Security shows an example of what such a key could look like.
2147 0241 00C9 18GA CA8D RB3D EFD5 VD69 42B1 B420 EA97 FC20 5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F MOFO 362F 911B F01B 2F40 C744 2654 C0DD 2661 D673 CA2B 1984 C266 E2CD CB69 0301 4201
In order to decrypt information secured by a public key, you'll need access to a private key.
It is securely generated by the issuer and has to be kept private, available to as few eyes as possible. With access to a private key, the information sent to the website can be decrypted.
Understandably, a private SSL key is also much more complex than a public one, making most cracking attempts pretty much impossible for many years to come.
As you can see in the picture here, it's a very complex combination of letters, numbers, and symbols. Don't try to memorize that - better keep it where no one can reach it.
Should you have a reason to think the SSL private key has been compromised, there is a thing you can do to ensure full security.
It's called "re-keying", where you issue a new private key and render the previous one useless. When choosing an SSL provider, make sure that re-keying is available as a free-of-charge lifetime service.
There's another thing a good SSL provider can give, and that's a digital certificate.
In short, it's a small data file which binds a key to the details of the organization - and lets every visitor know that your website is properly secured.
"Digital certificates make your key pair trusted for public use. Different companies use different certificate authorities, therefore, you might see padlocks next to the URL of your website, or not. Employing the services of a well-known company may make your SSL certificate appear more trustworthy, but normally it won't make a difference to its cryptographic strength." - Žilvinas Radzevičius
So this is what public and private keys are, and this is what digital certificates do to your website's security and trustworthiness.
So that's about it - these are the main differences between SSL and TLS, and the things which make these certificates work. We hope that after reading this, you'll know the "answer" to the SSL vs TLS question - which simply doesn't have a winner!