Understanding the Difference between SSL and TLS

February 12, 2019 | David Bisson

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that help secure communications over a computer network. There are many similarities between the protocols, so much so that many applications configure their implementation together as "SSL/TLS." But SSL and TLS do differ from one another in some respects.
 

In the early 1990s, researchers at Netscape Communications wanted to develop a protocol for securing communications between client and server applications over an unprotected network. This desire gave birth to the first version of SSL in 1994. As explained by Venafi's knowledge base, SSL authenticates a message by using a short piece of information called a message authentication code (MAC). The MAC thus helps ensure the integrity and authenticity of the message.
 

SSL has gone through two major updates as of this writing. Version 2.0 of the protocol arrived in 1995, whereas SSL 3.0 arrived in 1996. The designers of SSL released the two new versions with backward compatibility to ease the burden of adoption. But this effort, not to mention the overall design of the protocol, has hampered the ability of SSL to provide secrecy, integrity, and authenticity.
 

In 2014, SSL 3.0 suffered a huge blow when the National Institute of Standards and Technology declared in a report (PDF) that the protocol was "not approved for use in the protection of Federal information." The nail in the coffin arrived later that year with the discovery of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. In this attack, an adversary abuses how blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol to decrypt content within an SSL session.
 

 

Today, many consider SSL 3.0 an outdated encryption standard and TLS its successor. An Internet Engineering Task Force (IETF) standards-track protocol first defined in 1999, TLS uses a keyed-hash message authentication code (HMAC), that is, a MAC calculated using a cryptographic hash function and a secret cryptographic key. TLS is also commonly known as "By Program" or "implicit" security, where a program connects insecurely first and then uses special commands to enable encryption. Dr. Erik Kangas explains that this differs from "By Port" or "explicit" security (SSL), an explicit connection to a port that expects a session to start with a security negotiation.
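As an added illustration of the MAC and HMAC described above (example code written for this page, not from the article or from Venafi), the following Python compares a keyed HMAC-SHA256 with a plain, unkeyed hash. The key, the messages and the "receiver" functions are constructed demo values; the point is that only the keyed construction lets the receiver detect a message altered by someone who does not hold the key.

```python
import hashlib
import hmac

# Constructed demo values (not from the article): a shared secret and messages.
DEMO_KEY = b"constructed-shared-secret-for-demo"
GENUINE_MESSAGE = b"transfer 100 to account 42"
ALTERED_MESSAGE = b"transfer 900 to account 42"


def unkeyed_digest(message: bytes) -> bytes:
    """A plain hash: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def compute_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: a MAC built from a hash function and a secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def receiver_accepts_plain_hash(message: bytes, digest: bytes) -> bool:
    """A receiver that only checks an unkeyed hash travelling with the message."""
    return hmac.compare_digest(unkeyed_digest(message), digest)


def demo() -> dict:
    """Compare the two checks when a message is altered in transit."""
    tag = compute_mac(DEMO_KEY, GENUINE_MESSAGE)
    # The altered message travels with a freshly computed plain hash: without a
    # key, the receiver cannot tell it from the genuine one (no authenticity).
    plain_hash_fooled = receiver_accepts_plain_hash(
        ALTERED_MESSAGE, unkeyed_digest(ALTERED_MESSAGE)
    )
    return {
        # The genuine message with its tag verifies.
        "genuine_mac_verifies": verify_mac(DEMO_KEY, GENUINE_MESSAGE, tag),
        # The same tag does not cover an altered message.
        "altered_message_rejected": not verify_mac(DEMO_KEY, ALTERED_MESSAGE, tag),
        # A tag computed under a different key is rejected too.
        "wrong_key_rejected": not verify_mac(b"guessed-key", GENUINE_MESSAGE, tag),
        "plain_hash_fooled": plain_hash_fooled,
        "tag_length_bytes": len(tag),  # SHA-256 output: 32 bytes
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`hmac.compare_digest` is used for every comparison so that verification time does not depend on how many leading bytes of the tag match. In TLS 1.0 through 1.2 the record layer performs this kind of keyed check on each record, using MAC keys derived during the handshake rather than a fixed shared secret as in this demo.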
 

TLS has undergone two revisions, TLS 1.1 (2006) and TLS 1.2 (2008). In 2011, the IETF revised all three versions in RFC 6176 by removing their backward compatibility with SSL 2.0. Some TLS implementations remain backward compatible with SSL 3.0. That's because, while the protocols don't interoperate, the differences separating SSL 3.0 and TLS 1.0 aren't major.
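The closeness of SSL 3.0 and TLS 1.0 is visible in the version numbers they put on the wire: SSL 3.0 is 3.0 (0x0300), TLS 1.0 is 3.1 (0x0301), TLS 1.1 is 3.2 and TLS 1.2 is 3.3. As an added example (not from the article), the following Python builds a minimal ClientHello record, reads the version the client offers, and applies a local policy that refuses SSL 2.0-format hellos, as RFC 6176 requires, and SSL 3.0. The minimum accepted version (TLS 1.2), the constructed ClientHello bytes and the policy function are assumptions for this example, not captured traffic or any vendor's code.

```python
import struct

# Protocol version numbers as they appear on the wire (major, minor).
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

# Assumed local policy for this example: accept TLS 1.2 and later only.
MINIMUM_ACCEPTED_VERSION = 0x0303

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_CLIENT_HELLO = 0x01


def build_client_hello(client_version: int) -> bytes:
    """Constructed minimal ClientHello record for testing; not captured traffic."""
    body = struct.pack("!H", client_version)
    body += bytes(32)                              # client random (zeros here)
    body += b"\x00"                                # session_id length = 0
    body += struct.pack("!H", 2) + b"\x00\x2f"     # one cipher suite (AES-128-CBC-SHA)
    body += b"\x01\x00"                            # compression methods: null only
    handshake = bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version: clients commonly put 0x0301 here regardless of the
    # highest version they support; the real offer is client_version inside.
    record_version = 0x0301
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack("!H", record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record: bytes) -> dict:
    """Extract the versions from a ClientHello and apply the policy above."""
    if not record:
        raise ValueError("empty record")
    if record[0] & 0x80:
        # SSL 2.0-style hello: a 2-byte length with the high bit set instead of
        # a TLS record header. RFC 6176 forbids negotiating SSL 2.0, so reject.
        return {"format": "sslv2", "record_version": None, "client_version": None,
                "client_version_name": "SSL 2.0-format hello", "accepted": False}
    if len(record) < 11:
        raise ValueError("record too short for a ClientHello")
    if record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record: type 0x{record[0]:02x}")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    if len(record) - 5 < record_len:
        raise ValueError("truncated record")
    if record[5] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello: handshake type 0x{record[5]:02x}")
    client_version = struct.unpack("!H", record[9:11])[0]
    # Caveat: TLS 1.3 clients also put 0x0303 here and advertise 1.3 in a
    # supported_versions extension, which this minimal parser does not read.
    return {
        "format": "tls",
        "record_version": record_version,
        "client_version": client_version,
        "client_version_name": VERSION_NAMES.get(
            client_version, f"unknown 0x{client_version:04x}"),
        "accepted": client_version >= MINIMUM_ACCEPTED_VERSION,
    }


if __name__ == "__main__":
    for version in (0x0300, 0x0301, 0x0303):
        print(parse_client_hello(build_client_hello(version)))
```

Note that the parser reads two version fields: the record-layer version, which clients typically leave at 0x0301, and the client_version inside the handshake, which is the one a server's minimum-version policy should be judged against. In production this decision belongs to the TLS library's configured minimum version, not to hand-written parsing; the example exists to show where the numbers live.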
 

TLS and SSL both help to encrypt data that's exchanged over the web. As such, organizations can purchase certificates for servers that support the protocols. They must then make sure they secure these certificates and don't allow them to expire.
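As an added example (not from the article or from Venafi's products), the following Python shows the two practical consequences of the paragraph above: a client-side `SSLContext` that verifies server certificates and refuses the legacy versions, and a small check that flags certificates approaching their `notAfter` date. The 30-day warning threshold and the date strings are constructed assumptions.

```python
import ssl
import time
from typing import Optional


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname and
    refuses SSL 3.0, TLS 1.0 and TLS 1.1 (the policy chosen for this example)."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings an auditor would want to confirm."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def parse_not_after(not_after: str) -> int:
    """Convert the 'notAfter' string the ssl module reports, e.g.
    'Mar  1 00:00:00 2030 GMT', to seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days remaining before the certificate expires (negative once expired)."""
    now = time.time() if now is None else now
    return (parse_not_after(not_after) - now) / 86400


def expiry_status(not_after: str, now: Optional[float] = None, warn_days: int = 30) -> str:
    """Classify a certificate for a renewal report; warn_days is an assumed threshold."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "renew soon"
    return "ok"


if __name__ == "__main__":
    print(context_policy(hardened_client_context()))
    # Constructed sample value; in practice take it from sock.getpeercert()["notAfter"].
    print(expiry_status("Mar  1 00:00:00 2030 GMT"))
```

After a handshake made with the hardened context, `sock.getpeercert()["notAfter"]` yields the string that `expiry_status` expects, so the same helper can run against every certificate an organisation operates and feed a renewal report well before the date passes.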
 

About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence. David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.