SSL and TLS: What Is the Difference?

September 18, 2020 | David Bisson

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that secure communications over a computer network. The two protocols are so closely related that many applications and libraries label their implementation simply "SSL/TLS."

The certificates used with either protocol are the same X.509 certificates; people still say "SSL certificate" out of habit even though the connection it protects is almost always TLS today. These certificates are machine identities used for authentication and verification and for establishing encryption. The SSL and TLS protocols themselves, however, do differ from one another in some respects.

Machine identities have two specific functions:

  1. Authentication and Verification: a TLS/SSL certificate binds a public key to the identity of a host or site and carries the signature of its issuer. When you click on the padlock in the browser, the certificate chain details show which Certificate Authority issued the certificate and let the browser verify that chain up to a root it trusts.
     
  2. Data Encryption: a TLS/SSL certificate enables encryption. The private key that matches it authenticates the handshake in which client and server agree on session keys, so the sensitive information exchanged with the web site cannot be intercepted and read by anyone other than the intended recipient.

A TLS/SSL certificate is most reliable when issued by a trusted Certificate Authority (CA). A publicly trusted CA has to follow strict rules and policies about who may or may not receive a certificate, including validating that the requester controls the domain named in it. So, when you have a valid certificate from a trusted CA, there is a higher degree of trust.

The origins of SSL protocols

In the early 1990s, engineers at Netscape Communications wanted a protocol for securing communications between clients and server applications over an unprotected network. The result was SSL 1.0 in 1994, a version that was never publicly released because of serious flaws. As explained in Venafi's knowledge base, SSL attaches a short piece of information called a message authentication code (MAC) to each record; the receiver recomputes the MAC to check the integrity and authenticity of the message.

SSL went through two further versions: 2.0 arrived in 1995 and 3.0 in 1996. The designers released both with backward compatibility to ease the burden of adoption. But that compatibility, together with weaknesses in the protocol's own design, has undermined SSL's ability to provide secrecy, integrity, and authenticity.

In 2014, SSL 3.0 suffered a huge blow when the National Institute of Standards and Technology (NIST) declared in a report (PDF) that the protocol was "not approved for use in the protection of Federal information." The nail in the coffin arrived later that year with the discovery of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. POODLE exploits the CBC (cipher block chaining) padding in SSL 3.0: the padding bytes are not covered by the MAC and only the final length byte is checked, so a man-in-the-middle who first forces a client down to SSL 3.0 can use the server's accept-or-reject behaviour as an oracle and decrypt a session's plaintext, such as a cookie, one byte at a time.
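The padding flaw described above, as an added example that is not part of the original article: a simulation of the POODLE byte-recovery loop against SSL 3.0-style CBC padding. The block cipher is a toy Feistel network on SHA-256 (an assumed stand-in so the script runs with the standard library only, not a real cipher), the MAC is a toy 16-byte hash, and `SECRET` is a constructed sample value; the padding rule itself is modelled as SSL 3.0 specified it.

```python
"""Simulated POODLE attack on SSL 3.0-style CBC padding (added example, not
code from the original article).

The block cipher is a toy 4-round Feistel network built on SHA-256 so the
script runs with the standard library only; it is a stand-in permutation,
not a real cipher. The SSL 3.0 padding rule it exploits is modelled as
specified: only the final byte (the padding length) is checked, the padding
bytes themselves are never inspected, and they are not covered by the MAC.
"""
import hashlib
import os

BLOCK = 16
SECRET = b"cookie=deadbeef"  # constructed sample: the value the attacker is after


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def mac(key: bytes, payload: bytes) -> bytes:
    # Toy 16-byte MAC (real SSL 3.0 used a 16- or 20-byte hash-based MAC).
    return hashlib.sha256(b"mac" + key + payload).digest()[:BLOCK]


def ssl3_encrypt_record(key: bytes, payload: bytes) -> bytes:
    """Sender: payload || MAC || padding, CBC-encrypted under a fresh random IV."""
    data = payload + mac(key, payload)
    pad_len = BLOCK - len(data) % BLOCK            # 1..16; a full block when aligned
    data += os.urandom(pad_len - 1) + bytes([pad_len - 1])
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ssl3_record_accepted(key: bytes, blob: bytes) -> bool:
    """Receiver, which is the attacker's oracle: True if padding and MAC pass."""
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, blocks[i]), blocks[i - 1])
                     for i in range(1, len(blocks)))
    pad_len = plain[-1] + 1
    if pad_len > BLOCK:
        return False                               # length byte out of range
    data = plain[:-pad_len]                        # padding bytes are not checked
    return data[-BLOCK:] == mac(key, data[:-BLOCK])


def poodle_recover(key: bytes, secret: bytes) -> bytes:
    """Attacker: recover `secret` one byte per ~256 re-sent, tampered records.

    Real POODLE used injected JavaScript to make the browser re-send requests
    with attacker-chosen prefix and suffix lengths around the cookie, plus a
    man-in-the-middle position to alter the ciphertext. Here the attacker is
    simply allowed to choose those lengths and call the oracle directly.
    """
    recovered = bytearray()
    for i in range(len(secret)):
        prefix_len = (BLOCK - 1 - i) % BLOCK                # secret[i] lands at a block end
        suffix_len = -(prefix_len + len(secret)) % BLOCK   # aligned payload: full padding block
        target = (prefix_len + i) // BLOCK                  # plaintext block holding secret[i]
        while True:
            payload = b"A" * prefix_len + secret + b"B" * suffix_len
            blob = ssl3_encrypt_record(key, payload)
            blocks = [blob[j:j + BLOCK] for j in range(0, len(blob), BLOCK)]  # blocks[0] is the IV
            blocks[-1] = blocks[target + 1]                 # target ciphertext block into the padding slot
            if ssl3_record_accepted(key, b"".join(blocks)):
                # Accepted only if D(C_target)[15] ^ C_beforelast[15] == 15, hence
                # P_target[15] = 15 ^ C_beforelast[15] ^ C_beforetarget[15].
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target][-1])
                break
    return bytes(recovered)


if __name__ == "__main__":
    print(poodle_recover(os.urandom(16), SECRET))
```

The oracle accepts a tampered record about once in 256 attempts, and every acceptance leaks one plaintext byte with certainty, which is why the real attack needed only a few hundred replayed requests per cookie byte. TLS 1.0 and later reject records whose padding bytes do not all equal the length byte, which is what closes this particular oracle.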

Today, SSL 3.0 is considered obsolete and TLS is its successor. TLS is an Internet Engineering Task Force (IETF) standards track protocol first defined in 1999 (TLS 1.0, RFC 2246). For message authentication it uses a keyed-hash message authentication code (HMAC), a MAC calculated using a cryptographic hash function and a secret key. A common source of confusion, which Dr. Erik Kangas has written about, is the "explicit" versus "implicit" labelling seen in mail and FTP client settings. That distinction describes how a connection is set up ("by program" versus "by port"), not which protocol version is used: with explicit (STARTTLS-style) security the program connects over the standard plaintext port and then issues a command to upgrade the connection, whereas with implicit security the client connects to a dedicated port that expects the TLS handshake from the first byte. Clients often label one option "SSL" and the other "TLS", but both modes run the same TLS protocol.

TLS has undergone three revisions: TLS 1.1 (2006), TLS 1.2 (2008), and TLS 1.3 (2018). In 2011, the IETF prohibited support for SSL 2.0 (RFC 6176), and in 2015 it deprecated SSL 3.0 (RFC 7568). Some TLS implementations still carry SSL 3.0 code, because the differences between SSL 3.0 and TLS 1.0 are not major even though the two do not interoperate. TLS 1.3, however, was not built as a small evolution of TLS 1.2; it was redesigned to remove legacy features (static RSA key exchange, CBC cipher suites, compression and renegotiation among them) and to make secure connections faster. Rather than negotiating a key exchange over two round trips, a TLS 1.3 client sends its ephemeral key share in its first message, the server replies with its own, and the handshake completes in a single round trip. TLS 1.3 also defends against downgrade attacks, which trick the two ends into using an older, weaker protocol version: a server that supports 1.3 but ends up negotiating 1.2 or lower writes a fixed marker into the last eight bytes of its ServerHello random, and a 1.3 client that sees that marker aborts the handshake.
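The TLS 1.3 downgrade check, as an added example that is not code from the original article: a TLS 1.3-capable server that negotiates TLS 1.2 or below writes the sentinel "DOWNGRD\x01" (for 1.2) or "DOWNGRD\x00" (for 1.1 and below) into the last eight bytes of ServerHello.random (RFC 8446, section 4.1.3), and a client that supports 1.3 must abort when it sees it. The ServerHello here is built by hand with constructed sample bytes and only the fields the check needs; cipher suite values and the fixed random are illustrative assumptions.

```python
"""TLS 1.3 downgrade protection via the ServerHello.random sentinel
(RFC 8446, section 4.1.3). Added example, not code from the original
article: it builds a minimal ServerHello by hand (constructed sample bytes,
only the fields the check needs), parses it, and applies the client check.
"""
import struct

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B
# Values a TLS 1.3-capable server writes into the last 8 bytes of its random
# when it negotiates TLS 1.2 ("DOWNGRD\x01") or TLS 1.1 and below ("DOWNGRD\x00").
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")


def build_server_hello(negotiated: int, server_supports_tls13: bool, rand: bytes) -> bytes:
    """Server side: ServerHello inside a handshake record (cipher suites illustrative)."""
    rand = bytearray(rand)
    if server_supports_tls13 and negotiated < TLS13:
        rand[-8:] = DOWNGRADE_TLS12 if negotiated == TLS12 else DOWNGRADE_TLS11
    legacy_version = min(negotiated, TLS12)              # TLS 1.3 still writes 0x0303 here
    body = struct.pack("!H", legacy_version) + bytes(rand)
    body += b"\x00"                                      # empty legacy_session_id_echo
    body += b"\x13\x01" if negotiated == TLS13 else b"\xC0\x2F"  # cipher suite
    body += b"\x00"                                      # legacy_compression_method
    extensions = b""
    if negotiated == TLS13:
        # In TLS 1.3 the real version lives in supported_versions, not legacy_version.
        extensions = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13)
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", legacy_version, len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Pull version, random and cipher suite out of a ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    rand = body[2:34]
    pos = 35 + body[34]                                  # skip legacy_session_id_echo
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                             # cipher suite + compression
    ext = body[pos + 2:pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]]
    while len(ext) >= 4:
        etype, elen = struct.unpack("!HH", ext[:4])
        if etype == EXT_SUPPORTED_VERSIONS:
            version = struct.unpack("!H", ext[4:6])[0]
        ext = ext[4 + elen:]
    return {"version": version, "random": rand, "cipher": cipher}


def client_accepts(client_max: int, hello: dict) -> bool:
    """Client side: return False (abort with illegal_parameter) on a downgrade marker."""
    v, tail = hello["version"], hello["random"][-8:]
    if client_max >= TLS13 and v <= TLS12 and tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        return False
    if client_max == TLS12 and v <= TLS11 and tail == DOWNGRADE_TLS11:
        return False
    return True


if __name__ == "__main__":
    rnd = bytes(range(32))                               # constructed, not a real random
    for negotiated, server13 in ((TLS13, True), (TLS12, True), (TLS12, False)):
        hello = parse_server_hello(build_server_hello(negotiated, server13, rnd))
        print(hex(negotiated), server13, client_accepts(TLS13, hello))
```

The third scenario shows the limit of the mechanism: a server that has never supported TLS 1.3 writes an ordinary random, so the client has nothing to compare against and cannot tell a genuine 1.2 server from an attacker who stripped the 1.3 offer. Downgrade protection only works once both ends support 1.3, which is one more reason to retire the older versions rather than merely prefer the newer one.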

TLS and SSL both help to encrypt data that's exchanged over the web. Organizations obtain certificates for servers that support the protocols, and must then keep the matching private keys secure, track where each certificate is deployed, and renew certificates before they expire.
 


NOTE: This blog was originally posted on February 12, 2019, by David Bisson.
 

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
