What’s the difference between TLS and SSL certificates?

A point of confusion for many people is the difference between TLS and SSL certificates. It’s an understandable confusion, especially when you consider the fact that in 2020, SSL certificates actually work by using the TLS protocol. What exactly does all that mean?

Read on and you’ll find out. In this article we’ll explain what SSL and TLS are, the differences between the two, and how these days, “SSL certificate” really means “TLS certificate”.

What is SSL?

SSL (secure sockets layer) is a cryptographic protocol that facilitates secure, encrypted connections on the Internet. The most well-known use of SSL is web browsers connecting to websites, where SSL is used on top of HTTP to create an HTTPS connection.

SSL was first created in the mid-90s, when the need for better security across the web became apparent. As more and more of the general population began using the World Wide Web, so too did businesses and financial institutions. As a result, there was a growing need for encrypted connections to safeguard sensitive data like credit card information from being intercepted by malicious third parties.

So far, you’re probably thinking that this sounds a lot like the SSL certificates we’ve all come to know and love. Where does TLS come into all this? Well, contrary to what the name of these digital certificates we use today would have you believe, the SSL protocol actually began being phased out back in 1999. It was replaced by a newer, more secure protocol — the TLS protocol.

Why TLS?

Although SSL was a game changer in terms of online encryption, it wasn’t perfect. The first version, SSL 1.0, was so riddled with security flaws that it was never released to the public. The following versions, SSL 2.0 and 3.0, released in 1995 and 1996 respectively, improved upon these flaws, but still weren’t perfect. So, in 1999, the TLS protocol was born, eventually replacing the use of the SSL protocol almost entirely.

Short for Transport Layer Security, TLS is basically an upgraded version of SSL. Several more versions have been released in the years since TLS 1.0. The latest version of TLS, 1.3, was released in 2018. Each successive version has brought significant security upgrades, and is a far cry from the first version of SSL released way back in 1995.

SSL vs TLS

Without getting too technical, the main difference between SSL and TLS is how they establish secure connections. Both do it through a process known as “the handshake”, which is how the server and the client authenticate each other before finally creating an encrypted connection. The SSL handshake is quite different to the TLS handshake. 

The SSL version involves using a port to make what is known as an explicit connection. TLS, on the other hand, connects via a protocol, which is known as an implicit connection. The process of both SSL and TLS handshakes is dictated by something known as cipher suites, algorithms that outline the sequence of steps that must be performed in order to execute a cryptographic function. (You can read more about cipher suites here.) The cipher suites used by SSL and TLS are very different, with TLS-supported cipher suites being faster and more secure than those supported by SSL.

So, why do we even call them SSL certificates?

The term “SSL certificate” basically became an industry-wide brand name that stuck. Although SSL has basically become obsolete, the name is synonymous with Internet security and encryption, even among less tech-savvy individuals.

The argument about whether to call them SSL or TLS certificates, however, misses a crucial point: the cryptographic protocol used to connect a website and browser is actually configured in the server and client settings, and is not dictated by the certificate itself. Installing an SSL certificate on your site facilitates authentication and validation, but it does not determine how a server and client go about doing it.

To ensure your server settings are configured to use the latest version of TLS, you can check by using this website. Alternatively, contact your web hosting provider or hire a systems administrator to do it for you.
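If you would rather check this yourself, the following Python sketch is an added example (not from the original article or any tool it links to). It offers a server one TLS version at a time and records the fingerprint of the certificate it gets back, which shows that the same certificate is served whatever protocol version the server settings allow. The helper names, the `SAMPLE` data and the `your-host.example` placeholder are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

VERSIONS = {  # oldest first; current OpenSSL builds can no longer offer SSL 2.0/3.0
    "TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLS 1.0", "TLS 1.1"}  # formally deprecated by RFC 8996

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol is probed here,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate validation is switched off
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port=443, timeout=5.0):
    """Map each version label to (accepted, SHA-256 of the served certificate)."""
    results = {}
    for label, version in VERSIONS.items():
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True)
                    fp = hashlib.sha256(der).hexdigest() if der else None
                    results[label] = (True, fp)
        except (OSError, ValueError):  # unreachable, handshake refused, or
            results[label] = (False, None)  # version unsupported by local OpenSSL
    return results

def summarize(results):
    """Reduce probe results to the findings worth acting on."""
    accepted = [label for label, (ok, _) in results.items() if ok]
    fingerprints = {fp for ok, fp in results.values() if ok}
    return {
        "accepted": accepted,
        "deprecated_enabled": [v for v in accepted if v in DEPRECATED],
        "latest_enabled": "TLS 1.3" in accepted,
        "same_certificate": len(fingerprints) <= 1,
    }

# Constructed sample (not a real scan): one certificate served over two versions.
SAMPLE = {"TLS 1.0": (True, "ab" * 32), "TLS 1.1": (False, None),
          "TLS 1.2": (True, "ab" * 32), "TLS 1.3": (False, None)}

if __name__ == "__main__":
    print(summarize(SAMPLE))  # live check: summarize(probe("your-host.example"))
```

A rejected TLS 1.0 or 1.1 result can also mean that your own OpenSSL build or security level refuses to offer those versions, so treat a rejection as inconclusive unless the same client is known to be able to negotiate them.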

Wrap up

While the SSL protocol and the TLS protocol are not the same thing, SSL certificates and TLS certificates do refer to the same thing: a digital certificate you install on your server so that web browsers can connect with your site via HTTPS. All modern SSL certificates should do this via the TLS protocol. To ensure that your website is configured to use the latest version of TLS, check your server settings.
