SSL & TLS – what’s the difference?

Here at Trustico, we are often asked by our customers if we offer TLS certificates, as our website only advertises ‘SSL certificates’.

This is a completely reasonable question for those not well-versed in cryptographic protocols.

After all, if your web host asks you for a TLS certificate and you see search results mostly for SSL certificates, you might get confused.

However, such digital certificates are, strictly speaking, neither ‘SSL certificates’ nor ‘TLS certificates’.

So what are they then?

Well, let’s break down what the differences are between the two, and their relation to digital certificates, to get our answer.


Secure Sockets Layer (SSL) is a cryptographic protocol developed by Netscape in 1993 to provide security for communications over computer networks.

For example, it secures the information exchanged between a server and a Web browser.

However, the first version was never publicly released due to serious security flaws.

Thus, in 1995, Netscape released their new and improved version 2.0 — which was swiftly replaced by version 3.0 a year later due to the discovery of a number of vulnerabilities.

Most importantly, though, SSL is the now-deprecated predecessor of TLS.

TLS supports stronger, more secure cipher suites and algorithms, and has seen multiple updates too.

The latest version is 1.3, released in August 2018.

Most modern servers have TLS enabled by default, though they may not be using the most up-to-date version.

Which protocol should you use?

You should disable all SSL versions on your server, leaving only TLS protocols enabled.

This is because, as previously mentioned, SSL has many easily exploited vulnerabilities which will leave your server extremely insecure.

Certificates and protocols

Although your server will be configured with SSL/TLS, to activate the protocol on your websites, you require a digital certificate.

Digital certificates aren’t formatted in any one protocol — they simply conform to your server’s protocols.

For example, if your server is running TLS 1.3 (and has only TLS enabled), your digital certificate will use that protocol for encryption on your website(s).

Conversely, installing the same certificate on a server with only SSL protocols enabled will mean the certificate uses that protocol for encryption.
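
The two points above (disable every SSL version, and the certificate follows whatever protocols the server enables) can be checked directly in a server's configuration. The following is an added example, not Trustico's code: it assumes an nginx server, whose `ssl_protocols` and `ssl_certificate` directives are real, while the host names, file paths and the sample config are constructed for illustration.

```python
import re

SSL_VERSIONS = {"SSLv2", "SSLv3"}  # the SSL protocol versions the article says to disable

# Constructed sample config (hypothetical hosts and paths): one certificate, two server blocks.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_certificate     /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;
    ssl_protocols SSLv3 TLSv1.2;   # SSL still enabled here
    location / { return 200; }
}
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def server_blocks(text):
    """Yield the body of each `server { ... }` block, honouring nested braces."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def directive(body, name):
    """Return the arguments of the first `name ...;` directive, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;]+);", body, re.M)
    return m.group(1).split() if m else None

def audit_nginx(conf):
    """Report, per server block, the certificate and any SSL versions still enabled."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments before parsing
    findings = []
    for body in server_blocks(text):
        protocols = directive(body, "ssl_protocols")  # None: not set in this block
        findings.append({
            "server_name": directive(body, "server_name"),
            "certificate": directive(body, "ssl_certificate"),
            "protocols": protocols,
            "ssl_enabled": sorted(SSL_VERSIONS & set(protocols or [])),
        })
    return findings

if __name__ == "__main__":
    for f in audit_nginx(SAMPLE_CONF):
        print(f)
```

Both blocks report the same certificate file; only the first has a non-empty `ssl_enabled` list, which is the setting to remove.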

It would stand to reason then that ‘TLS certificate’ should be the most commonly seen terminology, due to the SSL protocol’s deprecation.

However, ‘SSL certificate’ remains more widely used by vendors because it is the most recognizable name.

Increasingly, though, ‘SSL/TLS certificate’ is a commonly seen compromise.

Hopefully, with enough time, TLS certificate will become the normal terminology industry-wide to alleviate confusion.

But, in the meantime, all that is important is that users know that their certificate is bound to neither protocol, and is beholden only to their server’s configuration.

