Transport Layer Security (TLS) is the latest version of the Secure Socket Layer (SSL) protocol. Both protocols ensure the confidentiality and authenticity of Internet data. They provide end-to-end security by applying encryption to communication via the web. However, despite their similarities, the two TLS and SSL protocols also have significant differences.
Below we will see how the two encryption protocols TLS and SSL work, their importance, how they differ and why it is the right time to switch to the TLS protocol.
The historical background of TLS and SSL
The Internet Engineering Task Force (IETF), an organization responsible for developing Internet standards, published in 1984 a request (RFC-1984) for discussion, recognizing the importance of protecting personal data in the evolving Internet, Netscape Communication Corporation has for the first time developed SSL for secure Internet communication, which has undergone numerous upgrades.
SSL 1.0 was never released due to security issues, and SSL 2.0 was the first public release by Netscape in 1995. However, due to vulnerabilities, it was replaced "quickly" by SSL 3.0 in November 1996.
The latest version of SSL is no longer in use since October 2014, due to its inability to attack POODLE and was officially abolished in June 2015.
TLS was released in 1999 as an independent protocol, with a upgrade in the SSL 3.0 version made by the IETF. The idea was to implement TLS over TCP to encrypt applications using FTP, IMAP, SMTP, and HTTP protocols. For example, HTTPS is a secure version of HTTP as it implements the TLS protocol for secure data delivery avoiding content changes and eavesdropping.
Basic operation of TLS and SSL protocols
Communication between two or more parties (e.g. your computer browser and a website or client-server) begins by determining whether one of the TLS / SSL protocols is used or not, so that both parties can determine the use of encryption with:
- Defining the port that supports SSL communication encryption
- or how to create a connection through the TLS protocol
However, websites require a TLS / SSL certificate installed on their hosting server to be able to use the protocol. A trusted third party issues a certificate and has a public key in the domain that has the corresponding private key that allows it to encrypt and decrypt any communication.
After the two parties (client-server) agree to use TLS or SSL for their communication, they proceed to a "handshake" or "handshake". The handshake determines the specifications required for messaging. Let's briefly look at the sequence of information exchanges to enable a TLS / SSL connection:
- The two parties agree on the version of the protocol they will use
- Next, decide on the cryptographic algorithms or encryption suite
- Post controln the identity of the communicating parties with their public key and the digital signatures of the certificate issuing authority
- They exchange session keys to use in future communication. Both TLS and SSL use asymmetric cryptography to generate public and private keys.
If the browser cannot validate the TLS / SSL certificate, it returns the "Connection is not private" error.
Thus the protocols achieve three fundamental security goals:
Confidentiality: They encrypt data to hide it from third parties. This way only an expected recipient can see the content.
Integrity: They use the authentication code to verify the encrypted message content.
Authentication: They authenticate the client-server with the help of a certificate to ensure that the two parties exchanging information they really are what they claim to be.
What is the difference between TLS and SSL?
As mentioned before, the main difference between the two protocols is the way they make connections. The TLS handshake uses a silent way to establish a protocol connection, while the SSL handshake makes explicit connections to a port.
Regardless of all the differences, the key feature that differentiates both TLS / SSL connections is the use of an encryption suite that decides the overall security of the connection.
A TLS / SSL connection must agree to use an encryption suite that defines a set of algorithms for key exchange, authentication, bulk encryption, and an authentication code that uses HMAC (hash-based message authentication code) or algorithms message authentication codes etc. for a specific session.
Each TLS / SSL version supports different encryption sequences for a communication session. So each encryption suite supports its own algorithms that improve the security and overall performance of a connection.
| SSL | TLS |
|---|---|
| SSL is a complex protocol | TLS is simpler |
| SSL has three versions, of which SSL 3.0 i is the last | TLS has four versions, of which TLS version 1.3 is the latest |
| SSL All versions are vulnerable to attacks | TLS offers higher security |
| SSL uses a message authentication code (MAC) after encrypting a message for data integrity | TLS uses a hash-based authentication code |
| SSL uses message summaries to create a master secret. | TLS uses a pseudo-random function to create a master secret. |
Why did TLS replace SSL?
TLS encryption is now a standard practice for protecting web applications or data. We can not say that TLS is a completely secure protocol, as there have been attacks like heartbleed in 2012 and 2014, but has many improvements in performance and safety.
TLS has replaced SSL since almost all versions of SSL have been removed due to known vulnerabilities. Google Chrome is one such example that stopped using SSL 3.0 in 2014. Today, most modern browsers do not support SSL at all.
Use TLS for encrypted communication
TLS helps secure the transfer of sensitive information such as credit card information, email, voice over IP (VOIP), file transfer, and passwords. Although both certificates encrypt data in transit, they differ in functionality.
It is important to note that TLS is still referred to as SSL only because SSL is the most commonly used terminology. Additionally, you do not need to worry about using SSL or TLS certificates, as all you need to do is install a certificate on your server. It supports both protocols and decides which one to use.
