TLS and SSL: what's the difference and how do they work?

Transport Layer Security (TLS) is the latest version of the Secure Sockets Layer (SSL) protocol. Both protocols ensure the confidentiality and the authenticity of Internet data: they provide end-to-end security by encrypting communication over the web. However, despite their similarities, TLS and SSL have significant differences.

Below we look at how the two encryption protocols, TLS and SSL, work, why they matter, how they differ and why now is the right time to switch to TLS.

The historical background of TLS and SSL

The Internet Engineering Task Force (IETF), the organization responsible for developing Internet standards, published in 1984 a request for comments (RFC 1984) recognizing the importance of protecting personal data on the evolving Internet. Netscape Communications Corporation then developed SSL, the first protocol for secure Internet communication, which has since undergone numerous upgrades.

SSL 1.0 was never released because of security issues; SSL 2.0 was the first public release, by Netscape in 1995. However, because of its vulnerabilities it was "quickly" replaced by SSL 3.0 in November 1996.

SSL 3.0, the last version of SSL, has been out of use since October 2014 because of its weakness to the POODLE attack, and it was officially deprecated in June 2015.

TLS was released in 1999 as a standalone protocol, an upgrade of SSL 3.0 by the IETF. The idea was to run TLS on top of TCP to encrypt application protocols such as FTP, IMAP, SMTP and HTTP. For example, HTTPS is the secure version of HTTP: it uses TLS so that data is delivered without being modified or eavesdropped on.

Basics of the TLS and SSL protocols

Communication between two or more parties (e.g. your computer's browser and a website, or a client and a server) begins by determining whether one of the TLS/SSL protocols is used, so that the two parties can agree on encryption by:

  • defining a port on which SSL-encrypted communication takes place, or
  • negotiating the connection through the TLS protocol itself.

Websites, however, need a TLS/SSL certificate installed on their hosting server in order to use the protocol. A trusted third party (the certificate authority) issues the certificate, which contains the public key for the domain; the server holds the corresponding private key, and this key pair is what allows it to encrypt and decrypt the communication.

After the two parties (client and server) agree to use TLS or SSL for their communication, they proceed to a "handshake". The handshake determines the parameters required for exchanging messages. Briefly, the sequence of exchanges that sets up a TLS/SSL connection is:

  • The two parties agree on the version of the protocol they will use.
  • Next, they decide on the cryptographic algorithms, i.e. the cipher suite.
  • They then verify the identity of the communicating parties using their public keys and the digital signatures of the issuing authority.
  • They exchange the session keys they will use for the rest of the communication. Both TLS and SSL use asymmetric cryptography, with public and private key pairs, for this step.

If the browser cannot validate the TLS / SSL certificate, it returns the "Connection is not private" error.

Thus the protocols achieve three fundamental security goals:

Confidentiality: they encrypt data to hide it from third parties, so only the intended recipient can read it.
Integrity: they use a message authentication code to verify that the encrypted message content has not been altered.
Authentication: they verify the identity of the client and server with the help of a certificate, to ensure that the two parties exchanging information really are who they claim to be.

What is the difference between TLS and SSL?

As mentioned before, the main difference between the two protocols is the way they make connections. The TLS handshake establishes the secure connection implicitly, within the protocol itself, while the SSL handshake makes an explicit connection to a dedicated port.

Beyond these differences, the key feature of any TLS/SSL connection is the cipher suite, which determines the overall security of the connection.

A TLS/SSL connection must agree on a cipher suite, which defines, for a specific session, the set of algorithms for key exchange, authentication, bulk encryption and the message authentication code (for example HMAC, a hash-based message authentication code).

Each TLS/SSL version supports different cipher suites for a communication session, and each cipher suite brings its own algorithms, which determine the security and overall performance of the connection.
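The handshake steps and the cipher-suite components described above can be seen directly from a client's TLS policy. The following is an added example written for this article, not code from the original post or from any project it mentions: it uses Python's standard ssl module to build the kind of client policy a modern browser applies (certificate and hostname verification on, SSL 3.0 and TLS 1.0/1.1 never offered) and splits every cipher suite the client would propose into the four parts the handshake negotiates: key exchange, authentication, bulk encryption and MAC. The cipher string passed to describe_suites is an arbitrary choice for demonstration.

```python
import ssl

# Added example (not part of the article): inspect a hardened client policy
# and decompose the cipher suites it offers into the algorithms each one names.


def hardened_client_context():
    """Client context that verifies the server certificate and hostname and
    only offers TLS 1.2 and TLS 1.3 (SSLv2, SSLv3, TLS 1.0 and 1.1 are refused)."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # anything older is never negotiated
    return ctx


def policy_summary(ctx):
    """The three settings that decide whether a client can detect a bad certificate."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def suite_components(ctx):
    """Map each cipher suite the context offers to the algorithms it is made of."""
    components = {}
    for c in ctx.get_ciphers():
        components[c["name"]] = {
            "protocol": c["protocol"],           # protocol version the suite was defined for
            "key_exchange": c["kea"],            # e.g. "kx-ecdhe"; "kx-any" for TLS 1.3 suites
            "authentication": c["auth"],         # e.g. "auth-rsa"; "auth-any" for TLS 1.3 suites
            "bulk_encryption": c["symmetric"],   # e.g. "aes-128-gcm"
            "mac": c["digest"],                  # HMAC hash for CBC suites; typically None when AEAD covers integrity
            "aead": bool(c["aead"]),
        }
    return components


def describe_suites(cipher_string):
    """Components of the suites selected by an OpenSSL cipher string."""
    ctx = hardened_client_context()
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return suite_components(ctx)


def has_forward_secrecy(suite):
    """Ephemeral (EC)DH key exchange means a later compromise of the server's private
    key does not expose recorded sessions; static RSA key exchange ("kx-rsa") does."""
    return suite["key_exchange"] in ("kx-ecdhe", "kx-dhe", "kx-any")


if __name__ == "__main__":
    ctx = hardened_client_context()
    print(policy_summary(ctx))
    for name, s in suite_components(ctx).items():
        tag = "PFS" if has_forward_secrecy(s) else "no-PFS"
        print(f"{name:40} {s['key_exchange']:10} {s['authentication']:10} "
              f"{s['bulk_encryption']:20} mac={s['mac']} {tag}")
```

Running it prints one line per offered suite; the suites that report an AEAD bulk cipher carry no separate MAC algorithm because integrity is built into the cipher, which is the modern replacement for the MAC-then-encrypt construction the article compares between SSL and TLS.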

| SSL | TLS |
|---|---|
| SSL is a complex protocol | TLS is simpler |
| SSL has three versions, of which SSL 3.0 is the last | TLS has four versions, of which TLS 1.3 is the latest |
| All SSL versions are vulnerable to known attacks | TLS offers higher security |
| SSL uses a message authentication code (MAC) after encrypting a message for data integrity | TLS uses a hash-based message authentication code (HMAC) |
| SSL uses message digests to create the master secret | TLS uses a pseudo-random function (PRF) to create the master secret |
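The last two rows of the table can be made concrete. The following is an added example written for this article, not code from the original post: it implements the TLS 1.2 pseudo-random function from RFC 5246 (section 5), derives the master secret and the session keys with it, and then applies the HMAC-based record integrity check of the TLS 1.2 record layer (RFC 5246, section 6.2.3.1) to show that a modified or replayed record fails verification. The pre-master secret, the client and server randoms and the HTTP fragment are constructed locally for the demonstration; nothing touches the network.

```python
import hmac
import struct

# Added example (not part of the article): TLS 1.2 PRF, key derivation and
# HMAC record integrity check, with constructed inputs instead of a real handshake.


def p_hash(secret, seed, length, hash_name="sha256"):
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random),
    split into client/server MAC keys, encryption keys and IVs, in that order."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def record_mac(mac_key, seq_num, content_type, version, fragment, hash_name="sha256"):
    """MAC over seq_num || type || version || length || fragment, as the TLS 1.2
    record layer computes it for non-AEAD suites (e.g. AES-CBC with HMAC-SHA256)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hash_name).digest()


def verify_record(mac_key, seq_num, content_type, version, fragment, tag):
    """Constant-time check; any change to the fragment, header or sequence number fails."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, tag)


def demo():
    # Constructed values standing in for the outputs of a real handshake.
    client_random = bytes.fromhex("11" * 32)
    server_random = bytes.fromhex("22" * 32)
    pre_master = b"\x03\x03" + bytes.fromhex("ab" * 46)   # 48-byte RSA pre-master secret shape
    master = master_secret(pre_master, client_random, server_random)
    keys = key_block(master, client_random, server_random, mac_len=32, key_len=16, iv_len=16)

    # Client application-data record number 0 (content type 23, version 0x0303 = TLS 1.2).
    fragment = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed fragment
    tag = record_mac(keys["client_mac"], 0, 23, 0x0303, fragment)
    intact = verify_record(keys["client_mac"], 0, 23, 0x0303, fragment, tag)
    # A changed byte in the fragment, or the same record replayed with a new sequence number, is rejected.
    tampered = verify_record(keys["client_mac"], 0, 23, 0x0303, fragment.replace(b"GET", b"PUT"), tag)
    replayed = verify_record(keys["client_mac"], 1, 23, 0x0303, fragment, tag)
    return {"master_len": len(master), "intact": intact, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

The sequence number is part of the MAC input but is never sent on the wire, which is why a captured record cannot simply be resubmitted later; the same property makes the check detect dropped or reordered records, not only modified ones.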

Why did TLS replace SSL?

TLS encryption is now standard practice for protecting web applications and data. We cannot say that TLS is a completely secure protocol, as there have been attacks such as Heartbleed in 2012 and 2014, but it brings many improvements in performance and security.

TLS has replaced SSL because almost all versions of SSL have been withdrawn due to known vulnerabilities. Google Chrome, for example, stopped supporting SSL 3.0 in 2014. Today most modern browsers do not support SSL at all.

Use TLS for encrypted communication

TLS helps protect sensitive information in transit, such as credit card details, email, voice over IP (VoIP), file transfers and passwords. Although certificates for both protocols encrypt data during transfer, the two protocols differ in how they work.

It is worth noting that TLS is still commonly referred to as SSL, simply because SSL is the more familiar term. You also do not need to worry about choosing between an SSL and a TLS certificate: all you need to do is install a certificate on your server, which supports both protocols and decides which one to use.

Written by giorgos