Image credit: zviray
The chronic epidemic of face blindness that affects the population of Metropolis and prevents them from realizing that Clark Kent and the freaking flying alien who looks just like him are actually the same person extends to the tech sector where we continually argue over how pedantic to be about the difference between “SSL” and “TLS”.
Get the Free Pen Testing Active Directory Environments EBook
To be fair, the situation is less of a “SSL is from Earth” and “TLS is from Krypton” than a very positive story of how encryption standards have continually been improved and how the outdated and insecure methods of client and server communication have been deprecated to boost the overall security of the Internet.
What is SSL?
Netscape developed version 1.0 of the Secure Sockets Layer (SSL) protocol more than 20 years ago so that people could use their browser to securely cruise around Geocities and share Star Trek ASCII art securely.
Like all first efforts at shipping practical crypto, SSL versions 1.0 to 3.0 were found to have some security issues which necessitated iterative releases of more and more fundamentally secure designs.
What is TLS?
In 1999, Version 1.0 of the Transport Layer Security (TLS) protocol was released. The name change was intended to clarify that this was an open standard that any company or project could incorporate and not a proprietary product of Netscape (which at the time was still selling “Netscape Enterprise Server” web server software which used “SSL” for transport encryption). Further, TLS was designed to be application protocol independent, whereas SSL was initially designed fairly narrowly for just HTTP connections.
Which One Should I Say?
Linguistically, the term “SSL” has won in the war of “What should we call the thing that makes the lock show up and be green?” As proof, see the Google Trends comparison of “SSL vs TLS”.
Because of this, anytime you’re talking about the overall concept – or when trying to explain this to a non-technical audience – “SSL” becomes the commonly accepted blanket term, as it’s most likely what they’ve heard of and the benefits of clear conceptual communication are usually paramount.
When you’re talking about the protocol and what which versions of SSL/TLS should be enabled, “TLS” is by necessity preferred as the exact version matters due to changes in how ciphers, etc. are handled.
On a practical level, however, there are significant security and administrative benefits of knowing:
- That different versions of SSL/TLS exist.
- That older systems can’t connect to newer ones if there is a protocol mismatch. If you’ve ever wondered why Internet Explorer on a new Windows 95 install can’t connect to HTTPS sites, there’s your answer.
- That you should have an organizational policy of only enabling later versions of TLS. (TLS 1.0 is not acceptable for PCI Compliance)
- That many devices and applications still support older, insecure versions of TLS/SSL that you need to specifically disable.
Ultimately, the question of ‘what’s the difference between SSL vs TLS?’ is a great one – if only to discuss these practical points and drive home why the finer points of security protocols matter.
