Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

The Difference Between SSL and TLS

SSL and TLS are used interchangably in conversations as they are incredibly closely related. Knowing the subtle difference is key. 
Michael Buckbee
2 min read
Last updated October 22, 2021

Image credit: zviray

The chronic epidemic of face blindness that affects the population of Metropolis and prevents them from realizing that Clark Kent and the freaking flying alien who looks just like him are actually the same person extends to the tech sector where we continually argue over how pedantic to be about the difference between “SSL” and “TLS”.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

To be fair, the situation is less of a “SSL is from Earth” and “TLS is from Krypton” than a very positive story of how encryption standards have continually been improved and how the outdated and insecure methods of client and server communication have been deprecated to boost the overall security of the Internet.

What is SSL?

Netscape developed version 1.0 of the Secure Sockets Layer (SSL) protocol more than 20 years ago so that people could use their browser to securely cruise around Geocities and share Star Trek ASCII art securely.


Like all first efforts at shipping practical crypto, SSL versions 1.0 to 3.0 were found to have some security issues which necessitated iterative releases of more and more fundamentally secure designs.

What is TLS?

In 1999, Version 1.0 of the Transport Layer Security (TLS) protocol was released. The name change was intended to clarify that this was an open standard that any company or project could incorporate and not a proprietary product of Netscape (which at the time was still selling “Netscape Enterprise Server” web server software which used “SSL” for transport encryption). Further, TLS was designed to be application protocol independent, whereas SSL was initially designed fairly narrowly for just HTTP connections.

Which One Should I Say?

Linguistically, the term “SSL” has won in the war of “What should we call the thing that makes the lock show up and be green?” As proof, see the Google Trends comparison of “SSL vs TLS”.

Because of this, anytime you’re talking about the overall concept – or when trying to explain this to a non-technical audience – “SSL” becomes the commonly accepted blanket term, as it’s most likely what they’ve heard of and the benefits of clear conceptual communication are usually paramount.

When you’re talking about the protocol and what which versions of SSL/TLS should be enabled, “TLS” is by necessity preferred as the exact version matters due to changes in how ciphers, etc. are handled.

On a practical level, however, there are significant security and administrative benefits of knowing:

  • That different versions of SSL/TLS exist.
  • That older systems can’t connect to newer ones if there is a protocol mismatch. If you’ve ever wondered why Internet Explorer on a new Windows 95 install can’t connect to HTTPS sites, there’s your answer.
  • That you should have an organizational policy of only enabling later versions of TLS. (TLS 1.0 is not acceptable for PCI Compliance)
  • That many devices and applications still support older, insecure versions of TLS/SSL that you need to specifically disable.

Ultimately, the question of ‘what’s the difference between SSL vs TLS?’ is a great one – if only to discuss these practical points and drive home why the finer points of security protocols matter.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

SecurityRWD - Introduction to AWS Services
Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team kick off a new series diving into the various services found under the AWS umbrella. In this video, they introduce and provide an overview of some of the core services including IAM, S3, and EC2.
SecurityRWD - Introduction to AWS Lambda
Join Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team as they discuss AWS's serverless computing platform, Lambda. Find out what the Lambda functions allow for, see an everyday example of how it all comes together, and learn why it's so important for organizations to monitor Lambda's behavior within the entire Amazon Web Service ecosystem.
SecurityRWD - Introduction to AWS Simple Storage Service (S3)
Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team compare and contrast Amazon Web Services S3 to traditional on-prem storage systems. Listen in as the team discusses how AWS S3 goes beyond basic data storage, and enables programmatic access to apps and services inside and outside the AWS environment.
Social Media Security: How Safe is Your Information? 
What exactly are social media platforms doing to keep your information safe? We’ve broken down the security initiatives and features to find out!