The Difference Between SSL and TLS

Last updated October 22, 2021

Image credit: zviray

The chronic epidemic of face blindness that affects the population of Metropolis and prevents them from realizing that Clark Kent and the freaking flying alien who looks just like him are actually the same person extends to the tech sector, where we continually argue over how pedantic to be about the difference between “SSL” and “TLS”.

To be fair, the situation is less a case of “SSL is from Earth” and “TLS is from Krypton” and more a very positive story of how encryption standards have continually been improved and how outdated, insecure methods of client and server communication have been deprecated to boost the overall security of the Internet.

What is SSL?

Netscape developed version 1.0 of the Secure Sockets Layer (SSL) protocol more than 20 years ago so that people could use their browser to securely cruise around Geocities and share Star Trek ASCII art.

Like all first efforts at shipping practical crypto, SSL versions 1.0 to 3.0 were found to have some security issues which necessitated iterative releases of more and more fundamentally secure designs.

What is TLS?

In 1999, Version 1.0 of the Transport Layer Security (TLS) protocol was released. The name change was intended to clarify that this was an open standard that any company or project could incorporate and not a proprietary product of Netscape (which at the time was still selling “Netscape Enterprise Server” web server software which used “SSL” for transport encryption). Further, TLS was designed to be application protocol independent, whereas SSL was initially designed fairly narrowly for just HTTP connections.

Which One Should I Say?

Linguistically, the term “SSL” has won in the war of “What should we call the thing that makes the lock show up and be green?” As proof, see the Google Trends comparison of “SSL vs TLS”.

Because of this, anytime you’re talking about the overall concept – or when trying to explain this to a non-technical audience – “SSL” becomes the commonly accepted blanket term, as it’s most likely what they’ve heard of and the benefits of clear conceptual communication are usually paramount.

When you’re talking about the protocol and which versions of SSL/TLS should be enabled, “TLS” is by necessity preferred, as the exact version matters due to changes in how ciphers, etc. are handled.

On a practical level, however, there are significant security and administrative benefits of knowing:

  • That different versions of SSL/TLS exist.
  • That older systems can’t connect to newer ones if there is a protocol mismatch. If you’ve ever wondered why Internet Explorer on a new Windows 95 install can’t connect to HTTPS sites, there’s your answer.
  • That you should have an organizational policy of only enabling later versions of TLS. (TLS 1.0 is not acceptable for PCI Compliance)
  • That many devices and applications still support older, insecure versions of TLS/SSL that you need to specifically disable.

Ultimately, the question of ‘what’s the difference between SSL vs TLS?’ is a great one – if only to discuss these practical points and drive home why the finer points of security protocols matter.
