SSL vs. TLS - What's the difference?


Possibly one of the most frequently asked questions is: what is the difference between SSL (Secure Sockets Layer) and TLS (Transport Layer Security)? You know that you want to protect your website (or another type of communication), but what do you need: SSL, TLS, or both? Let's look at what each of these is for.

SSL and TLS are cryptographic protocols that provide authentication and encryption of information between servers, machines and applications that operate over a network (for example, a client connecting to a web server). SSL is the predecessor of TLS. Over the years, new versions of the protocols have been developed to address vulnerabilities and to deliver stronger algorithms and encryption.

SSL was originally developed by Netscape and was introduced in 1995 with SSL 2.0 (1.0 was never released to the public). Version 2.0 was quickly superseded by SSL 3.0 in 1996 after a number of vulnerabilities were found. Note: Versions 2.0 and 3.0 are sometimes written as SSLv2 and SSLv3.

TLS was introduced in 1999 as a new version of SSL and was based on SSL 3.0.

The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 cannot interoperate.

TLS is currently at version 1.2, and TLS 1.3 is currently in draft.

Should you use SSL or TLS?

Both SSL 2.0 and 3.0 have been deprecated by the IETF (in 2011 and 2015, respectively). Over the years, vulnerabilities have been found in the outdated SSL protocols (e.g. POODLE, DROWN). Most modern browsers will deliver a degraded user experience (for example, security warnings) when they encounter a web server that uses these older protocols. For these reasons, you should disable SSL 2.0 and 3.0 in your server configuration, leaving only the TLS protocols enabled.
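
One way to check a server configuration for the advice above, as an added example that is not part of the original article: a small auditor that reports directives still enabling SSL 2.0 or 3.0. It assumes nginx's ssl_protocols and Apache's SSLProtocol directives (the article names no server), uses a simplified model of Apache's left-to-right evaluation, and runs on constructed sample lines.

```python
# Added example: flag server directives that still enable SSL 2.0 / SSL 3.0.
LEGACY = {"SSLv2", "SSLv3"}  # the protocols the article says to disable
CANON = {p.lower(): p for p in
         ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
# Assumption: Apache's "all" shortcut is treated as including SSLv3 (true
# unless OpenSSL was built without SSLv3), so it must be subtracted explicitly.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def enabled_protocols(line):
    """Protocols enabled by one directive, or None if it is not one."""
    tokens = line.split("#", 1)[0].strip().rstrip(";").split()
    if len(tokens) < 2:
        return None
    name, args = tokens[0].lower(), tokens[1:]
    if name == "ssl_protocols":      # nginx: explicit list of protocols
        return {CANON.get(a.lower(), a) for a in args}
    if name != "sslprotocol":        # anything else is not a protocol directive
        return None
    enabled = set()
    for arg in args:                 # Apache: evaluated left to right
        sign, proto = (arg[0], arg[1:]) if arg[0] in "+-" else ("", arg)
        if proto.lower() == "all":
            members = set(APACHE_ALL)
        else:
            members = {CANON.get(proto.lower(), proto)}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:                        # a bare name replaces what came before
            enabled = members
    return enabled


def audit(config_text):
    """Return (line number, legacy protocols) for each offending directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        legacy = sorted((enabled_protocols(line) or set()) & LEGACY)
        if legacy:
            findings.append((number, legacy))
    return findings


SAMPLE = """\
# constructed sample lines, not taken from a real server
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
"""
```

Calling audit(SAMPLE) reports lines 2 and 4, the two directives that leave SSL 3.0 enabled; the other two pass.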

Certificates are not the same as protocols

Before you start to worry about whether you need to replace your existing SSL certificates with TLS certificates, it is important to note that certificates do not depend on protocols. In other words, you don't need a TLS certificate as opposed to an SSL certificate. Many vendors use the phrase "SSL/TLS certificate", but it may be more accurate to call them "certificates for use with SSL and TLS", since the protocols are determined by the server configuration and not by the certificates.

It is very likely that you will continue to see certificates referred to as SSL certificates, since this is the most popular term at this time, but we are beginning to see an increase in the use of the term TLS in the industry. The combined term SSL/TLS is the most used for now, until more people become familiar with the term TLS.

What is the difference between SSL and TLS? In conversation, not much: many people continue to use the term SSL. In terms of your server settings, it is the difference between a configuration with known vulnerabilities, outdated cipher suites and browser security alerts, and one without them. When it comes to your servers, you should only have TLS protocols enabled.
