TLS vs. SSL

Which web encryption standard is better?

With so many major data breaches in the news recently, you might wonder how your data is protected when you're online. When you go to a website to do some shopping and enter your credit card number, hopefully, in a few days, a package arrives at your door. But at that moment before you press Order, do you wonder how online security works?

Lifewire

The Basics of Online Security

In its basic form, online security—the security that takes place between a computer and a website—is performed through a series of questions and responses. You type a web address into a browser, and then the browser asks that site to verify its authenticity. The site responds with the appropriate information, and after both agree, the site opens in the web browser.

Among the questions asked and the information exchanged is data about the type of encryption used to pass browser information, computer information, and personal information between the browser and the website. These questions and answers are called a handshake. If that handshake doesn't take place, then the website you're trying to visit is deemed unsafe.

HTTP vs. HTTPS 

HTTP
  • Open for anyone to see along the way.

  • Easier to set up and run.

  • No security for passwords and submitted data.

HTTPS
  • Fully encrypted to hide information.

  • Requires additional server configuration.

  • Protects transmitted information, including passwords.

One thing you may notice when you visit sites on the web is that some have an address that starts with http, and some start with https. HTTP means Hypertext Transfer Protocol; it's a protocol or set of guidelines that designate secure communication over the internet.

Some sites, especially sites where you are asked to provide sensitive or personally identifying information, may display https either in green or in red with a line through it. HTTPS means Hypertext Transfer Protocol Secure, and green means the site has a verifiable security certificate. Red with a line through it means the site does not have a security certificate, or the certificate is inaccurate or expired.

Here's where things get a little confusing. HTTP does not mean data transferred between a computer and a website is encrypted. It only means the website that is communicating with the browser has an active security certificate. Only when an S (as in HTTPS) is included is the data that's transferred secure, and there's another technology in use that makes that secure designation possible.

SSL vs. TLS

SSL
  • Originally developed in 1995.

  • Earlier level of web encryption.

  • Lagged behind the rapidly growing internet.

TLS
  • Started as the third version of SSL.

  • Transport Layer Security.

  • Continued to improve on the encryption used in SSL.

  • Added security fixes for new types of attacks and security holes.

SSL was the original security protocol to ensure that websites and the data passed between the sites were secure. According to GlobalSign, SSL was introduced in 1995 as version 2.0. The first version (1.0) never made it into the public domain. Version 2.0 was replaced by version 3.0 within a year to address vulnerabilities in the protocol.

In 1999, another version of SSL, called Transport Layer Security (TLS), was introduced to improve the speed of the conversation and security of the handshake. TLS is the version that's currently in use, though it is often referred to as SSL for the sake of simplicity.

Understanding the SSL Protocol

Advantages
  • Hides information sent between a computer and a website.

  • Protects login information.

  • Secures online purchases.

Disadvantages
  • Doesn't protect against all threats.

  • Can't secure you on sites not using SSL.

  • Unable to hide which websites you visit.

When you consider sharing a handshake with someone, that means there is a second party involved. Online security works much the same way. For the handshake that ensures security online to take place, there must be a second party involved. If HTTPS is the protocol that the web browser uses to ensure there is security, then the second half of that handshake is the protocol that ensures encryption.

Encryption is the technology that's used to disguise data that's transferred between two devices on a network. It's accomplished by turning recognizable characters into unrecognizable gibberish that can be returned to its original state using an encryption key. This was originally accomplished through a technology called Secure Sockets Layer (SSL) security.

SSL was the technology that turned any data moving between a website and a browser into gibberish and then back into data again. Here's how it works:

  • You open a browser and type the address for your bank.
  • The web browser knocks on the bank's door and introduces you.
  • The doorman verifies that you are who you say you are and agrees to let you in under a set of conditions.
  • The web browser agrees to those conditions, and then you're allowed to access the bank's website.

The process repeats when you enter your username and password, with some additional steps.

  • You enter your username and password to gain access to your account.
  • Your web browser tells the bank's account manager that you would like access to your account.
  • They converse and agree that if you can provide the correct credentials, then you'll be granted access. However, those credentials need to be presented using a special language.
  • The web browser and the bank's account manager agree to the language that will be used.
  • The web browser converts your username and password into that special language and passes it to the bank's account manager.
  • The account manager receives the data, decodes it, and compares it to their records.
  • If your credentials match, you're granted access to your account.

The process takes place in nanoseconds, so you don't notice the time it takes for the conversation and handshake to take place between the web browser and website. 

TLS Encryption

Advantages
  • More secure encryption.

  • Hides data between a computer and websites.

  • Better handshake process when negotiating encrypted communication.

Disadvantages
  • No encryption is perfect.

  • Doesn't automatically secure DNS.

  • Not fully compatible with older versions.

TLS encryption was introduced to improve data security. While SSL was a good technology, security changes at a rapid rate, and that led to the need for better, more up-to-date security. TLS was built on the framework of SSL with improvements to the algorithms that govern the communications and handshake process.

Which TLS Version Is Most Current?

As with SSL, TLS encryption has continued to improve. The current TLS version is 1.2, but TLSv1.3 has been drafted, and some companies and browsers have used it for short periods of time. In most cases, they revert to TLSv1.2 because version 1.3 is still being perfected.

When finalized, TLSv1.3 will bring numerous security improvements, including improved support for more current types of encryption. However, TLSv1.3 will also drop support for older versions of SSL protocols and other security technologies that are no longer robust enough to ensure the proper security and encryption of personal data.
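The handshake's opening message and the version cut-off described above can be inspected without touching the network. The following Python sketch is an added example, not part of the original article: it asks the local TLS library for the ClientHello it would send, reads the protocol versions offered in it (TLS 1.3 clients list them in the supported_versions extension), and names any deprecated ones. The function names and the hostname shop.example are placeholders chosen for this illustration.

```python
import ssl
import struct

DEPRECATED = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}

def client_hello(ctx):
    """Return the first handshake message this TLS stack would send (no network I/O)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="shop.example")  # placeholder
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client now waits for the server
    return outgoing.read()

def offered_versions(record):
    """Parse a ClientHello record and list the protocol versions it offers."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    legacy = struct.unpack_from("!H", record, 9)[0]
    pos = 43                                              # past headers, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos + 2 > len(record):
        return [legacy]                                   # no extensions at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4 : pos + 4 + ext_len]
        if ext_type == 43:                                # supported_versions
            return [v for (v,) in struct.iter_unpack("!H", body[1 : 1 + body[0]])]
        pos += 4 + ext_len
    return [legacy]                                       # older client: highest version only

def deprecated_offers(versions):
    """Names of offered versions that a server should refuse."""
    return [DEPRECATED[v] for v in versions if v in DEPRECATED]

def hardened_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx

if __name__ == "__main__":
    versions = offered_versions(client_hello(hardened_context()))
    print([hex(v) for v in versions], deprecated_offers(versions))
```

The same parser can be pointed at a ClientHello taken from a packet capture to see which versions a client still offers; some browsers also insert reserved placeholder values into the list, which this sketch does not filter out.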