You have probably already come across the two acronyms SSL and TLS, which are often combined as SSL/TLS. If you want to manually configure an email client or host website, for example, these terms cannot be avoided. In this article, you will learn what the dif­fer­ences between these two protocols are.

$1 Domain Names – Register yours today!
  • Simple reg­is­tra­tion
  • Premium TLDs at great prices
  • 24/7 personal con­sul­tant included
  • Free privacy pro­tec­tion for eligible domains

What does SSL and TLS mean?

SSL stands for “Secure Socket Layer” and TLS for “Transport Layer Security”. Both are en­cryp­tion protocols for the internet’s transport layer. Their job is to encrypt data streams between the client and server.

If com­mu­ni­ca­tion passes through this encrypted transport layer, an “s” is added to the end of the protocol name: http becomes https, imap becomes imaps, etc. The acronym SSL also appears in the term SSL cer­tifi­cate – this cer­tifi­cate is required if a website wants to com­mu­ni­cate using https, which is what the vast majority of websites use today.

Tip

For more in­for­ma­tion about TLS, check out our follow-up article.

The dif­fer­ence between SSL and TLS

SSL was in­tro­duced in 1995. After a number of serious security vul­ner­a­bil­i­ties were dis­cov­ered, the improved version 2.0 was released, followed by version 3.0 one year later. After dis­cov­er­ing security vul­ner­a­bil­i­ties, the IETF (Internet En­gi­neer­ing Task Force, re­spon­si­ble for further de­vel­op­ing the internet) rejected SSL 3.0.

Note

SSL 2.0 and SSL 3.0 are sometimes also called SSLv2 and SSLv3.

The TLS protocol is the successor to SSL. It was in­tro­duced in 1999 as an improved version of SSL 3.0 and was called SSL 3.1 at first. The current version is TLS 1.3 (as of 2018).

The jump from SSL 3.0 to TLS 1.0 was initially just a small one. “The dif­fer­ences between this protocol and SSL 3.0 are not dramatic, but they are sig­nif­i­cant enough that TLS 1.0 and SSL 3.0 do not in­ter­op­er­ate” (RFC 2246). Compared to SSL 3.0, TLS 1.0 improved cryp­to­graph­ic security and ap­pli­ca­tion in­ter­op­er­abil­i­ty. The currently used version TLS 1.2 provides increased security against hacker attacks and allows ap­pli­ca­tions much more flex­i­bil­i­ty with regard to the en­cryp­tion used (cipher suites).

The current version of TLS is more secure, flexible, and efficient than its pre­de­ces­sor SSL. Since the acronym SSL is still much more widely known than TLS, many providers of client software, routers, and so forth use the term SSL or al­ter­na­tive­ly the combined term SSL/TLS. However, this is usually referring to the current version of TLS (i.e. TLS 1.3).

SSL or TLS – which one should you use?

Today, the only answer is TLS. SSL 2.0 and SSL 3.0 are outdated and regarded as insecure. The same can be said about older versions of TLS. Only TLS 1.2 can still be used under certain con­di­tions, which are outlined in the TLS 1.3 spec­i­fi­ca­tion. However, you should avoid all SSL protocols (as using them is now pro­hib­it­ed) as well as TLS versions 1.0 and 1.1 (support for which will be phased out soon). On properly con­fig­ured servers, these outdated protocols are disabled.

Image: Screenshot of GlobalSign
Example of a proper server con­fig­u­ra­tion: only TLS 1.2 is activated. Source: https://glob­al­sign.ssllabs.com/
Tip

Using this Glo­gal­Sign, you can check which en­cryp­tion protocols the server of a specific website has enabled.

Go to Main Menu