If you’re new to the world of web security and SSLs, learning the ins and outs of both can be quite an undertaking. You might vaguely know that SSL certificates “secure your site,” but not exactly how or why. And then people start bringing TLS certificates into the mix, and you’re completely lost. Are they one and the same or completely different?
If you’ve ever found yourself wondering what TLS has to do with SSL, this blog post will shed some much-needed light on the subject.
The Difference Between SSL and TLS Certificates
SSL, or Secure Sockets Layer, is a cryptographic protocol used to establish secure, encrypted communications on the web between a client and a server via HTTPS. In everyday terms, this would be a connection between a web browser and a website. Encryption ensures that any data sent over this connection is rendered unreadable to third parties.
TLS, or Transport Layer Security, is also a cryptographic protocol. It does the same thing as SSL, but better. It’s essentially an upgraded version of SSL that’s faster and more secure. While the outcome is the same, SSL and TLS go about creating the encrypted connection in different ways behind the scenes, from the type of authentication messages sent to how they establish record protocols. These necessary steps for establishing an encrypted connection are what we refer to as the SSL or TLS handshake.
So far you’re with me, right? The next part is what usually throws people off.
In all likelihood, if you’re using an SSL certificate in 2020, it actually works by using the TLS protocol. The term ‘SSL certificate’ is in fact a misnomer. ‘TLS certificate’ would be a more accurate name.
To understand why SSL certificates are actually TLS certificates, we’ll have to go back a couple of decades and take a look at how these digital certificates came to exist.
A Brief History of SSL
SSL was first developed in the mid-90s in response to a growing need for better security across the World Wide Web as the number of people, institutions, and businesses using it increased. As online banking and shopping began to take off, there was a growing realization that people’s data — from personal information to credit card numbers — needed to be protected.
And so Netscape created SSL 1.0 in 1994. Although it was a game-changer in the world of online encryption, this first version had numerous significant security flaws, so it never had a public release. SSL 2.0, released in 1995, and SSL 3.0, released in 1996, made improvements but still had many security flaws.
That’s where TLS comes into all this. With the pressing need for a more secure encryption protocol, researchers began working on something new.
The Shift to TLS
In 1999 the TLS protocol was created, and would eventually replace SSL entirely. The first version of TLS was version 1.0, and was followed up by TLS 1.1 released in 2006, TLS 1.2 in 2008, and the latest version, TLS 1.3, which was released in 2018. Each version of TLS has come with significant security upgrades, so much so that the latest version of TLS works completely differently from the first version of SSL developed more than two decades before.
These days, it’s TLS 1.2 and 1.3 that are the most widely used cryptographic protocols. The use of the final version of SSL (3.0) was deprecated back in 2015 by the Internet Engineering Task Force (IETF). When it comes to web browsing, SSL is basically obsolete.
Why Do We Still Call Them SSL Certificates, Then?
Mostly for branding and marketing purposes. The name “SSL Certificate” has simply become synonymous with encryption and web security. Even though SSL isn’t really used anymore, it is the industry-wide term for this type of digital certificate.
The time for switching the name to TLS certificates has long passed. Suddenly referring to them as TLS certificates outright might result in a lot of confusion for those who aren’t intimately familiar with Internet protocols. They may think you’re talking about something completely different.
In any case, the debate over whether to call them SSL or TLS certificates is actually a bit misleading. Whether an encrypted connection is created via the SSL or TLS protocol is not controlled by the digital certificate in and of itself, but rather by the configurations of your server and the browser being used.
Ensuring Your SSL Certificate Uses the TLS Protocol
If you created your website in the last few years and it works in modern web browsers, it’s highly unlikely your servers are configured to use SSL or older versions of the TLS protocol, because otherwise they simply wouldn’t work. Google Chrome stopped supporting the last version of SSL in 2014, while major browsers and tech companies have vowed to deprecate the use of TLS 1.0 and 1.1 by the end of this year. Your server is likely configured to support TLS 1.2 or 1.3, with the latter being preferable.
You can check your server configurations by using this tool. If you want to update your TLS server configurations, reach out to your web hosting provider or hire a systems administrator.
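To see that the protocol version comes from configuration rather than from the certificate, the following Python example (added here, not part of the original post) attempts one handshake per protocol version against a server you operate and reports which versions it accepts. The names `pinned_context`, `probe` and `assess` are made up for this illustration.

```python
import socket
import ssl
import warnings

VERSIONS = [  # (label, version, can the local OpenSSL build speak it?)
    ("SSL 3.0", ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]
DEPRECATED = ("SSL 3.0", "TLS 1.0", "TLS 1.1")
MODERN = ("TLS 1.2", "TLS 1.3")

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # probe only: no application data is sent,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is not validated here
    with warnings.catch_warnings():  # Python warns when old versions are selected
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port=443, timeout=5.0):
    """Map label -> True (accepted) or False (refused); untestable versions are omitted."""
    results = {}
    for label, version, available in VERSIONS:
        if not available:
            continue
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[label] = True
        except ValueError:  # local OpenSSL policy rejects this version
            continue
        except (ssl.SSLError, ConnectionError, socket.timeout):
            results[label] = False
    return results

def assess(results):
    """Turn probe results into findings a site owner can act on."""
    findings = [f"{v} is still accepted" for v in DEPRECATED if results.get(v)]
    findings += [f"{v} is not offered" for v in MODERN if results.get(v) is False]
    return findings

if __name__ == "__main__":
    import sys
    print(assess(probe(sys.argv[1])))  # pass the hostname of a server you operate
```

The same certificate is presented in every handshake; only the negotiated version changes. A refusal of SSL 3.0, TLS 1.0 or TLS 1.1 can also come from the local OpenSSL security policy declining to offer that version, so treat those results as a lower bound on what the server accepts.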