There are a number of differences between SSL and TLS, as TLS is the successor of SSL, and they are discussed in this article. SSL, which stands for Secure Sockets Layer, is a protocol that secures the connection between a client and a server. It uses cryptographic mechanisms (encryption, message authentication codes and digital certificates) to provide confidentiality, integrity and endpoint authentication for that connection. TLS, which stands for Transport Layer Security, is the successor of SSL and includes fixes and improvements over it. SSL is now old and has a number of well-known security flaws, so the recommendation is to use the latest version of TLS (TLS 1.2 when this article was written). SSL went up to version 3.0; after that the protocol continued under the name TLS.
What is SSL ?
SSL, which stands for Secure Sockets Layer, is a protocol that provides a secure connection between a client and a server. A TCP connection gives a reliable byte stream between the two, but offers no confidentiality, integrity or endpoint authentication: anyone on the path can read or alter the data, and neither side knows who it is talking to. SSL was introduced by Netscape in the 1990s to provide these services. The first version, SSL 1.0, was never released to the public because it had serious security holes. SSL 2.0, which was more secure than SSL 1.0, was released in 1995, and SSL 3.0, a substantial redesign, followed in 1996. Later versions of the protocol appeared under the name TLS.
SSL runs on top of a reliable transport protocol such as TCP (between the transport and application layers) and adds security to it. It provides confidentiality by encrypting the traffic so that an eavesdropper cannot read it. Both asymmetric and symmetric cryptography are used: during the handshake, asymmetric (public key) cryptography is used to agree on a symmetric session key, and that session key then encrypts the application data, because symmetric ciphers are far faster. Asymmetric cryptography is also used for the digital certificate that authenticates the server to the client (and, optionally, the client to the server). A Message Authentication Code (MAC), computed with a keyed hash function, provides integrity: any unauthorized modification of the data in transit is detected because the MAC no longer matches. Each record carries its own MAC, so the receiver checks every record before accepting it. This is what makes it safe to send sensitive information such as bank transactions and credit card numbers over the internet, and SSL/TLS is likewise used to protect email, web browsing, instant messaging and voice over IP.
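The paragraph above describes the hybrid model in the abstract. The following added example (written for this article, not taken from any SSL/TLS implementation) shows the symmetric half concretely, using the TLS 1.2 constructions from RFC 5246: the pseudorandom function, the derivation of the master secret and the key block from a pre-master secret, and the per-record HMAC that provides integrity. The pre-master secret and the two randoms are constructed constants standing in for what the asymmetric part of the handshake would produce; the key sizes assume AES-128-CBC with HMAC-SHA256.

```python
import hmac
import hashlib
import struct


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5, expanded to `length` bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Master secret and key block as in RFC 5246 sections 8.1 and 6.3.

    The pre-master secret is the value the asymmetric part of the handshake
    agrees on (RSA key transport or Diffie-Hellman); everything from here on
    is symmetric.  Sizes default to AES-128-CBC with HMAC-SHA256.
    """
    master_secret = prf(pre_master_secret, b"master secret",
                        client_random + server_random, 48)
    # Note the swapped order of the randoms for key expansion (RFC 5246 6.3).
    key_block = prf(master_secret, b"key expansion",
                    server_random + client_random,
                    2 * (mac_len + key_len + iv_len))
    fields = ["client_mac_key", "server_mac_key",
              "client_enc_key", "server_enc_key",
              "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys = {"master_secret": master_secret}
    pos = 0
    for name, size in zip(fields, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def record_mac(mac_key: bytes, seq_num: int, content_type: int,
               version: int, fragment: bytes) -> bytes:
    """TLS 1.2 record MAC (RFC 5246 section 6.2.3.1):
    HMAC(mac_key, seq_num || type || version || length || fragment).
    The sequence number ties the MAC to the record's position in the stream,
    so a replayed or reordered record fails verification."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  version: int, fragment: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification time leaks nothing about the tag."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, tag)


# Constructed handshake values (not from a real session).  In a real handshake the
# randoms are 32 bytes each and the pre-master secret comes from RSA or (EC)DH.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def demo() -> bool:
    client = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    assert client == server  # both ends compute identical keys from the shared inputs

    # Client protects an application-data record (type 23, version 0x0303 = TLS 1.2).
    fragment = b"GET /account HTTP/1.1\r\n"
    tag = record_mac(client["client_mac_key"], 0, 23, 0x0303, fragment)

    ok = verify_record(server["client_mac_key"], 0, 23, 0x0303, fragment, tag)
    tampered = verify_record(server["client_mac_key"], 0, 23, 0x0303,
                             fragment.replace(b"account", b"admin  "), tag)
    replayed = verify_record(server["client_mac_key"], 1, 23, 0x0303, fragment, tag)
    return ok and not tampered and not replayed


if __name__ == "__main__":
    print("keys agree, tamper and replay detected:", demo())
```

The two directions get separate MAC and encryption keys from the same key block, which is why a record captured from one direction cannot be reflected back in the other. Encryption of the fragment with `client_enc_key` is omitted here; the point is that the keys, and therefore the confidentiality and integrity of every later record, rest entirely on the pre-master secret that the asymmetric handshake produced.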
SSL is now outdated and has many known security issues, so its use is no longer recommended. SSL 3.0 was enabled by default in many browsers until recently, but vendors have been disabling it in new versions because of serious flaws such as the POODLE attack (CVE-2014-3566), which exploits SSL 3.0's weak CBC padding check to decrypt a record one byte at a time. Because the attack needs an SSL 3.0 connection, an attacker first forces a downgrade by breaking the client's TLS attempts; the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507) was introduced so that a server can tell such a forced fallback from a genuinely old client and refuse it.
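The protocol-level reason POODLE works against SSL 3.0 and not against TLS is a single rule about padding. As an added illustration (written for this article, not code from any SSL/TLS library), the block below models the receiver's check on a decrypted CBC record under both rules and counts how often a substituted final block would be accepted. It models only the padding and MAC check, not CBC decryption itself, and uses HMAC-SHA256 as a stand-in for the record MAC; the key and data are constructed constants.

```python
import hmac
import hashlib

BLOCK = 16    # AES block size
MAC_LEN = 32  # HMAC-SHA256 stand-in for the record MAC


def mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for the record MAC; SSL 3.0's own MAC construction and the
    # sequence-number header are left out because they do not affect the padding rule.
    return hmac.new(key, data, hashlib.sha256).digest()


def build_plaintext(key: bytes, data: bytes) -> bytes:
    """data || MAC || padding || padding_length, padded to a block boundary.
    If data||MAC already fills whole blocks, a full block of padding is added,
    which is exactly the case POODLE targets."""
    body = data + mac(key, data)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    return body + bytes([pad_len]) * pad_len + bytes([pad_len])


def _check_mac(key: bytes, plaintext: bytes, pad_len: int) -> bool:
    body = plaintext[:len(plaintext) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac(key, data), tag)


def ssl3_accept(key: bytes, plaintext: bytes) -> bool:
    """SSL 3.0 (RFC 6101 section 5.2.3.2): the padding bytes are unspecified, so
    only the final padding_length byte is checked, and only for being below the block size."""
    pad_len = plaintext[-1]
    if pad_len >= BLOCK:
        return False
    return _check_mac(key, plaintext, pad_len)


def tls_accept(key: bytes, plaintext: bytes) -> bool:
    """TLS 1.0 and later (RFC 2246 section 6.2.3.2): every padding byte must equal padding_length."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return False
    return _check_mac(key, plaintext, pad_len)


def count_accepted(check, key: bytes, plaintext: bytes, prefix: bytes) -> int:
    """Replace the final block with prefix || b for every byte value b and count
    how many the receiver accepts.  This models what happens when an attacker
    substitutes a ciphertext block: the decrypted final block is effectively
    random, and the receiver's padding rule decides how often it still passes."""
    accepted = 0
    for b in range(256):
        forged = plaintext[:-BLOCK] + prefix + bytes([b])
        if check(key, forged):
            accepted += 1
    return accepted


KEY = b"constructed-mac-key"
DATA = b"A" * 32                  # 32 data + 32 MAC = 64 bytes: fills blocks exactly
GARBAGE = bytes(range(16, 31))    # 15 constructed bytes, none of them equal to 15


def demo() -> dict:
    pt = build_plaintext(KEY, DATA)
    assert pt[-BLOCK:] == bytes([15]) * BLOCK  # final block is all padding
    return {
        "genuine_ssl3": ssl3_accept(KEY, pt),
        "genuine_tls": tls_accept(KEY, pt),
        "forged_ssl3": count_accepted(ssl3_accept, KEY, pt, GARBAGE),
        "forged_tls": count_accepted(tls_accept, KEY, pt, GARBAGE),
    }


if __name__ == "__main__":
    print(demo())  # SSL 3.0 accepts 1 of 256 substituted blocks, TLS accepts 0
```

Under SSL 3.0 the substituted block is accepted exactly when its last decrypted byte happens to be 15 (one chance in 256), and the accept/reject signal tells the attacker that byte's value; repeating this with the block moved around recovers the plaintext byte by byte. Under the TLS rule the whole block would have to decrypt to 0x0f bytes, which does not happen in practice, so the same oracle does not exist. The rule only helps when implementations actually enforce it, which is why some TLS stacks that skipped the check were later found to be affected as well.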
What is TLS?
TLS, which stands for Transport Layer Security, is the successor of SSL. After SSL 3.0, the next version was published as TLS 1.0 in 1999 (RFC 2246). TLS 1.1 followed in 2006 (RFC 4346), and TLS 1.2, with further improvements and fixes, in 2008 (RFC 5246). TLS 1.2 was the latest version when this article was written. Like SSL, TLS provides confidentiality, integrity and endpoint authentication, using encryption, message authentication codes and digital certificates. TLS as specified is not vulnerable to the POODLE attack that broke SSL 3.0, because TLS requires the receiver to check every padding byte rather than only the padding length; some TLS implementations that skipped that check were later found to be exposed too, so the version number alone is not a guarantee.
The recommendation is to use the latest TLS version, since it has the fewest known flaws. No security protocol is perfect: flaws are found over time and fixed in the next version. TLS 1.2 was the latest and most secure version when this was written and is enabled by default in all mainstream browsers; TLS 1.3 (RFC 8446) was published in 2018 and should be preferred where both ends support it, with TLS 1.2 as the minimum acceptable version.
What is the difference between SSL and TLS?
• TLS is the successor of SSL. SSL was introduced in the 1990s in three versions, SSL 1.0, SSL 2.0 and SSL 3.0. In 1999 the next version was named TLS 1.0; TLS 1.1 followed, and TLS 1.2 was the latest version when this article was written.
• SSL has many known flaws and is more susceptible to known attacks than TLS. Later TLS versions fix most of them, although no version is immune to attack; new weaknesses continue to be found and addressed.
• TLS adds features and supports newer algorithms that SSL does not.
• Since the POODLE attack, using SSL 3.0 is considered unsafe, and new browser versions disable it by default; TLS is enabled by default in all browsers.
• TLS supports newer authentication and key exchange suites such as ECDH-RSA and ECDH-ECDSA (RFC 4492), pre-shared keys (PSK, RFC 4279) and SRP (RFC 5054).
• Message authentication and cipher suites such as HMAC-SHA256/384 and AEAD ciphers (for example AES-GCM) are available in TLS 1.2 but not in SSL.
• SSL was developed and revised by Netscape, whereas TLS is standardized by the Internet Engineering Task Force and is published as RFCs.
• The protocols also differ in key derivation and message authentication: SSL 3.0 uses its own MD5/SHA-1 based MAC and key derivation, whereas TLS uses HMAC and a pseudorandom function (PRF); TLS 1.2 replaced the MD5/SHA-1 PRF with a hash chosen by the cipher suite (SHA-256 by default).
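The version a client offers, and whether it signals a fallback, is visible in the first bytes of every connection. As an added example (written for this article, not code from any browser or server), the block below builds two constructed ClientHello records, parses the version, cipher suites and extensions out of them, and flags an SSL 3.0 offer and the presence or absence of TLS_FALLBACK_SCSV the way a detection rule or a TLS-terminating server would. The cipher suite values are real IANA codepoints; the random is a fixed constant.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # RFC 7507
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(client_version: int, cipher_suites: list, extensions: bytes = b"") -> bytes:
    """Constructed ClientHello inside a TLS record (RFC 5246 section 7.4.1.2); fixed random."""
    body = struct.pack("!H", client_version) + bytes(range(32))   # version, 32-byte random
    body += b"\x00"                                                # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"                                            # compression: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type client_hello
    return b"\x16" + struct.pack("!HH", client_version, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Pull version, cipher suites and extensions out of a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # skip version + random
    pos += 1 + body[pos]                       # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # compression methods
    extensions = {}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "extensions": extensions,
            "fallback_scsv": TLS_FALLBACK_SCSV in suites}


def assess(hello: dict) -> list:
    """Findings a detection rule or a TLS-terminating server would raise on this hello."""
    findings = []
    v = hello["client_version"]
    name = VERSION_NAMES.get(v, hex(v))
    if v <= 0x0300:
        findings.append(f"offers {name}: accepting it exposes the session to POODLE")
    if v < 0x0303 and hello["fallback_scsv"]:
        findings.append(f"{name} hello carries TLS_FALLBACK_SCSV: a server that supports a newer "
                        "version must reject it with inappropriate_fallback (RFC 7507)")
    elif v < 0x0303:
        findings.append(f"{name} hello without TLS_FALLBACK_SCSV: indistinguishable from a "
                        "genuinely old client, so a forced downgrade would go unnoticed")
    return findings


# Constructed hellos: a normal TLS 1.2 offer, and the SSL 3.0 retry that a client implementing
# RFC 7507 sends after its TLS attempts failed, with the SCSV set so the server can tell.
NORMAL = build_client_hello(0x0303, [0xC02F, 0x009C])   # ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-GCM-SHA256
FALLBACK = build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])   # RSA-AES128-CBC-SHA + SCSV

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("fallback", FALLBACK)):
        h = parse_client_hello(raw)
        print(label, VERSION_NAMES[h["client_version"]], assess(h))
```

Two caveats when running this over real traffic: TLS 1.3 clients put 0x0303 in the legacy client_version field and list their real versions in the supported_versions extension (type 0x002b), which the parser above keeps in `extensions` but does not interpret; and very old clients may send an SSLv2-format ClientHello that does not start with a 0x16 record header at all, which this parser rejects.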
Summary:
TLS vs SSL
TLS is the successor of SSL and includes many improvements and fixes over it. SSL was introduced in the 1990s and went through three versions up to SSL 3.0. In 1999 the next version appeared under the name TLS 1.0, and TLS 1.2, from 2008, was the latest version when this article was written. SSL is an old protocol with many known security flaws and is susceptible to known attacks such as POODLE. The latest TLS versions fix these weaknesses and add new features and algorithms. So, for any application that needs real security, the latest version of TLS should be used rather than the old SSL protocols, and SSL 3.0 should be disabled on both clients and servers.
Images Courtesy:
- TLS by Jeffreytedjosukmono (CC BY-SA 3.0)