Differences between SSL and TLS

The chronic epidemic of perceptual impairment in the people of Metropolis, due to which no one notices that Clark Kent and an eccentric flying alien, looking like two drops of water, is in fact one and the same person, extends to the technical sector, where we constantly argue about how strictly it is necessary to distinguish between SSL and TLS protocols.

It is fair to say that this is not a situation of “SSL from the Earth, TLS from Krypton”, but a worthy example of the continuous improvement of encryption standards and the rejection of outdated and unreliable data exchange methods between clients and servers to improve the overall security of the Internet.

More than 20 years ago, Netscape developed SSL (Secure Sockets Layer) version 1.0 so that browsers can view Geocities pages and share ASCII graphics based on Star Trek without worrying about security.
')


Versions of SSL 1.0–3.0, as well as all the first attempts to create an efficient encryption algorithm, were criticized due to serious security problems, which required the release of several modified versions with an improved security architecture.

In 1999, Transport Layer Security protocol version 1.0 was released: tools.ietf.org/html/rfc2246 . The name was changed to emphasize the open nature of the standard, so that anyone could use it in their projects and thereby separate it from the company's Netscape product (which at that time was still selling software for the Netscape Enterprise Server web servers, using SSL to encrypt data from external channels). In addition, TLS was developed as an application independent protocol, whereas SSL was originally planned to be used only for HTTP connections.

In linguistic confrontation (“What is the name of the protocol, using which a green lock appears?”) The term SSL has won. If you need proof, see the SSL Trends TLS comparison on Google Trends.



That is why in the materials about the general concept or when telling this concept to people without specialized knowledge, the generally accepted term SSL is used, since it is widely known, and a correct understanding of terminology in such matters is of paramount importance.
When discussing _protocol_ as such and the SSL / TLS versions that should be included, the term TLS will be more correct.

However, in practice, the security and administration specialist needs to know the following.

• There are different versions of SSL / TLS.

• If the protocols do not match, older systems cannot communicate with newer ones. If you have ever thought about why Internet Explorer does not open HTTPS sites when installing Windows 95 on a new computer, then now you know the answer.

• You need to create a corporate policy that allows you to include only later versions of TLS (current version number is 1.2).

• Many devices and applications still support outdated and insecure versions of TLS / SSL, which must be turned off on purpose.

In general, the question “What is the difference between SSL and TLS?” Is very interesting if we discuss only practical points and prove why the small differences between security protocols are so important.