SSL vs TLS – What is the Difference
By Nick Anderson
Security is essential for achieving privacy. It is a tool that gives you the power to protect your online activities from the world. A key component of security is encryption.
Encryption has concealed messages for decades. Before computers, the sender and receiver would encrypt messages using an agreed-upon secret. Computers follow the same process, but the computing capabilities allow for a much higher form of encryption that is impossible to break without a key. Web communication today relies on SSL and TLS as the two protocols for encrypting data.
Using the two terms interchangeably has created confusion among people, especially when they see them written separately. We’ll explain how both technologies are different, and why encryption is so important.
Why Encryption is Important
Encryption refers to the process of turning plain-text into cipher-text. A cipher-text is plain-text that has been converted into an unreadable format. It is encrypted using a key that is also used to decrypt it. Only the sender and the receiver know the key. There are two types of encryption: symmetric and asymmetric.
The sender and receiver share a common key in symmetric encryption. Encryption and decryption both work via the same key. Asymmetric encryption is new and involves a public key and a private key – it is also known as public-key encryption for that reason. The sender/client uses a public key to encrypt data, then the receiver/server uses the private key for decryption. The server keeps its private key as a closely guarded secret. The private key works because the public key is mathematically related to it.
The web before the proliferation of HTTPS was generally unsecure. There was always the risk that some third-party could spy on the data passing between the client and the server. It also meant that sending sensitive information such as passwords and banking information over the internet was a huge risk. Being the “secure” version of HTTP, HTTPS addresses these concerns by adopting SSL/TLS for encryption.
Difference Between SSL and TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both encryption protocols, but the latter is the successor and more secure. SSL was developed by Netscape back in 1994. Due to security vulnerabilities, SSL skipped the very first version and jumped to SSL 2.0 for the public release. Then came SSL 3.0, which was quickly retired due to vulnerability to POODLE, a Man-in-the-Middle attack.
Enter TLS. It was released alongside SSL, but it wasn’t until the deprecation of SSL in 2015 that TLS became the only, ubiquitous protocol on the web that’s recommended for secure web exchange.
TLS also brought expandability in the number of ciphers that can be used. Ciphers are cryptographic algorithms that are used for encryption or key exchange. The strength of the cipher dictates how difficult it will be to brute-force the encrypted data. TLS supports RSA, AES, Diffie-Hellman, ECDSA, SHA-256, SHA-1 ciphers.
The reason why SSL and TLS are used interchangeably has to do with familiarity with the former. TLS has failed to catch on as a term to replace SSL. Hence, SSL continues to be the popular term even when TLS is being used.
HTTPS uses TLS to establish a secure channel between the client and the webserver. The handshake begins the process; the client authenticates the web server’s identity by verifying the digital certificate. The X.509 digital certificate is issued by a Certification Authority (CA) to the website to prove its identity to visitors. The process occurs through asymmetric encryption, where the webserver sends its digital certificate that contains its key. The client and server agree on the highest encryption protocol that is supported, then proceed to create session keys for that particular session. Once the authentication phase has finished, the two entities communicate using symmetric encryption.
Asymmetric encryption is slow and introduces latency. So after authentication, it makes the most sense to use symmetric encryption for fast data exchange. FastestVPN uses AES 256-bit encryption to protect your data.
Search Engines Love HTTPS
Google prefers websites that use HTTPS for security and favors them heavily in the ranking. The majority of the web today has transitioned to HTTPS, but a large portion of the web continues to be unsecure. A padlock icon in the URL bar next to the website’s address indicates that you are in secure communication with the webserver. You can click on the padlock icon to see which CA has issued the digital certificate.
But it’s not just Google or other search engines. As more people become aware, they look for HTTPS in a website. It serves as a sign of trust and reliability. It’s unthinkable today that someone like a bank would use unsecure HTTP for logging into the account. Ecommerce websites use HTTPS to provide security while you shop with credit card information on the internet. The presence of encryption ensures that a third-party cannot steal the information.
Despite such significant advantages, there are some websites that have not made that transition – yet. It is perhaps because some of them are blogs, where sensitive data exchange does not occur. But HTTPS also prevents a hacker from injecting malware onto a website, not to mention that forms on a website request information from the user such as name and email address.
Investing in HTTPS makes the website credible. Users are much more likely to interact with a secure website than an unsecure one. Many web hosting providers offer SSL certificates for free, while others allow you to add free SSL such as Let’s Encrypt.
Encryption is vital for protecting privacy in the digitally connected world of today. It’s easy for someone with a little bit of technical understanding to sniff data packets over an unsecure network like a public Wi-Fi hotspot. It is for this reason that a VPN plays a significant role in achieving greater security. VPN uses encryption all the time, which is most useful when communicating with non-HTTP websites. Moreover, VPN bypasses the ISP for DNS, making your activities hidden.