Website Security: What Should You Have?
SSL or TLS Certificates
For newbies to the topics of web security and SSLs, getting up to speed with both can be challenging. Maybe you know that SSL certificates “secure your site,” but you're not exactly sure how or why. And now, TLS certificates enter into the mix, and you’re completely lost. Are they one and the same or are they completely separate? If you have ever wondered what TLS has to do with SSL, this blog post will shed some light on the subject.
So What’s the Difference Between SSL and TLS Certificates?
Secure Sockets Layer (SSL) is a cryptographic protocol used to establish secure, encrypted communications on the web between a client and a server via HTTPS. In other words, this is the connection between a web browser and a website. Encryption ensures that any data sent over this connection is unreadable to third parties.
Transport Layer Security (TLS) is also a cryptographic protocol and does the same thing as SSL, only better. Essentially it’s an upgraded version of SSL that’s faster and more secure. Although the result is the same, SSL and TLS create the encrypted connection differently behind the scenes, from the type of authentication messages sent to how they establish record protocols. These necessary steps for establishing an encrypted connection are referred to as the SSL or TLS handshake.
This next part is normally what throws people off. In all likelihood, if you are using an SSL certificate in 2020, it actually works by using the TLS protocol. In fact, the term ‘SSL certificate’ is a misnomer. ‘TLS certificate’ is really the more accurate name. To understand why, we’ll need to go back a couple of decades and look at how these digital certificates came to exist.
A Brief History of SSL
In the mid-90s, SSL was developed. As the number of people, institutions, and businesses using the World Wide Web increased, the need for better security grew. Then as online banking and shopping took off, there was an increasing realization that people’s data — from personal information to credit card numbers — needed to be protected.
It was Netscape that created SSL 1.0 in 1994. Although it was a game-changer in the world of online encryption, the first version had a number of major security flaws, so it was never released to the public. SSL 2.0 was released in 1995 and 3.0 in 1996. Although each made improvements, they still had many security flaws.
Here is where TLS enters the picture. Because of the pressing need for a more secure encryption protocol, researchers started working on something new.
Shifting to TLS
The TLS protocol was created in 1999, and eventually would replace SSL entirely. TLS version 1.0 was followed up by TLS 1.1, released in 2006, TLS 1.2 in 2008, and the latest version, TLS 1.3, which was released in 2018. Every version of TLS has come with significant security upgrades. So many, in fact, that the latest version of TLS works completely differently from the first version of SSL developed more than two decades before.
Today, the most widely used cryptographic protocols are TLS 1.2 and 1.3. The use of the final version of SSL (3.0) was deprecated back in 2015 by the Internet Engineering Task Force (IETF). When it comes to web browsing, SSL is basically obsolete.
So Why Do We Still Call Them SSL Certificates?
Mainly for branding and marketing purposes. The name “SSL Certificate” has quite simply become synonymous with encryption and web security. Despite the fact that SSL isn’t really used anymore, it is the industry-wide term for this type of digital certificate.
The time for switching the name to TLS certificates has long passed. A sudden change in referring to them as TLS certificates outright would probably result in a lot of confusion for those not familiar with Internet protocols. They might think you’re talking about something completely different.
Actually, the debate over whether to call them SSL or TLS certificates is somewhat misleading. Whether an encrypted connection is created via the SSL or TLS protocol is not controlled by the digital certificate in and of itself. Rather, it is determined by the configuration of your server and the browser being used.
Is Your SSL Certificate Using the TLS Protocol?
If your website was created during the last few years and is working in modern web browsers, it’s very unlikely that your servers are configured to use SSL or older versions of the TLS protocol because they simply wouldn’t work. Google Chrome stopped supporting the last version of SSL in 2014, while major browsers and tech companies have vowed to terminate the use of TLS 1.0 and 1.1 by the end of this year. Your server is most likely configured to support TLS 1.2 or 1.3, with 1.3 being preferable.
You can check your server configurations by using this tool. If you want to update your TLS server configurations, reach out to your web hosting provider or hire a systems administrator.
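The protocol version is chosen during the handshake, not by the certificate, so it can be read straight from the server's first handshake reply (the ServerHello). The following is an added example, not code from the original post: it parses that message and flags versions the post describes as obsolete. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire values of the version field, SSL 3.0 through TLS 1.3.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Versions the post describes as obsolete or being retired by browsers.
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
SUPPORTED_VERSIONS = 0x002B  # extension carrying the real version in TLS 1.3

def negotiated_version(record: bytes) -> str:
    """Return the protocol version a server selected in its ServerHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    pos = 9                               # 5-byte record header + 4-byte handshake header
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                         # version field, 32-byte server random
    pos += 1 + record[pos]                # length-prefixed session id
    pos += 3                              # cipher suite (2) + compression method (1)
    if pos + 2 <= len(record):            # extensions block is optional before TLS 1.3
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = min(pos + ext_total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 2 <= end:
                (version,) = struct.unpack_from("!H", record, pos)
            pos += ext_len
    return VERSIONS.get(version, f"unknown (0x{version:04x})")

def audit(record: bytes) -> tuple:
    """Pair the negotiated version with a verdict for a configuration review."""
    version = negotiated_version(record)
    return version, "deprecated" if version in DEPRECATED else "ok"

def build_server_hello(legacy_version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (sample input, not a real capture)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # empty session id
    body += b"\x13\x01\x00"               # placeholder cipher suite, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake

TLS13_EXT = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, 0x0304)
SAMPLES = {"modern": build_server_hello(0x0303, TLS13_EXT),
           "tls12": build_server_hello(0x0303),
           "legacy": build_server_hello(0x0301)}
for name, record in SAMPLES.items():
    print(name, *audit(record))
```

A TLS 1.3 server still writes the TLS 1.2 value in the main version field and announces 1.3 only in the supported_versions extension, which is why the parser has to read the extensions before reporting a result.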
Bruce Jacobs