SSL, TLS, ECC, SHA... Cybersecurity looks a bit like a soup filled with small alphabet pasta. This soup of acronyms can quickly become indigestible, though, and make you lose sight of your real needs. I think the most commonly asked question is about the difference between SSL (Secure Sockets Layer) and TLS (Transport Layer Security). You want to secure your website (or another communication channel), but do you need SSL? TLS? Both? Let's look at this in detail.
SSL and TLS: historical reminder
SSL and TLS are two cryptographic protocols that provide authentication and encryption of data travelling between servers, machines, and networked applications (for example, when a client connects to a web server). SSL is the predecessor of TLS. Over time, new versions of these protocols have been released to address vulnerabilities and to support ever stronger cipher suites and encryption algorithms.
Initially developed by Netscape, SSL was released in 1995 as SSL 2.0 (SSL 1.0 was never released). After several vulnerabilities were discovered in 1996, version 2.0 was quickly replaced by SSL 3.0. Note: versions 2.0 and 3.0 are sometimes written SSLv2 and SSLv3.
Based on SSL 3.0, TLS was introduced in 1999 as the new version of SSL:
"The differences between this protocol and SSL 3.0 are not huge, but important enough to prevent interoperability between TLS 1.0 and SSL 3.0."
At the time of writing, the version of TLS in use is 1.2; TLS 1.3 is not yet finalized.
Which protocol to use: SSL or TLS?
Both SSL 2.0 and 3.0 have been deprecated by the IETF (in 2011 and 2015, respectively). Vulnerabilities (such as POODLE and DROWN) have been, and continue to be, discovered in the deprecated SSL protocols. Most current browsers degrade the user experience (no locked padlock or HTTPS prefix in the URL bar, security warnings displayed) when they encounter a web server that still uses these older protocols. We recommend that you disable SSL 2.0 and 3.0 in your server configuration and keep only the TLS protocols.
Certificates are different from protocols.
Before you consider replacing your existing SSL certificates with TLS certificates, remember that certificates do not depend on protocols. In other words, you do not need a "TLS certificate" to replace an "SSL certificate". Many vendors speak of an "SSL/TLS certificate", but it would be more accurate to say "certificate for use with SSL and TLS", since the protocols are determined by your server configuration, not by the certificate itself.
The term "SSL certificate", still the most widespread today, is likely to persist even as the term TLS starts to catch on. "SSL/TLS" is a common compromise until the use of TLS becomes general.
Disabling SSL 2.0 and 3.0
Not sure whether SSL protocols are still enabled on your servers? Our SSL server test tool lets you find out quickly.
The server test results indicate which protocols are enabled, including any that should no longer be.
To learn how to disable SSL 2.0 and 3.0 on the main types of servers, including Apache, NGINX and Tomcat, read the article on the subject on our Support site.
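As an added example (it is not part of the original article or of the support documentation it points to), the following Python script reads the protocol directives from Apache (`SSLProtocol`) and NGINX (`ssl_protocols`) configuration text and reports whether SSLv2 or SSLv3 is still enabled. It assumes Apache's left-to-right `+`/`-` token semantics and expands `all` conservatively to include SSLv2 and SSLv3 (as on old mod_ssl builds; current builds no longer ship SSLv2 support). The configuration snippets are constructed samples showing the weak setting beside the corrected one; Tomcat's `server.xml` is not covered.

```python
import re

# Protocol names as written in Apache's SSLProtocol and NGINX's ssl_protocols.
LEGACY = {"SSLv2", "SSLv3"}
# Assumption: "all" is expanded conservatively to include SSLv2 and SSLv3,
# as on old mod_ssl builds; current builds no longer ship SSLv2 support.
ALL_APACHE = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Directive lines; a leading '#' (commented-out directive) does not match.
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)
NGINX_RE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.IGNORECASE)


def apache_enabled_protocols(value):
    """Expand an Apache SSLProtocol value into the set of enabled protocols.

    Tokens are processed left to right: a '-' prefix removes a protocol,
    a '+' prefix or no prefix adds it, and 'all' stands for every protocol.
    """
    enabled = set()
    for token in value.split():
        remove = token.startswith("-")
        name = token.lstrip("+-")
        names = ALL_APACHE if name.lower() == "all" else [name]
        if remove:
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def nginx_enabled_protocols(value):
    """NGINX's ssl_protocols is an explicit list: only what is listed is enabled."""
    return set(value.split())


def lint_config(text):
    """Scan configuration text and return one finding per protocol directive.

    Each finding is (line_no, server, enabled, legacy_enabled); a non-empty
    legacy_enabled set means SSLv2 and/or SSLv3 is still switched on.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = APACHE_RE.match(line)
        if m:
            enabled = apache_enabled_protocols(m.group(1))
            findings.append((line_no, "apache", enabled, enabled & LEGACY))
            continue
        m = NGINX_RE.match(line)
        if m:
            enabled = nginx_enabled_protocols(m.group(1))
            findings.append((line_no, "nginx", enabled, enabled & LEGACY))
    return findings


def report(text):
    """Human-readable verdict per directive found in the configuration text."""
    lines = []
    for line_no, server, enabled, legacy in lint_config(text):
        verdict = ("FAIL: legacy " + ", ".join(sorted(legacy)) + " enabled"
                   if legacy else "OK: TLS only")
        lines.append(f"line {line_no} ({server}): {verdict}; enabled = {sorted(enabled)}")
    return lines


# Constructed sample snippets: the weak setting beside the corrected one.
WEAK_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2\n"        # SSLv3 still on
HARDENED_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"     # SSLv3 listed
HARDENED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;\n"

if __name__ == "__main__":
    samples = [("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE),
               ("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX)]
    for label, cfg in samples:
        print(label)
        for line in report(cfg):
            print("  " + line)
```

Run it against a real `httpd.conf` or `nginx.conf` by passing the file's contents to `report()`; any `FAIL` line points at a directive that still admits a deprecated SSL version. The linter only inspects the directives it finds, so a missing `ssl_protocols` line falls back to whatever the server build defaults to and should be checked separately.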
So what is the difference between SSL and TLS? In everyday usage the difference is minimal, and the term SSL remains widely used. In your server configuration, however, the difference shows up as vulnerabilities, obsolete cipher suites, and browser security warnings. On your servers, only the TLS protocols must be enabled.