The Difference Between SSL and TLS

SSL and TLS are used interchangeably in conversation because they are so closely related. Knowing the subtle difference is key.
Michael Buckbee
Last updated October 22, 2021

Image credit: zviray

The chronic epidemic of face blindness that affects the population of Metropolis and prevents them from realizing that Clark Kent and the freaking flying alien who looks just like him are actually the same person extends to the tech sector where we continually argue over how pedantic to be about the difference between “SSL” and “TLS”.

To be fair, the situation is less of a “SSL is from Earth” and “TLS is from Krypton” than a very positive story of how encryption standards have continually been improved and how the outdated and insecure methods of client and server communication have been deprecated to boost the overall security of the Internet.

What is SSL?

Netscape developed version 1.0 of the Secure Sockets Layer (SSL) protocol more than 20 years ago so that people could use their browser to securely cruise around Geocities and share Star Trek ASCII art securely.

Like all first efforts at shipping practical crypto, SSL versions 1.0 to 3.0 were found to have some security issues which necessitated iterative releases of more and more fundamentally secure designs.

What is TLS?

In 1999, Version 1.0 of the Transport Layer Security (TLS) protocol was released. The name change was intended to clarify that this was an open standard that any company or project could incorporate and not a proprietary product of Netscape (which at the time was still selling “Netscape Enterprise Server” web server software which used “SSL” for transport encryption). Further, TLS was designed to be application protocol independent, whereas SSL was initially designed fairly narrowly for just HTTP connections.

Which One Should I Say?

Linguistically, the term “SSL” has won in the war of “What should we call the thing that makes the lock show up and be green?” As proof, see the Google Trends comparison of “SSL vs TLS”.

Because of this, anytime you’re talking about the overall concept – or when trying to explain this to a non-technical audience – “SSL” becomes the commonly accepted blanket term, as it’s most likely what they’ve heard of and the benefits of clear conceptual communication are usually paramount.

When you’re talking about the protocol and which versions of SSL/TLS should be enabled, “TLS” is by necessity preferred, as the exact version matters due to changes in how ciphers, etc. are handled.

On a practical level, however, there are significant security and administrative benefits of knowing:

  • That different versions of SSL/TLS exist.
  • That older systems can’t connect to newer ones if there is a protocol mismatch. If you’ve ever wondered why Internet Explorer on a new Windows 95 install can’t connect to HTTPS sites, there’s your answer.
  • That you should have an organizational policy of only enabling later versions of TLS. (TLS 1.0 is not acceptable for PCI Compliance)
  • That many devices and applications still support older, insecure versions of TLS/SSL that you need to specifically disable.
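One way to check the last two points against a web server configuration, as an added example that is not part of the original article: a small auditor for nginx-style `ssl_protocols` lines. The allow-list (TLS 1.2 and 1.3 only), the function name and the sample configuration with its hostnames are assumptions constructed for illustration.

```python
import re

# Example policy (an assumption of this sketch): only TLS 1.2 and TLS 1.3.
ALLOWED = {"TLSv1.2", "TLSv1.3"}

# Matches an active "ssl_protocols ...;" directive; commented-out lines
# start with '#' and therefore never match.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")

# Constructed sample input: one legacy server block, one compliant block.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # old copy-pasted setting
}
server {
    listen 443 ssl;
    server_name app.example.test;
    # ssl_protocols TLSv1;  (commented out, ignored)
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def audit_ssl_protocols(config_text):
    """Return [(line_no, [protocols outside ALLOWED]), ...].

    A config with no ssl_protocols directive at all yields one finding with
    line_no 0, because the enabled versions then depend on the server's
    built-in default rather than on an explicit policy.
    """
    findings = []
    seen_directive = False
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        seen_directive = True
        disallowed = [p for p in match.group(1).split() if p not in ALLOWED]
        if disallowed:
            findings.append((line_no, disallowed))
    if not seen_directive:
        findings.append((0, ["no explicit ssl_protocols directive"]))
    return findings

if __name__ == "__main__":
    for line_no, protocols in audit_ssl_protocols(SAMPLE_CONFIG):
        print(f"line {line_no}: disable {', '.join(protocols)}")
```

Any token outside the allow-list is reported, so a misspelled protocol name is flagged as well.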

Ultimately, the question of ‘what’s the difference between SSL vs TLS?’ is a great one – if only to discuss these practical points and drive home why the finer points of security protocols matter.
