In the previous post we talked about the handshake process between the browser and the server. There we mentioned various terms like HTTPS, SSL and TLS.
It's easy to confuse these terms and use them interchangeably. Let's look into each one and see how they differ.
HTTPS is the secured version of HTTP: HyperText Transfer Protocol. It is the protocol used by your browser and web servers to communicate and exchange information. When that exchange of data is encrypted with SSL/TLS, then we call it HTTPS. The 'S' stands for Secure.
SSL stands for 'Secure Sockets Layer', a protocol created by Netscape. It is a dinosaur by Internet standards.
Netscape developed it in 1994. It was envisioned as a system that would ensure secure communication between client and server systems on the web. Gradually, the IETF (the Internet Engineering Task Force) picked up the protocol and standardized it. Two versions of SSL followed that ironed out the vulnerabilities found in version 1. The current SSL version is SSL 3.0.
Looking at the history below, we can see that the IETF made a serious attempt to give online data robust security.
SSL 1.0 - Due to a security flaw, SSL 1.0 was never released.
SSL 2.0 - The first public release, by Netscape in February 1995, but it had design flaws that compelled Netscape to release SSL v3. SSL v2.0 was deprecated in 2011.
SSL 3.0 - SSL v3 was an upgrade of SSL v2.0 that fixed a few of its security design flaws. However, SSL v3.0 was deemed insecure in 2004 due to the POODLE attack.
TLS means Transport Layer Security, a cryptographic protocol that is the successor of SSL 3.0 and was released in 1999.
TLS 1.0 - TLS 1.0, an upgrade of SSL v3.0, was released in January 1999, but it allows a connection to be downgraded to SSL v3.0.
TLS 1.1 - TLS v1.1 was released in April 2006 as an update of TLS 1.0. It added protection against CBC (Cipher Block Chaining) attacks. In March 2020, Google, Apple, Mozilla and Microsoft announced the deprecation of TLS versions 1.0 and 1.1.
TLS 1.2 - TLS v1.2 was released in 2008 and allows the client and server to specify the hash algorithm they use. It supports authenticated encryption, adding support for additional data modes. TLS 1.2 can also verify the length of data based on the cipher suite.
TLS 1.3 - TLS v1.3 was released in August 2018 with major features that differentiate it from its predecessor TLS v1.2: removal of MD5 and SHA-224 support, required digital signatures when an earlier configuration is used, compulsory use of perfect forward secrecy for public-key based key exchange, and encryption of handshake messages after the “Server Hello”.
In a nutshell, SSL is obsolete and TLS is its successor, the modern encryption standard used by everybody. Technically, TLS is the more accurate name, but everyone knows SSL.
Thanks for reading this. Until next time.