All you need to know: TLS vs. SSL

The definition of SSL and TLS

SSL (Secure Socket Layer) and TLS (Transport Layer Security) are both cryptographic protocols that encrypt and authenticate data traveling from the client (i.e. your device that is requesting a website) to a server, machine or application

SSL is TLS’ predecessor. SSL was first released to the public in 1995. However, it had many vulnerabilities, so it was replaced by SSL v3.0 a year later. The latter wasn’t perfect either, so TLS was introduced in 1999. Most devices and browsers have now moved to TLS v1.2. However, many people are so used to the term SSL that they will refer to TLS as SSL. Most are now using the term SSL/TLS to ease the transition.

Why do websites need SSL/TLS?

SSL/TLS goes hand in hand with HTTP and is what adds the S for ‘security’ in HTTPS. HTTP (Hypertext Transfer Protocol) is an application protocol that transfers data from a web browser to a web server, or in simpler terms, delivers your search results to your browser.

However, HTTP connections aren’t safe on their own. It’s like sending your data out in the open – anyone can see it. HTTP is vulnerable to man-in-the middle attacks, which means that anyone snooping on the traffic could steal your login or credit card details.

That’s why HTTPS was introduced. It’s a combination of HTTP, which handles the mechanics of data transmission, and SSL/TLS, which handles data encryption. With SSL/TLS encryption, your data is much safer – anyone snooping on your traffic can now only see scrambled data. These days, most websites use HTTPS. NordVPN uses it too! Have a look at your URL bar.

How SSL works

SSL/TLS encryption can be divided in two stages: the SSL/TLS handshake and the SSL/TLS record layer. Let’s delve into them in more detail.

What is an SSL handshake?

An SSL/TLS handshake is a form of communication between a client and server where the two decide what protocol version will be used for their further communication. How does performing a TLS handshake work in practice?

1. The client sends a ‘hello’ request to a web server it wants to communicate with. It includes the types of ciphers (encryption algorithms) the client can support.
2. The server sends a ‘hello’ back with its SSL certificate and its public key. The client and the server here use asymmetric cryptography to exchange secure messages. This means that the client needs the server’s public key to encrypt the messages, and the server needs two keys – private and public – in order to decrypt it. No one snooping on the traffic can decipher their messages.
3. The client then uses the server's public key to create a pre-master secret and sends it to the server. This will be used to create session keys and elevate the communication to symmetric encryption. Both ends will now be using private keys only. Symmetric cryptography will make their communication much faster and will use less resources.
4. The server decrypts the pre-master, uses it to create symmetric key and exchanges it with the client. With symmetric encryption established, they can now exchange encrypted communication. The website traffic is secured.

SSL/TLS record layer

This is where the encryption takes place. The data is sent from the user's application and encrypted. Depending on the cipher, it may also be compressed. Then, it’s sent further to the network transport layer, which determines how to send the data to its target device.

What is an SSL certificate and why is it needed?

Web servers that support TLS will have “SLS certificates,” though it might be more accurate to call them SSL/TLS certificates. They are acquired from web hosting platforms and are needed during the SSL/TLS handshake process to authenticate that they are indeed secure connection providers.

However, protocols are not the same as certificates. What protocol will be used during your connection, SSL or TLS, is determined by your browser and the target server’s configurations, not the website’s certificate. It’s possible to connect to a website that has HTTPS but uses an outdated SSL v3.0 protocol.

Such connections are vulnerable to attacks. Most new browsers will indicate this in your URL. Just look for the crossed green padlock and HTTPS symbols. If you are worried about accidentally connecting to a website that only supports SSL v3.0, you can manually disable SSL connections. However, this might lead to connection disruptions.

Want to read more like this?

Get the latest news and tips from NordVPN.

Subscribe

Subscribe

You've successfully subscribed to our newsletter!

Email is invalid

Subscribe

We won't spam and you will always be able to unsubscribe.