What’s the difference between SSL and TLS?

Both SSL and TLS are terms that refer to protocols designed to secure communications over the Internet. They stand for Secure Socket Layer and Transport Layer Security, respectively.


Historical Background

SSL was designed by Netscape Communications and implemented in its browsers. Several vulnerabilities were found in SSL, and the protocol was revised version by version to address them. After the POODLE attack exposed a weakness in its last version, SSL 3.0, the Internet Engineering Task Force (IETF) formally deprecated SSL 3.0 in 2015. SSL should not be used after that point.

In 1996, before SSL was retired, the IETF began work on a specification for TLS. TLS has since been revised repeatedly to add countermeasures against newly discovered attacks; the now widely used TLS 1.2 was published in 2008. The current standard is TLS 1.3, published in August 2018.

SSL and TLS have different names, but their purpose and role are the same, and the two terms are often used interchangeably. wolfSSL itself still uses “SSL” in its company and product names.


Differences in Specifications

Both SSL and TLS provide a means to encrypt data exchanged over a communication path (usually TCP/IP). The three major processes are:

  • Authenticate the communicating peer
  • Agree on the cipher and the key used to protect communication data
  • Encrypt and decrypt communication data

The difference between the first version of TLS, TLS 1.0, and the last version of SSL, SSL 3.0, is said to be minimal with respect to these functions. Rather than dwelling on that boundary, it is more useful to understand how the current TLS 1.3 specification has changed.


What is the difference between TLS 1.3 and before?

The following specification changes have been made:

* Pruned the cipher algorithms and changed the cipher suite notation

* Reduced the number of packet round trips, and thus handshake latency, by reorganizing the handshake messages

* Encryption begins earlier in the handshake

Earlier versions defined hundreds of cipher suites. TLS 1.3 reduces them to five by removing algorithms that are no longer used, keeping only the essential ones, and simplifying the cipher suite notation. Ephemeral Diffie-Hellman is the only remaining key exchange method. The handshake is reduced to a single round trip, and encryption begins partway through the handshake rather than after it. The TLS 1.3 specification is therefore designed to improve both security and communication speed.
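
As an added example (not code from wolfSSL or from this post), the following Python script uses the standard `ssl` module to make the three changes above concrete: it splits TLS 1.2 and TLS 1.3 cipher suite names to show what dropped out of the notation, models a full handshake of each version to count round trips and list which messages an observer on the path can read, and builds a client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1. The handshake model is a simplification (no session resumption, no client authentication), the function names are my own, and it goes slightly beyond the paragraph by showing that the server's certificate is among the messages TLS 1.3 encrypts.

```python
"""Added example (not wolfSSL code): the TLS 1.3 changes described above,
made concrete with Python's standard ssl module and a small handshake model."""
import ssl
from typing import Dict, List, Tuple

# --- 1. Cipher suite notation ------------------------------------------------
# TLS 1.2 names (OpenSSL form) spell out key exchange, authentication, bulk
# cipher and PRF hash. TLS 1.3 names carry only the AEAD cipher and the HKDF
# hash: key exchange is always ephemeral (EC)DH via the key_share extension and
# authentication is negotiated separately, so neither belongs in the name.
FORWARD_SECRET_KX = {"ECDHE", "DHE"}
KX_PREFIXES = FORWARD_SECRET_KX | {"ECDH", "DH"}


def describe_suite(name: str) -> Dict[str, str]:
    """Split an OpenSSL-style cipher suite name into its components."""
    if name.startswith("TLS_"):                       # TLS 1.3: TLS_<cipher>_<hash>
        cipher, _, digest = name[len("TLS_"):].rpartition("_")
        return {"version": "1.3", "key_exchange": "ephemeral (EC)DH",
                "auth": "negotiated separately", "cipher": cipher.replace("_", "-"),
                "hash": digest, "forward_secrecy": "yes"}
    parts = name.split("-")
    if parts[0] in KX_PREFIXES:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        # No key-exchange prefix means RSA key transport: the server's long-term
        # key encrypts the premaster secret, so there is no forward secrecy.
        kx, auth, rest = "RSA", "RSA", parts
    if rest[-1].startswith("SHA"):
        digest, cipher_parts = rest[-1], rest[:-1]
    else:                                             # e.g. ...-CHACHA20-POLY1305
        digest, cipher_parts = "SHA256", rest         # PRF hash implied, not named
    return {"version": "1.2", "key_exchange": kx, "auth": auth,
            "cipher": "-".join(cipher_parts), "hash": digest,
            "forward_secrecy": "yes" if kx in FORWARD_SECRET_KX else "no"}


# --- 2. Handshake shape (simplified model, constructed for this example) -------
# Full, non-resumed handshakes without client auth as (sender, message, encrypted).
# In TLS 1.2 nothing is encrypted until each side's Finished; in TLS 1.3 the
# handshake traffic keys are derived right after ServerHello, so everything the
# server sends after it, the Certificate included, is already encrypted.
Msg = Tuple[str, str, bool]
HANDSHAKE: Dict[str, List[Msg]] = {
    "1.2": [("client", "ClientHello", False),
            ("server", "ServerHello", False), ("server", "Certificate", False),
            ("server", "ServerKeyExchange", False), ("server", "ServerHelloDone", False),
            ("client", "ClientKeyExchange", False), ("client", "ChangeCipherSpec", False),
            ("client", "Finished", True),
            ("server", "ChangeCipherSpec", False), ("server", "Finished", True)],
    "1.3": [("client", "ClientHello", False),        # carries key_share
            ("server", "ServerHello", False),        # carries key_share
            ("server", "EncryptedExtensions", True), ("server", "Certificate", True),
            ("server", "CertificateVerify", True), ("server", "Finished", True),
            ("client", "Finished", True)],
}


def round_trips(version: str) -> int:
    """Round trips before the client may send application data: one per server flight."""
    flights, prev = 0, None
    for sender, _, _ in HANDSHAKE[version]:
        if sender == "server" and prev != "server":
            flights += 1
        prev = sender
    return flights


def plaintext_messages(version: str) -> List[str]:
    """Handshake messages a passive observer on the path can read."""
    return [m for _, m, enc in HANDSHAKE[version] if not enc]


# --- 3. Refusing the legacy versions ------------------------------------------
def hardened_client_context() -> ssl.SSLContext:
    """Client context that will only negotiate TLS 1.2 or TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0, TLS 1.0 and 1.1 refused
    return ctx


def allows_legacy_versions(ctx: ssl.SSLContext) -> bool:
    """True if the context would still accept anything older than TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def offered_tls13_suites(ctx: ssl.SSLContext) -> List[str]:
    """TLS 1.3 suites the linked OpenSSL build offers, in the new notation."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "TLS_AES_128_GCM_SHA256"):
        print(suite, describe_suite(suite))
    for v in ("1.2", "1.3"):
        print(f"TLS {v}: {round_trips(v)} RTT, in the clear: {plaintext_messages(v)}")
    print("TLS 1.3 suites offered:", offered_tls13_suites(hardened_client_context()))
```

Running the script prints the parsed suites, the round-trip count and the cleartext messages for each version, and the TLS 1.3 suites available; that last list depends on the OpenSSL build Python is linked against and is empty on builds without TLS 1.3 support. Note that `AES128-SHA` is reported without forward secrecy: the absence of a key-exchange prefix in the TLS 1.2 notation means RSA key transport, one of the options TLS 1.3 removed.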


Conclusion

Both SSL and TLS are still used interchangeably to refer to the handshake performed between clients and servers. As a specification, however, SSL belongs to the past and is not used in actual products. As of 2020, even servers that still use TLS 1.1 receive security warnings from mainstream browsers. The difference between SSL and TLS will only come up when looking back at history.

What matters to a TLS user is to be aware of the differences between TLS 1.3 and the current mainstream TLS 1.2.


Contact wolfSSL at facts@wolfssl.com to learn more about how wolfSSL can help secure your product or project today!


Related page:

TLS 1.3 Protocol Support | Documentation