Meet the Trio
SSL, TLS, and HTTPS are a trio of technologies that work together to help keep your important data secure on the Internet.
If you've ever wondered how these protocols compare, you've come to the right place. Here are the basics and how they operate.
What is SSL?
SSL, short for Secure Sockets Layer, is an encryption-based Internet security protocol. It was developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL uses digital signatures to safeguard sensitive data sent between systems, preventing unauthorized access and ensuring data hasn’t been tampered with.
It does this by initiating an authentication process called a “handshake.” An SSL/TLS handshake is a negotiation between the two communicating devices – such as a browser and a web server – that establishes the details of the connection. During an SSL/TLS handshake, the client and server together do the following to establish that a secure connection is in place before any data is transferred:
- Determine what version of SSL/TLS will be used in the session
- Specify which cipher suite (encryption algorithm) will encrypt the data
- Verify the server’s identity to the client via the server’s public key and the SSL certificate authority’s digital signature
- Generate session keys in order to use symmetric encryption after the handshake is complete
SSL also ensures that any data transferred between users, sites, or two systems remains impossible to read throughout the process. By using encryption algorithms to scramble data in transit, SSL prevents hackers from reading it while it’s sent over the connection.
The most recent version of SSL (3.0) has not been updated since 1996 and many modern web browsers no longer support it.
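The version and cipher suite steps of the handshake start with the client's first message, the ClientHello, which lists what the client is willing to use. The Python code below is an added example, not part of the original article: it parses a ClientHello and flags clients that still offer SSL 3.0 or other retired versions. The sample messages are constructed by build_client_hello, and all function names are illustrative.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
DEPRECATED = {0x0300, 0x0301, 0x0302}  # RFC 7568 (SSL 3.0), RFC 8996 (TLS 1.0/1.1)
SUPPORTED_VERSIONS = 0x002B            # extension carrying the real version list

def u16_list(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]  # big-endian 16-bit values

def build_client_hello(legacy_version, suites, supported_versions=()):
    """Build a constructed ClientHello record (sample input, not captured traffic)."""
    ext = b""
    if supported_versions:
        vers = struct.pack(f"!{len(supported_versions)}H", *supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
    cs = struct.pack(f"!{len(suites)}H", *suites)
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random, no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"          # suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs        # record type 22 = handshake

def parse_client_hello(record):
    """Return the protocol versions and cipher suites a client offers."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    try:
        pos = 9
        versions = u16_list(record[pos:pos + 2]); pos += 2 + 32   # legacy version, skip random
        pos += 1 + record[pos]                                    # skip session id
        (n,) = struct.unpack_from("!H", record, pos); pos += 2
        suites = u16_list(record[pos:pos + n]); pos += n
        pos += 1 + record[pos]                                    # skip compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0] if pos < len(record) else pos
        pos += 2
        while pos + 4 <= end:                                     # walk the extensions
            etype, elen = struct.unpack_from("!HH", record, pos); pos += 4
            if etype == SUPPORTED_VERSIONS:                       # overrides the legacy field
                versions = u16_list(record[pos + 1:pos + 1 + record[pos]])
            pos += elen
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed ClientHello") from None
    return {"versions": [VERSIONS.get(v, hex(v)) for v in versions],
            "suites": [SUITES.get(s, hex(s)) for s in suites],
            "offers_deprecated": any(v in DEPRECATED for v in versions)}
```

When the supported_versions extension is absent, the version field holds the highest version the client supports, so a deprecated value there means the client cannot negotiate anything newer.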
What is an SSL Certificate?
An SSL certificate is essentially an ID card or badge that verifies someone is who they claim to be. SSL can only be implemented by websites with an SSL certificate; the certificates are stored and displayed on the web by a website’s or application’s server.
An SSL certificate is also known as the website’s public key, which is what makes encryption possible. With SSL, a user’s device will view the public key and use it to establish secure encryption keys with the web server. Meanwhile, the web server holds a secret private key, which it uses to decrypt data that was encrypted with the public key.
What is TLS?
TLS, short for Transport Layer Security, is an updated and more secure version of SSL. It came about in 1999 after the Internet Engineering Task Force (IETF) proposed a refresh to the protocol. TLS was designed to facilitate privacy and data security for communications over the Internet and it’s now widely adopted.
The primary use of TLS is encrypting the data between web applications and servers; however, it can also be used to encrypt other communications like email, messaging, and voice over IP (VoIP).
Like SSL, the TLS protocol initiates the handshake process to establish a secure connection and authenticate users. All TLS handshakes make use of asymmetric encryption (the public and private key). TLS maintains the integrity of data by utilizing encryption to ensure data hasn’t been forged or tampered with. Once data is encrypted and authenticated, it is then signed with a message authentication code (MAC). The recipient can then verify the MAC to ensure the integrity of the data.
Are SSL and TLS the Same Thing?
The two terms are often used interchangeably and can easily cause confusion. Since SSL is the predecessor and they are closely related, many people still use the term SSL to refer to TLS. It’s also still common for many to use the terms SSL encryption or SSL/TLS encryption, due to SSL’s high level of recognizability.
However, it’s safe to assume that any vendor offering "SSL" these days is almost certainly providing TLS protection, as it has been the industry standard for over 20 years.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP where communications are encrypted by SSL/TLS. HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, making them safer and more secure.
HTTPS defines the format of messages through which web browsers and web servers communicate and it defines how a web browser should respond to a web request. It also prevents websites from having their information broadcast in a way that’s easily viewable by anyone with negative intentions.
Any website, especially those that require login credentials, should be using HTTPS. You can tell if a website has implemented SSL/TLS by looking at the URL, as the SSL/TLS certificate enables websites to move the URL from HTTP to HTTPS. In modern web browsers such as Google Chrome, websites that do not use HTTPS are marked differently. Look for a padlock in the URL bar to signify the webpage is secure.