TLS vs SSL vs HTTPS: What’s the Difference?

Three data transfer protocols — Are they all the same, or are there differences?

TLS, SSL, HTTPS. TLS vs SSL. SSL vs HTTPS.

Acronym soup.

The world of website security acronyms can be almost as annoying as that Deangelo Vickers character from the TV show “The Office” if you’re just getting to know about it. Although Deangelo Vickers will always win this battle, in my opinion, at least we can turn him off and watch something else.

But when it comes to the acronyms and lingo of the cyber security industry, there’s no option but to learn suck it up and learn them. So, let’s get started by talking about each and what the difference is between SSL and HTTPS, and where TLS fits in.

SSL (Secure Sockets Layer): The Oldest of All

You might be aware that the internet, in its early days, was primarily used for military and research purposes. But, gradually, it expanded to common uses, and commercialization of the internet began. As a result, more and more users started sharing their sensitive information with businesses — personal data, financial information, etc. — and that created a need for protecting it.

Enter SSL.

SSL, which stands for secure sockets layer, is a cryptographic security protocol that protects your information as it transmits across the internet. A protocol basically means a set of rules that computers use to communicate with each other. It’s kind of like their value system.

SSL was designed to thwart any unauthorized third party from intercepting and tampering with sensitive data while it’s in transit. SSL was developed and released by Netscape, and it was the first of such cryptographic protocols. Its first version, SSL 1.0, never got released. SSL 2.0, the second version, was released in 1995.

The second version contained some security deficiencies, and as a result, SSL 3.0 was created. Later, this, too, was found to have security flaws. This led to the creation of another acronym that you need to know about: TLS, or what’s known as transport layer security. Before moving on to what TLS entails, it’s worth noting that SSL 2.0 & SSL 3.0 both have been deprecated and are no longer supported by web browsers due to the flaws in their security.

TLS (Transport Layer Security): More Secure Version of SSL

Due to the recognized security flaws in SSL, security experts realized that a better and more secure protocol needed to be developed. TLS 1.0 was a successor to SSL 3.0 and was first defined in 1999. Since then, three more versions of TLS have been released, with TLS 1.3 (which was released in 2018) being the most current.

TLS 1.0 and 1.1 are to be deprecated by Apple Safari, Google Chrome, Microsoft Edge and Internet Explorer, and Mozilla Firefox in early 2020.

How SSL/TLS is used in Certificates

As we saw earlier, SSL/TLS are protocols through which communication takes place between two endpoints. Basically, they’re a set of rules that govern the data transmission between server and client.

SSL/TLS certificates are X.509 digital files that are installed on a web server. It’s called a “certificate” because it’s issued by an independent third party that conducts verification of your website and organization.

SSL/TLS certificates work as part of a framework known as public key infrastructure (PKI). This involves the use of two keys — public and private keys. A public key, as the name suggests, is known to everyone. A private key, on the other hand, is kept by the server receiving the message.

Both the keys come are distinct, yet they’re mathematically related to each other. Information encrypted by a public key can only be decrypted by private key related to it. The entire communication happens under the rules decided by the protocol — SSL or TLS.

Now you might be wondering why, if SSL is no longer being used, it’s still referred to an SSL certificate and not a TLS certificate. Honestly, it’s just because industry language tends to be slow to change. (Or the people in it are slow to change.) Either way, SSL is more commonly used than TLS, so people tend to stick with using that terminology.

So, What is HTTPS?

Have you heard of HTTP (Hypertext Transfer Protocol)? Well, if you haven’t, it’s the protocol that defines how messages are formatted and transmitted. HTTPS is a secure version of HTTP because it uses SSL/TLS as a sublayer. When a website uses HTTPS in its web address, it indicates that any communication taking place between a browser and server is secure. In other words, if your website is using HTTPS, all the information will be encrypted by SSL/TLS certificates.

With all of this in mind, let’s compare TLS vs SSL vs HTTPS.

A Side-by-Side Comparison of TLS vs SSL vs HTTPS