Website Security-What Should You Have?
SSL or TLS Certificates
For newbies, getting up to speed with web security and SSLs can be challenging. Maybe you know that SSL certificates secure your site, but you're not exactly sure how or why. And now, TLS certificates enter into the mix, and you’re completely lost. Are they the same, or are they completely separate? If you have ever wondered what TLS has to do with SSL, this blog post will shed some light on the subject.
So What’s The Difference Between SSL and TLS Certificates?
Secure Sockets Layer (SSL) is a cryptographic protocol that is utilized to create safe, encrypted transmissions on the internet linking a client and a server using HTTPS. Put another way, this is the joining of a web browser with a website. The encryption process assures that all transmissions across this connection are made undecipherable to third parties.
Transfer Layer Security (TLS) is also a cryptographic protocol and does the same thing as an SSL certificate, only better. Essentially it's an upgraded version of SSL that's faster and more secure. Although the result is the same, SSL and TLS create the encrypted connection differently in the background, from verification feedback sent to the way they determine archive protocols. The essential steps for establishing an encrypted connection are referred to as the SSL or TLS handshake.
This next part usually is what throws people off. Today, in all likelihood, if you are using an SSL certificate in 2020, it works by using the TLS protocol. The term SSL certificate is a misnomer. TLS certificate is the more accurate name. To understand why we need to go back a couple of decades and look at how these digital certificates came to exist.
A Brief History of SSL
In the mid-90s, SSL was developed. Increases in the volume of individuals, organizations, and companies using the World Wide Web created the need for improved security. Subsequently, banking and shopping online took off emphasizing that people's personal data also required online protection.
In 1994, Netscape released SSL 1.0. In the arena of online encryption, it was a game-changer, despite having several significant security breaches. So it was never released to the public. SSL 2.0 was released in 1995 and 3.0 in 1996. Although each made improvements, they still had many security flaws.
Here is where TLS enters the picture. Because of the pressing need for a more secure encryption protocol, researchers started working on something new.
Shifting to TLS
The TLS protocol was created in 1999 and eventually would replace SSL entirely. In 2006, TLS version 1.0 was upgraded to TLS 1.1. In 2008 TLS 1.2 was released, followed by the latest version, TLS 1.3, in 2018. Every version of TLS has come with significant security upgrades. So many, in fact, that the most recent version of TLS runs totally different from the initial version of SSL that was developed more than twenty years earlier.
Today, the most widely used cryptographic protocols are TLS 1.2 and 1.3. For internet browsing, SSL is fundamentally discontinued. In 2015 the Internet Engineering Task Force (IETF) discouraged using the last version, SSL (3.0).
So Why Do We Still Call Them SSL Certificates?
Mainly due to branding and marketing purposes. The name SSL Certificate entirely has become synonymous with encryption and internet security. Although SSL isn’t used anymore, it remains the industry-wide label for this kind of online certificate.
The time for switching the name to TLS certificates has long passed. A sudden change in referring to them as TLS certificates outright would probably result in much uncertainty for persons unfamiliar with internet protocols. They might think you’re talking about something completely different.
Actually the debate over whether to call them SSL or TLS certificates is somewhat misleading. The online certificates themselves, whether an SSL or TLS protocol, are not the controller by themselves. Instead, it is the configurations of the server and browser being used.
Is Your SSL Certificate Using the TLS Protocol?
If your website was created during the last few years and is working in modern web browsers, it’s improbable that your servers are configured to use SSL or older versions of the TLS protocol because they won't work. In 2014 Google Chrome ended support for SSL. Top browsers and technology companies have pledged to discontinue using TLS 1.0 and 1.1 by 2020 years end. Your server is most likely configured to support TLS 1.2 or 1.3, with 1.3 the preferred.
By using this service, you will be able to monitor the configuration of your server. Contact your web hosting provider or hire a systems administrator if your TLS server configurations need updating.
Written by: Gene Aasen
A Markethive Entrepreneur and a strong advocate of the Markethive mission for technology, world progress, and freedom of speech. I support change and endeavor to help others understand, grow, and move forward with enthusiasm to achieve their goals.