Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

The Difference Between SSL and TLS

SSL and TLS are used interchangably in conversations as they are incredibly closely related. Knowing the subtle difference is key. 
Michael Buckbee
2 min read
Published September 16, 2016
Last updated October 22, 2021

Image credit: zviray

The chronic epidemic of face blindness that affects the population of Metropolis and prevents them from realizing that Clark Kent and the freaking flying alien who looks just like him are actually the same person extends to the tech sector where we continually argue over how pedantic to be about the difference between “SSL” and “TLS”.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

To be fair, the situation is less of a “SSL is from Earth” and “TLS is from Krypton” than a very positive story of how encryption standards have continually been improved and how the outdated and insecure methods of client and server communication have been deprecated to boost the overall security of the Internet.

What is SSL?

Netscape developed version 1.0 of the Secure Sockets Layer (SSL) protocol more than 20 years ago so that people could use their browser to securely cruise around Geocities and share Star Trek ASCII art securely.

the_difference_between_ssl_and_tls_-_google_docs

Like all first efforts at shipping practical crypto, SSL versions 1.0 to 3.0 were found to have some security issues which necessitated iterative releases of more and more fundamentally secure designs.

What is TLS?

In 1999, Version 1.0 of the Transport Layer Security (TLS) protocol was released. The name change was intended to clarify that this was an open standard that any company or project could incorporate and not a proprietary product of Netscape (which at the time was still selling “Netscape Enterprise Server” web server software which used “SSL” for transport encryption). Further, TLS was designed to be application protocol independent, whereas SSL was initially designed fairly narrowly for just HTTP connections.

Which One Should I Say?

Linguistically, the term “SSL” has won in the war of “What should we call the thing that makes the lock show up and be green?” As proof, see the Google Trends comparison of “SSL vs TLS”.
ssl__tls_-_explore_-_google_trends

Because of this, anytime you’re talking about the overall concept – or when trying to explain this to a non-technical audience – “SSL” becomes the commonly accepted blanket term, as it’s most likely what they’ve heard of and the benefits of clear conceptual communication are usually paramount.

When you’re talking about the protocol and what which versions of SSL/TLS should be enabled, “TLS” is by necessity preferred as the exact version matters due to changes in how ciphers, etc. are handled.

On a practical level, however, there are significant security and administrative benefits of knowing:

  • That different versions of SSL/TLS exist.
  • That older systems can’t connect to newer ones if there is a protocol mismatch. If you’ve ever wondered why Internet Explorer on a new Windows 95 install can’t connect to HTTPS sites, there’s your answer.
  • That you should have an organizational policy of only enabling later versions of TLS. (TLS 1.0 is not acceptable for PCI Compliance)
  • That many devices and applications still support older, insecure versions of TLS/SSL that you need to specifically disable.

Ultimately, the question of ‘what’s the difference between SSL vs TLS?’ is a great one – if only to discuss these practical points and drive home why the finer points of security protocols matter.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

threat-update-65---what-is-cloud-security-posture-management-(cspm)?
Threat Update 65 - What is Cloud Security Posture Management (CSPM)?
Kilian and Ryan O'Boyle from the Varonis Cloud Architecture team cover what a Cloud Security Posture Management (CSPM) is designed to protect, key features and capabilities, as well where it fits into the overall cloud security stack.
threat-update-72---what-is-saas-security-posture-management-(sspm)?
Threat Update 72 - What is SaaS Security Posture Management (SSPM)?
Kilian and Ryan O'Boyle from the Varonis Cloud Architecture team cover what Secure Access Service Edge (SASE) is all about, and dive into other security considerations organizations should keep in mind when looking to "decentralize" their network architecture.
securityrwd---introduction-to-aws-identity-and-access-management-(iam)
SecurityRWD - Introduction to AWS Identity and Access Management (IAM)
Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team compare and contrast Amazon Web Services Identity and Access Management against a traditional on-prem setup with Active Directory. Listen in as the team discusses how AWS IAM goes beyond simple user and group management to creating an entire network and defining access to network resources and infrastructure.
threat-update-69---what-is-secure-access-service-edge-(sase)?
Threat Update 69 - What is Secure Access Service Edge (SASE)?
Kilian and Ryan O'Boyle from the Varonis Cloud Architecture team cover what Secure Access Service Edge (SASE) is all about, and dive into other security considerations organizations should keep in mind when looking to "decentralize" their network architecture.