Is it SSL, TLS or HTTPS?

It's hard to keep up to date with cyber security acronyms and terms. You know you need to secure your website and communications, but what do you ask for: SSL, TLS or HTTPS?

Before we get into the detail it's worth noting here that SSL and TLS simply refer to the handshake that takes place between a client and a server. The handshake does not do any encryption itself; it just agrees on a shared secret and the type of encryption that is going to be used with the digital certificate.

Let's go through the terms and background:

Secure Socket Layer (SSL)

SSL is a cryptographic protocol that was originally developed by Netscape; SSL 2.0 followed in 1995 and SSL 3.0 was released in 1996. SSL 3.0 was quite similar to TLS 1.0, but the differences were significant enough that the two did not interoperate. As such, operating systems and browsers supported both SSL 3.0 and TLS 1.0.

Unfortunately, old standards just don't go away until someone, or an incident, provokes their deprecation. The POODLE attack of 2014 and the DROWN attack of 2016 put an end to browser support for SSL 2.0 and 3.0.

Transport Layer Security (TLS)

TLS was introduced by the IETF in January 1999. I’m not sure why they changed the naming from Secure Sockets Layer to Transport Layer Security. Perhaps SSL was really a Netscape handle, and the IETF didn’t want to create any confusion. Nevertheless, the acronym changed from SSL to TLS. TLS 1.0 was initially very popular when it was rolled out alongside SSL 3.0. However, when it was discovered that TLS 1.0 and 1.1 could be vulnerable to a POODLE attack if the implementations of these protocols were not configured properly, their popularity quickly fell, and TLS 1.2 was the only protocol to be considered secure.

In 2016, PCI issued a paper, “Migrating from SSL and Early TLS”. In this paper, they required merchants to deprecate SSL and early TLS (i.e., TLS 1.0 and 1.1) and migrate to TLS 1.2 by June 30, 2018. Many other secure servers also migrated to TLS 1.2 in 2018. Entrust Datacard stopped supporting TLS 1.0 and 1.1 in 2018.

In addition, browser and operating system vendors plan to deprecate TLS 1.0 and 1.1 starting in 2020. Will this leave us with only TLS 1.2?

Fortunately, RFC 8446 for TLS 1.3 was published in August 2018. Researchers have learned from past mistakes to develop in TLS 1.3 a much more secure version than its predecessor, TLS 1.2. Many attributes used in vulnerabilities are just not supported in TLS 1.3. Downgrade protection has also been added to prevent an attacker from forcing the secure session to drop to a lower version of the protocol. We expect rapid deployment of TLS 1.3 in 2019.
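Added example, not from the original article: a small standard-library Python check that reports which of the protocol versions discussed above (SSL 3.0 through TLS 1.3) a server will still negotiate, next to the client context a deployment should use. The target host and port are assumed inputs.

```python
"""Report which SSL/TLS versions a server negotiates (added example)."""
import socket
import ssl

# Versions the article treats as deprecated versus still acceptable.
DEPRECATED = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
ACCEPTABLE = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
MIN_ACCEPTED = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """What a client should use: TLS 1.2 minimum, certificate and hostname verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_ACCEPTED
    return ctx


def single_version_context(version: ssl.TLSVersion):
    """Context pinned to exactly one protocol version, for probing only.
    Returns None when the local OpenSSL build refuses that version outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we test protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    return ctx


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version name: 'accepted (...)' | 'refused' | 'unsupported locally'}.
    Note: 'refused' also covers a local OpenSSL security level blocking the version."""
    results = {}
    for version in sorted(DEPRECATED | ACCEPTABLE):
        ctx = single_version_context(version)
        if ctx is None:
            results[version.name] = "unsupported locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = "accepted (%s)" % tls.version()
        except (ssl.SSLError, OSError):
            results[version.name] = "refused"
    return results


def deprecated_versions_accepted(results: dict) -> list:
    """The finding a defender cares about: deprecated versions the server still accepts."""
    return [name for name, status in results.items()
            if ssl.TLSVersion[name] in DEPRECATED and status.startswith("accepted")]
```

Run as `python check_tls.py` after adding a call such as `print(probe_versions("example.com"))`; any name returned by `deprecated_versions_accepted` is a server that still needs the migration described above.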

Hypertext Transfer Protocol Secure (HTTPS)

HTTPS, or “HTTP Secure,” is an application-specific implementation that combines the Hypertext Transfer Protocol (HTTP) with SSL/TLS. HTTPS is used to provide encrypted communication with, and secure identification of, a web server.

So, what name should we use?

A quick Google search for “SSL certificate” versus “TLS certificate” returned 226,000,000 and 29,500,000 results respectively. SSL is quite simply the most popular term for discussing and marketing secure server certificates. Most of the time, we will combine the terms and call them SSL/TLS certificates.