What is the difference between SSL and TLS?

| Features | SSL | TLS |
| --- | --- | --- |
| Definition | Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure communications over the Internet. | Transport Layer Security (TLS) is the successor to SSL. |
| History | SSL was originally developed by Netscape and released as SSL 2.0 in 1995. An improved SSL 3.0 was released in 1996. | TLS 1.0 was defined in RFC 2246. The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free". |
| Browser Support | Modern browsers do not support SSL 1.0 or 2.0. | Modern browsers support TLS 1.0 by default and may optionally support TLS 1.1 and 1.2. |
| Vulnerability | The recent POODLE vulnerability has shown that SSL v3.0 is completely insecure. It is advised to switch to TLS 1.1 or 1.2. | The recent BEAST attack shows that web sites running even the TLS v1.0 protocol are vulnerable. It is advised to switch to TLS 1.1 or 1.2. |

How is the connection established?

By Port (a.k.a. explicit): Connecting to a specific port means that a secure connection should be used. For example, port 443 for https (secure web), 993 for secure IMAP, 995 for secure POP, etc. These ports are set up on the server ready to negotiate a secure connection first, and do whatever else you want second.

The “By Port” method is commonly referred to as “SSL” or “explicit”.

By Protocol (a.k.a. implicit): These connections first begin with an insecure “hello” to the server and only then switch to secured communications after the handshake between the client and the server is successful. If this handshake fails for any reason, the connection is severed. A good example of this is the command “STARTTLS” used in outbound email (SMTP) connections.

The “By Protocol” method is commonly referred to as “TLS” or “implicit” in many program configuration areas.

OSI Model

SSL and TLS both work at the Presentation layer of the OSI model.

Which one to choose?

When you select SSL or TLS in a program's settings, you choose how the secure connection will be initiated. The same level of encryption will be obtained when talking to the server either way; the encryption level is determined by the software installed on the server and how it is configured.

SSL 3.0 is outdated; choose TLS 1.1 or 1.2.
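
The two ways of starting a secure connection described under "How is the connection established?", together with the version advice under "Which one to choose?", as an added Python example (not code from the original post or its sources). Both paths end in the same handshake with a context that refuses anything older than TLS 1.2; port 587, the host names and every function name are assumptions of this example.

```python
import socket
import ssl
# Constructed sample: EHLO reply from a server that advertises STARTTLS.
SAMPLE_EHLO = b"250-mail.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"

def strict_context() -> ssl.SSLContext:
    """Verify certificate and hostname; refuse SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def read_reply(f) -> bytes:
    reply = line = f.readline()
    while line[3:4] == b"-":  # '-' after the code marks a continuation line
        line = f.readline()
        reply += line
    return reply

def offers_starttls(ehlo_reply: bytes) -> bool:
    """True if a 250 reply lists STARTTLS on a keyword line (after the greeting)."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    keywords = {ln[4:].partition(" ")[0].upper() for ln in lines[1:]}
    return ehlo_reply.startswith(b"250") and "STARTTLS" in keywords

def connect_by_port(host: str, port: int = 993) -> ssl.SSLSocket:
    """'By port': the TLS handshake is the first thing sent on the socket."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        return strict_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()  # handshake failed: sever the connection
        raise

def connect_by_protocol(host: str, port: int = 587) -> ssl.SSLSocket:
    """'By protocol': plaintext SMTP greeting, STARTTLS, then the same handshake."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        with raw.makefile("rb") as f:
            read_reply(f)  # 220 greeting, sent in the clear
            raw.sendall(b"EHLO client.example\r\n")
            if not offers_starttls(read_reply(f)):
                raise ConnectionError("STARTTLS not offered; refusing plaintext")
            raw.sendall(b"STARTTLS\r\n")
            if not read_reply(f).startswith(b"220"):
                raise ConnectionError("server rejected STARTTLS")
        return strict_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

The two `connect_*` functions need a reachable server; the parsing helpers and the context can be exercised offline against `SAMPLE_EHLO`.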

