Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are internet protocols that secure sensitive information transmitted between a browser and a server.
These cryptographic protocols allow sensitive information such as credit card numbers, social security numbers and login details to be transmitted in an encrypted form.
If you run an online business then an SSL or TLS certificate is essential to both protect and encourage customer payments. Though SSL and TLS are not the only secure protocols currently in use, they are very common for sites dealing with transactions that could involve sensitive data.
When an SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it. The website’s URL is prefixed with “https” instead of “http” and a padlock is shown on the address bar.
If neither SSL nor TLS is used then your connection with the web server is unencrypted and all the data will be sent in plaintext. Network attackers can easily intercept information transmitted in plain text.
SSL was developed by Netscape Communications Corporation in 1994 to secure internet communications over the World Wide Web. Over the years, new versions of the protocols have been released to address vulnerabilities and support stronger, more secure cipher suites and algorithms.
TLS (Transport Layer Security) is an updated and more secure version of SSL.
This protocol was first defined in RFC 2246 in January of 1999. TLS brings a number of useful extensions and security algorithms. According to the protocol specification, TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The Record Protocol provides connection security, while the Handshake Protocol allows the server and client to authenticate each other and to negotiate encryption algorithms and cryptographic keys before any data is exchanged. TLS 1.2 is the current version of the protocol.
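To make the two layers concrete, here is an added example (not code from the original page or from any TLS library) that builds a minimal ClientHello, the first handshake message, and then parses it by walking the 5-byte record header first and the handshake header and body second. The constants, helper names and the constructed sample bytes are assumptions for illustration; the cipher-suite codes are the IANA registry values. The audit function takes the defender's view described later on the page: it flags a hello whose highest offered version is SSLv3 or below, or which offers RC4 or 3DES suites.

```python
import struct

# TLS record-layer content type and handshake message type (RFC 5246 sections 6.2 and 7.4).
CONTENT_HANDSHAKE = 0x16
MSG_CLIENT_HELLO = 0x01

# Protocol version numbers as they appear on the wire.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# A few cipher-suite codes from the IANA registry: the first three are legacy suites
# (RC4 and 3DES) a hardened server would not accept, the last two are modern.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
LEGACY_SUITES = {0x0004, 0x0005, 0x000A}


def build_client_hello(client_version, cipher_suites, record_version=0x0301):
    """Assemble a minimal ClientHello inside a handshake record (constructed input
    for the parser below: zero client_random, empty session id, no extensions)."""
    body = struct.pack(">H", client_version)            # highest version the client supports
    body += bytes(32)                                   # client_random (zeros here for reproducibility)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack(">H", 2 * len(cipher_suites))   # cipher_suites length in bytes
    body += b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += b"\x01\x00"                                 # compression_methods: one entry, null
    handshake = bytes([MSG_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([CONTENT_HANDSHAKE]) + struct.pack(">HH", record_version, len(handshake))
    return header + handshake


def parse_client_hello(record):
    """Walk the two layers: the record header (type, version, length), then the
    handshake header (type, 24-bit length) and the ClientHello body. Raises
    ValueError on anything malformed, including an SSLv2-format hello (first byte 0x80)."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack(">HH", record[1:5])
    fragment = record[5:5 + rec_len]
    if rec_len < 4 or len(fragment) != rec_len:
        raise ValueError("truncated record")
    if fragment[0] != MSG_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                        # skip client_random
    pos += 1 + body[pos]                                # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version, "client_version": client_version, "cipher_suites": suites}


def audit_client_hello(record):
    """Defender's check: list the reasons a server hardened as the page recommends
    would reject or downgrade this hello. An empty list means nothing to flag."""
    info = parse_client_hello(record)
    findings = []
    if info["client_version"] <= 0x0300:
        name = VERSION_NAMES.get(info["client_version"], "0x%04x" % info["client_version"])
        findings.append("client offers at most " + name)
    for s in info["cipher_suites"]:
        if s in LEGACY_SUITES:
            findings.append("legacy cipher suite offered: " + SUITE_NAMES[s])
    return findings


if __name__ == "__main__":
    sample = build_client_hello(0x0303, [0xC02F, 0x002F, 0x0005])   # constructed sample
    print(parse_client_hello(sample))
    print(audit_client_hello(sample))
```

The record version in the outer header is deliberately 0x0301 while the inner client_version is 0x0303: real clients send the legacy value in the record header for compatibility, so the version that matters for negotiation is the one inside the handshake body.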
Most websites refer to TLS/SSL as simply SSL. They are actually two separate protocols.
How does TLS differ from SSL?
The differences between the two protocols are very minor and technical. While SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server succeeds. If the TLS handshake fails for any reason, no connection is established.
TLS provides a more secure method for managing authentication and exchanging messages, using the following features:
● To provide more consistency, the TLS protocol specifies the type of certificate that must be exchanged between nodes.
● While SSL provides keyed message authentication, TLS implements a standardized MAC (HMAC) that has been proven in many other implementations. The main benefit of this change is that HMAC operates with any hash function, rather than only the MD5 and SHA constructions fixed by the SSL protocol.
● TLS uses the HMAC standard and its pseudorandom function (PRF) output to generate key material. Using two algorithms adds a safety margin: the key material stays protected if only one of the algorithms is compromised, and remains secure as long as the second algorithm is not compromised.
● TLS provides more specific alerts about problems with a session and documents when certain alerts are sent.
● The security of SSL’s latest version, 3.0, is comparable to TLS 1.0, but TLS 1.1 and 1.2 outstrip both by leaps and bounds.
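The HMAC-based PRF described in the list above, as an added example that is not code from the original page or from any TLS implementation: the P_hash expansion shared by all TLS versions, the TLS 1.0/1.1 PRF that splits the secret and XORs an MD5 stream with a SHA-1 stream (the "two algorithms" point), the TLS 1.2 PRF that uses SHA-256 alone, and the master-secret and key-block derivation built on them. Only Python's standard library is used; the pre-master secret and the client and server randoms are constructed sample values, and the function and key names are this example's own.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246/5246 section 5: expand secret and seed to `length` bytes.
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5): split the secret into two halves (rounded up,
    so an odd-length secret shares its middle byte), run P_MD5 over the first half and
    P_SHA1 over the second, and XOR the two streams so that breaking one hash alone does
    not expose the key material."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): a single P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)


def derive_keys(pre_master_secret, client_random, server_random,
                mac_len=20, key_len=16, iv_len=16, prf=prf_tls12):
    """Master secret (RFC 5246 section 8.1) and key block (section 6.3). Note the seed
    order differs: client_random + server_random for the master secret, but
    server_random + client_random for key expansion. Default sizes match an
    AES-128-CBC-SHA suite (20-byte MAC keys, 16-byte keys, 16-byte IVs)."""
    master = prf(pre_master_secret, b"master secret", client_random + server_random, 48)
    total = 2 * (mac_len + key_len + iv_len)
    key_block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[offset:offset + size]
        offset += size
    return master, keys


if __name__ == "__main__":
    # Constructed sample values; a real handshake uses 48 random bytes from the
    # key exchange and 32 fresh random bytes from each side.
    pre_master = bytes(range(48))
    client_random, server_random = b"\x01" * 32, b"\x02" * 32
    master, keys = derive_keys(pre_master, client_random, server_random)
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(name, value.hex())
```

Passing `prf=prf_tls10` to `derive_keys` produces the TLS 1.0/1.1 schedule from the same inputs; the two schedules differ entirely even though both are built on HMAC, which is why a version downgrade changes every key in the session.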
Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL protocols. For this reason, you should disable SSLv2 and SSLv3 in your server configuration, leaving only TLS protocols 1.0, 1.1, and 1.2 enabled. The newer TLS versions can prevent BEAST, POODLE and other attack vectors and provide many stronger ciphers and encryption methods. Unfortunately, even now a majority of websites do not use the newer versions of TLS and permit weak encryption ciphers. Adding a TLS certificate to your website will immediately improve security and privacy.