From SSL to TLS: The Road towards Better Security

Wednesday, October 28, 2015

ssl tlsSSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that verify communicating parties and encrypt information on the Internet, such that people can transact highly confidential information such as credit card details securely or pass on important data such as passwords over the Internet.

Often a time, website owners looking to purchase a digital certificate for security may chance upon two commonly used terminologies, SSL, and TLS, invariably getting themselves confused. So.. Is there a difference between SSL and TLS?

In truth, there is and TLS is known for its better security with lesser vulnerabilities. TLS is an upgraded version of SSL and built upon previous versions each time. It starts off with SSL 1.0 and till date, the current version stays at TLS 1.2.

Transition History from SSL to TLS

SSL has transitioned to TLS over the past two decades and been through several rounds of security enhancements, as well as a name change.

1. SSL1.0
Netscape Communications Corporation designed the first version of SSL naming it SSL1.0. But major vulnerabilities were found in its protocol and Netscape Communication Corporation gave up releasing SSL1.0.

2. SSL2.0
SSL2.0 was developed by fixing the vulnerability on SSL1.0 and re-designing the protocol. It was officially released in 1994 by Netscape Communications Corporation. SSL2.0 was implemented in Netscape Navigator 1.1, a web browser developed by Netscape Communication Corporation. Since then, some vulnerabilities were found in SSL2.0 and RFC 6176 prohibited use of SSL2.0 in 2011.

3. SSL3.0
Netscape Communication Corporation fixed the problems with SSL2.0, made functional additions to it and then released the protocol as SSL3.0 in 1995. They implemented SSL3.0 in their Netscape Navigator 2.0; however, the vulnerability “POODLE” (Padding Oracle On Downgraded Legacy Encryption) was found in SSL 3.0 and RFC 7568 prohibited use of SSL3.0 in 2015.

4. TLS1.0
Standardization development of an SSL protocol was transferred to the working group in IETF (The Internet Engineering Task Force), the organization that develops standardization of the technology used on the Internet, and the protocol name was also changed from SSL to TLS.

The first version of the protocol developed by IETF was named as TLS1.0, standardized as RFC 2246 and released in 1999. A significant difference between SSL3.0 and TLS1.0 did not exist, but some alterations were made in TLS1.0.

5. TLS1.1
TLS1.1 was standardized as RFC 4346 in 2006. TLS1.1 focus on strengthening tolerance against newly discovered attacks and AES (Advanced Encryption Standard), a form of the data encryption technologies and it uses 3 types of keys (128/192/256 bit) for encryption to strengthen security, was added to the option in TLS1.1.

6. TLS1.2
TLS1.2 was the version that added SHA-256. SHA-2 is a type of hash that was designed by U.S. National Security Agency and was standardized as RFC 5246 in 2008. As of now, TLS1.2 is the latest version and is available for use in encryption technologies that has compatible verification feature such as GCM mode and CCM mode addition to the existing CBC mode in TLS1.2.

The next version “TLS1.3” has already been proposed and some characteristics of the new “TLS1.3” have already been stated and outlined. One of which states that the version does not support data compression and abolishes encryption technologies that are not compatible with verification features such as CBC mode block encryption.

The Merits of SSL and TLS

While SSL has evolved tremendously, the core technology and features beneath it remain the same.

SSL and TLS provides:
・Encryption of communication contents to prevent divulging of information
・Verification of communications ends to prevent spoofing
・Verification to examine whether messages have been manipulated during transmission

SSL/TLS should be used on all websites regardless of business type and nature (Learn about HTTPS Everywhere).

SSL/TLS Compatibility with DigiCert Products

DigiCert mentions that “All DigiCert digital certificates are compatible with SSL and TLS protocols. However, because of the notable vulnerabilities in SSL 3.0, DigiCert recommends disabling SSL 3.0 on your server completely if you have not already done so. By disabling SSL 3.0 and enabling TLS, admins will receive the same level of encryption without the vulnerabilities. If you are unsure about what SSL/TLS versions you have enabled, you can use the Certificate Inspector for vulnerability scanning, analytics, and more.”

DigiCert SSL certificates use SSL/TLS encryption technology and are implemented globally by well-known companies such as IBM, Intel, and NASA.

Share :    


Back to Blog