"TLS vs. SSL" - 5 Things To Know (Differences, Protocols, & Handshakes)

Graphic for Guide to TLS vs SSL

Online security is paramount to a website’s success. You’ve heard the buzzwords: online privacy, cybercrime, malware, phishing, censorship, DDoS attacks, and so on. These issues periodically pester online users, some more than others, of course.

An essential to shielding yourself and your site against these security vulnerabilities is the end-to-end encryption of the communication data between computers (PC, phone, etc.) and web servers.

We live in an increasingly digitally connected world, where the Transport Layer Security (TLS) network protocol is of the utmost importance to safeguarding folks from digital harm.

The TLS protocol is used by the HTTPS protocol (among others) to encrypt and authenticate the computers involved in any communication on the web.

So, where do we begin? Let’s peer into the world of TLS, SSL, and HTTPS certificates.

1. TLS Is the Modern Encryption Standard (SSL is Older)

In a nutshell: TLS is the encryption everyone uses these days. SSL is antiquated. When people say SSL, they mean TLS!

SSL/TLS Means “Secure Sockets Layer” and “Transport Layer Security”

Transport Layer Security and Secure Sockets Layer (SSL) are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.

Technically, TLS consists of two parts:

  1. The TLS handshake layer manages which cipher (the type of encryption algorithm) will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.
  2. The TLS record layer gets data from the user applications, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer.

TLS establishes an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts. TLS is most often used in conjunction with other Internet protocols such as HTTPS, SSH, FTPS, and secure email.

SSL Handshake and Layers Graphic

TLS/SSL consists of two layers within the application layer of the Internet Protocol Suite (TCP/IP).

In 1999, TLS replaced the older SSL protocol as the encryption most everyone uses. This change was made mostly to avoid legal issues with the Netscape company, which created SSL, so that the protocol could be developed as an open standard, free for all.

HTTP vs. HTTPS

HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.

More and more web servers are also going HTTPS-only, not just for security reasons, but for other practical arguments:

  • Some browser vendors now require HTTPS for certain browser features (e.g., geo-location). And Google and Firefox intend to phase out non-encrypted HTTP in their browsers. So, the browser community is pushing for HTTPS as the standard.
  • Users expect a trust- and safety-indicating URL bar (e.g., the padlock icon) without any security warnings, especially on eCommerce sites and other sites with privacy-sensitive data.

It may increase your search engine ranking, too, though this has yet to be confirmed by Google.

2. Differences Between the SSL, SSL v3, and TLS Protocols

Several versions of SSL and TLS have been released over the years:

  • 1995: SSL v2 was the first public release of SSL by Netscape.
  • 1996: SSL v3 was a new version that fixed several security design flaws of SSL v2. By 2004, v3 was considered insecure due to the POODLE attack.
  • 1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-compatibility.
  • 2006: TLS v1.1
  • 2008: TLS v1.2 is the current TLS standard and is used in most cases.
  • TLS v1.3 is currently still only a working draft specification.

Most applications, such as browsers, are compatible with some of the older SSL protocol versions, too, although SSL is slowly being phased out in favor of the better TLS security.

3. Pros and Cons

Benefits abound for those using encryption to protect their site’s (and customers’) sensitive data. This is especially true of eCommerce and healthcare-related sites.

Pros: SSL/TLS Security

Your site’s traffic benefits from TLS security in two ways:

  1. Prevent intruders from tampering with the communication between your website and web browsers. Intruders can be malicious attackers or benign invaders like ISPs or hotels that inject ads into pages. Sensitive data, such as the user’s login credentials, credit card details, and email info, must never be revealed over the network.
  2. Prevent intruders from passively listening to communications with your server. This is a somewhat elusive, but growing, security threat (also confirmed by the Snowden leaks).

The importance of these pros can’t be overstated — especially for eCommerce sites that depend on getting and retaining user trust for sales.

Cons: SSL/TLS “Handshake”

As great as it sounds, TLS has a few drawbacks:

  1. TLS will add latency to your site’s traffic.
  2. The handshake is resource-intensive. It uses asymmetric encryption to establish a session key, which then allows the client and server to switch to a faster symmetric encryption.
  3. TLS will add complexity to your server management. You will need to get a certificate installed on your web server and maintain the validity of that certificate. Nowadays, there are automated tools for (domain-validated) certificate management.
  4. MaxCDN found a 5ms latency when testing encrypted connections compared to unencrypted connections. Tests showed a peak increase in CPU usage of about 2% as well. However, “even with dozens of parallel requests and hundreds of sequential requests, CPU usage never exceeded 5%.”

As for the performance of the whole connection, MaxCDN concluded: “Encryption does add a step in the initial connection process. The overhead for ongoing connections is negligible when compared to unencrypted connections.”

With the upcoming HTTP/2 standard, setting up a TLS connection will be significantly faster, due to its parallel design (fewer network round trips required for data exchanges).

Additionally, although the HTTP/2 standard itself does not require the use of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have said they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

4. Types of TLS/SSL Certificates

As of late, the entire web seems to be trending toward HTTPS. Certificates can be requested from Certificate Authorities, of which there are many providers. Read up on the various certificate options available in our article on choosing an SSL certificate, or read on as we briefly cover the three main types below.

Extended Validation (EV)

EV certificates come with the green address bar — a recognized symbol of trust on the Internet. EV certificates are the premier TLS certificates. Sites for which security and consumer trust are essentials, such as large eCommerce sites, should seriously consider an EV cert.

Screenshot of address bars with EV certificates in place

Websites with EV certificates tout the green bar of trust in the browser address bar.

These certificates are, however, the most expensive because an extended organizational verification process is done based on these issuing criteria.

Organization Validation (OV)

OV certificates do not come with the green address bar but activate a number of browser trust indicators. An OV certificate requires a business be verified by the Certificate Authority. The organization’s name will be listed on the certificate, which reinforces the trust.

OVs are used by corporations, governments, and other entities that want to provide an extra layer of confidence to their visitors. OV certificates are especially important for eCommerce websites if an EV certificate is unattainable for whatever reason.

Domain Validation (DV)

DV certificates offer industry-standard encryption (at the same level as the other certificate types), but not much else. Aside from its low (or even free) cost, another benefit of a Domain Validated (DV) certificate is it can be issued in mere minutes because the Certificate Authority only has to validate that you own the domain you wish to secure — which is often an automated process.

5. Hosts With FREE SSL/TLS Certificates Included

In the past, getting a certificate was often complicated for website owners. Hosting providers spent inordinate amounts of time integrating different tools and administering manual processes into their businesses. And the cost of a certificate was sometimes a prohibitive factor for smaller and/or non-commercial web property owners.

In 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let’s Encrypt – a free, automated, and open Certificate Authority. This project has shown to be groundbreaking in terms of the number of Domain Validated certificates being used nowadays. Find more on their Automatic Certificate Management Environment (ACME) tools and how to get started here.

In 2016, Symantec started their Encryption Everywhere initiative aimed at ensuring every legitimate website is secure by 2018 using a hassle-free certificate process.

Symantec’s program helps web hosting partners offer basic encryption at no added cost to the hosting customer. Symantec provides basic certificates to hosts, who can, in turn, provide fully integrated SSL encryption to any new or renewing customer (through their cPanel interface).

Here are the top-recommended hosting providers with free SSL certificates:

iPage.com

iPage review

Monthly Starting Price $1.99

  • Featuring easy setup and superb reliability since 1998
  • FREE domain and FREE Google marketing included
  • Unlimited disk, bandwidth, and emails
  • FREE site builder and shopping cart
  • Get more than 75% off today (was $8.99/month)
  • Get started on iPage now.

CHEAP
RATING

5.0
★★★★★

iPage: Our Expert's Review

Setup time: 5 minutes
PJ Fancher (HostingAdvice.com): Whether you're a first-time website owner or a web veteran, iPage’s excellent hosting services and fantastic list of extras make them one of the best values in web hosting.Unlimited disk space, bandwidth, and emails are just a part of what makes iPage’s... Go to full review »
Money Back Guarantee Disk Space Domain Name Cheap Hosting Plans
30 days Unlimited FREE (1 year) www.ipage.com/shared

InMotionHosting.com

InMotion review

Monthly Starting Price $2.95

  • FREE BoldGrid builder and templates
  • FREE website and cPanel migrations
  • FREE SSD storage makes your site load up to 20x faster!
  • FREE security suite including SSL and hack protection
  • Unlimited bandwidth and emails
  • Get started on InMotion now.

CHEAP
RATING

4.8
★★★★★

InMotion: Our Expert's Review

Setup time: 5 minutes
PJ Fancher (HostingAdvice.com): InMotion offers an excellent business-class shared hosting plan. While carrying a higher price tag than other cheap hosts, it has a very nice list of features to help justify the extra cost. For the IT crowd in the audience, you’ll appreciate SSH access, as... Go to full review »
Money Back Guarantee Disk Space Domain Name Cheap Hosting Plans
90 days Unlimited FREE (1 year) www.inmotionhosting.com/shared

So, in these days of free certificates, lower-cost industrial-grade certificates, and much better certificate management tools, there are fewer arguments against using HTTPS as a site owner.

Begin Building Your SSL-Secured Site in Minutes

Now that you know what is required to secure your site using HTTPS, the TLS certificate options available, and the trust expectations of Internet users, you’re free to start implementing encryption best practices on your own site.

Head over to The SSL Store, an excellent partner in this somewhat bewildering world of web certificates and security acronyms. They will deliver friendly, security-qualified, and 24/7 customer support — not to be outdone by the best web hosts out there.

Alexandra Leslie

Questions or Comments? Ask Alexandra!

Ask a question and Alexandra will respond to you. We strive to provide the best advice on the net and we are here to help you in any way we can.

  • Thanks for sharing a great read. In fact, you don’t need a FREE SSL certificate from web hosting provider if you are hosted with WHM/cPanel. With version 58.0 (or later), WHM is shipped with AutoSSL feature which provides you a free COMODO domain validated certificate for all websites hosted in WHM Server.