"TLS vs. SSL" - 5 Things To Know (Differences, Protocols, & Handshakes)

Online security is paramount to a website’s success. You’ve heard the buzzwords: online privacy, cybercrime, malware, phishing, censorship, DDoS attacks, and so on. These issues periodically pester online users, some more than others, of course.

An essential to shielding yourself and your site against these security vulnerabilities is the end-to-end encryption of the communication data between computers (PC, phone, etc.) and web servers.

We live in an increasingly digitally connected world, where the Transport Layer Security (TLS) network protocol is of the utmost importance to safeguarding folks from digital harm.

The TLS protocol is used by the HTTPS protocol (among others) to encrypt and authenticate the computers involved in any communication on the web.

So, where do we begin? Let’s peer into the world of TLS, SSL, and HTTPS certificates.

1. TLS Is the Modern Encryption Standard (SSL is Older)

In a nutshell: TLS is the encryption everyone uses these days. SSL is antiquated. When people say SSL, they mean TLS!

SSL/TLS Means “Secure Sockets Layer” and “Transport Layer Security”

Transport Layer Security and Secure Sockets Layer (SSL) are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.

Technically, TLS consists of two parts:

  1. The TLS handshake layer manages which cipher (the type of encryption algorithm) will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.
  2. The TLS record layer gets data from the user applications, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer.

TLS establishes an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts. TLS is most often used in conjunction with other Internet protocols such as HTTPS, SSH, FTPS, and secure email.

TLS/SSL consists of two layers within the application layer of the Internet Protocol Suite (TCP/IP).

In 1999, TLS replaced the older SSL protocol as the encryption most everyone uses. This change was made mostly to avoid legal issues with the Netscape company, which created SSL, so that the protocol could be developed as an open standard, free for all.

HTTP vs. HTTPS

HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.

More and more web servers are also going HTTPS-only, not just for security reasons, but for other practical arguments:

  • Some browser vendors now require HTTPS for certain browser features (e.g., geo-location). And Google and Firefox intend to phase out non-encrypted HTTP in their browsers. So, the browser community is pushing for HTTPS as the standard.
  • Users expect a trust- and safety-indicating URL bar (e.g., the padlock icon) without any security warnings, especially on eCommerce sites and other sites with privacy-sensitive data.

It may increase your search engine ranking, too, though this has yet to be confirmed by Google.

2. Differences Between the SSL, SSL v3, and TLS Protocols

Several versions of SSL and TLS have been released over the years:

  • 1995: SSL v2 was the first public release of SSL by Netscape.
  • 1996: SSL v3 was a new version that fixed several security design flaws of SSL v2. By 2004, v3 was considered insecure due to the POODLE attack.
  • 1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-compatibility.
  • 2006: TLS v1.1
  • 2008: TLS v1.2 is the current TLS standard and is used in most cases.
  • TLS v1.3 is currently still only a working draft specification.

Most applications, such as browsers, are compatible with some of the older SSL protocol versions, too, although SSL is slowly being phased out in favor of the better TLS security.

3. Pros and Cons

Benefits abound for those using encryption to protect their site’s (and customers’) sensitive data. This is especially true of eCommerce and healthcare-related sites.

Pros: SSL/TLS Security

Your site’s traffic benefits from TLS security in two ways:

  1. Prevent intruders from tampering with the communication between your website and web browsers. Intruders can be malicious attackers or benign invaders like ISPs or hotels that inject ads into pages. Sensitive data, such as the user’s login credentials, credit card details, and email info, must never be revealed over the network.
  2. Prevent intruders from passively listening to communications with your server. This is a somewhat elusive, but growing, security threat (also confirmed by the Snowden leaks).

The importance of these pros can’t be overstated — especially for eCommerce sites that depend on getting and retaining user trust for sales.

Cons: SSL/TLS “Handshake”

As great as it sounds, TLS has a few drawbacks:

  1. TLS will add latency to your site’s traffic.
  2. The handshake is resource-intensive. It uses asymmetric encryption to establish a session key, which then allows the client and server to switch to a faster symmetric encryption.
  3. TLS will add complexity to your server management. You will need to get a certificate installed on your web server and maintain the validity of that certificate. Nowadays, there are automated tools for (domain-validated) certificate management.
  4. MaxCDN found a 5ms latency when testing encrypted connections compared to unencrypted connections. Tests showed a peak increase in CPU usage of about 2% as well. However, “even with dozens of parallel requests and hundreds of sequential requests, CPU usage never exceeded 5%.”

As for the performance of the whole connection, MaxCDN concluded: “Encryption does add a step in the initial connection process. The overhead for ongoing connections is negligible when compared to unencrypted connections.”

With the upcoming HTTP/2 standard, setting up a TLS connection will be significantly faster, due to its parallel design (fewer network round trips required for data exchanges).

Additionally, although the HTTP/2 standard itself does not require the use of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have said they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

4. Types of TLS/SSL Certificates

As of late, the entire web seems to be trending toward HTTPS. Certificates can be requested from Certificate Authorities, of which there are many providers. Read up on the various certificate options available in our article on choosing an SSL certificate, or read on as we briefly cover the three main types below.

Extended Validation (EV)

EV certificates come with the green address bar — a recognized symbol of trust on the Internet. EV certificates are the premier TLS certificates. Sites for which security and consumer trust are essentials, such as large eCommerce sites, should seriously consider an EV cert.

Websites with EV certificates tout the green bar of trust in the browser address bar.

These certificates are, however, the most expensive because an extended organizational verification process is done based on these issuing criteria.

Organization Validation (OV)

OV certificates do not come with the green address bar but activate a number of browser trust indicators. An OV certificate requires a business be verified by the Certificate Authority. The organization’s name will be listed on the certificate, which reinforces the trust.

OVs are used by corporations, governments, and other entities that want to provide an extra layer of confidence to their visitors. OV certificates are especially important for eCommerce websites if an EV certificate is unattainable for whatever reason.

Domain Validation (DV)

DV certificates offer industry-standard encryption (at the same level as the other certificate types), but not much else. Aside from its low (or even free) cost, another benefit of a Domain Validated (DV) certificate is it can be issued in mere minutes because the Certificate Authority only has to validate that you own the domain you wish to secure — which is often an automated process.

5. Hosts With FREE SSL/TLS Certificates Included

In the past, getting a certificate was often complicated for website owners. Hosting providers spent inordinate amounts of time integrating different tools and administering manual processes into their businesses. And the cost of a certificate was sometimes a prohibitive factor for smaller and/or non-commercial web property owners.

In 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let’s Encrypt – a free, automated, and open Certificate Authority. This project has shown to be groundbreaking in terms of the number of Domain Validated certificates being used nowadays. Find more on their Automatic Certificate Management Environment (ACME) tools and how to get started here.

In 2016, Symantec started their Encryption Everywhere initiative aimed at ensuring every legitimate website is secure by 2018 using a hassle-free certificate process.

Symantec’s program helps web hosting partners offer basic encryption at no added cost to the hosting customer. Symantec provides basic certificates to hosts, who can, in turn, provide fully integrated SSL encryption to any new or renewing customer (through their cPanel interface).

Here are the top-recommended hosting providers with free SSL certificates:

CHEAP RATING
★★★★★ 5.0/5.0
  • Featuring easy setup and superb reliability since 1998
  • FREE domain and FREE Google marketing included
  • Unlimited disk, bandwidth, and emails
(read more)
Starting Price/Mo. $1.99
Money Back Guarantee 30 days
Disk Space Unlimited
Domain Name FREE (1 year)
Cheap Hosting Plans www.ipage.com/shared

Our Expert's iPage Review

Whether you're a first-time website owner or a web veteran, iPage’s excellent hosting services and fantastic list of extras make them one of the best values in web hosting. Unlimited disk space, bandwidth, and emails... read more +

Whether you're a first-time website owner or a web veteran, iPage’s excellent hosting services and fantastic list of extras make them one of the best values in web hosting.

Unlimited disk space, bandwidth, and emails are just a part of what makes iPage’s shared hosting plans a great deal. They offer very good "suites" of extras focusing on web hosting necessities like security, marketing, and support.

If you don’t yet have a site, they include a free domain and website builder to get you rolling quickly. We especially love their inclusion of eCommerce templates and online shopping carts for the same low price.

Support is one factor that’s very important to us, as it should be to you. For customer support, iPage has US-based phone, email, and chat available 24/7. For the DIY crowd, they also have an extensive list of tutorials and helpful documents.

One of the very best budget web hosts out there, iPage offers great hosting features and server performance for a low price. If you are searching for a cheap, reliable web host, iPage should definitely be near the top of your list.

collapse info -

CHEAP RATING
★★★★★ 4.8/5.0
  • FREE BoldGrid builder and templates
  • FREE website and cPanel migrations
  • FREE SSD storage makes your site load up to 20x faster!
(read more)
Starting Price/Mo. $2.95
Money Back Guarantee 90 days
Disk Space Unlimited
Domain Name FREE (1 year)
Cheap Hosting Plans www.inmotionhosting.com/shared

Our Expert's InMotion Review

InMotion offers an excellent business-class shared hosting plan. While carrying a higher price tag than other cheap hosts, it has a very nice list of features to help justify the extra cost. For the... read more +

InMotion offers an excellent business-class shared hosting plan. While carrying a higher price tag than other cheap hosts, it has a very nice list of features to help justify the extra cost.

For the IT crowd in the audience, you’ll appreciate SSH access, as well as support for PHP, Ruby, Perl, Python, WP-CLI, and other popular languages. You’ll also appreciate the 20-times faster speed, which comes from all-SSD storage and your choice of datacenter locations. You needn’t worry about data security as InMotion plans include data backups.

For the rest of us, we can appreciate the convenience of the free website transfers and 24/7 US-based support. A free domain and website builder with eCommerce support are also appealing.

The overall package and business-class hardware make InMotion’s shared hosting a great choice for businesses or those looking for a little higher-end hardware. And, as one of the few remaining independently owned hosting providers left on the market, InMotion has taken every effort to remain cost-competitive.

collapse info -

So, in these days of free certificates, lower-cost industrial-grade certificates, and much better certificate management tools, there are fewer arguments against using HTTPS as a site owner.

Begin Building Your SSL-Secured Site in Minutes

Now that you know what is required to secure your site using HTTPS, the TLS certificate options available, and the trust expectations of Internet users, you’re free to start implementing encryption best practices on your own site.

Head over to The SSL Store, an excellent partner in this somewhat bewildering world of web certificates and security acronyms. They will deliver friendly, security-qualified, and 24/7 customer support — not to be outdone by the best web hosts out there.

ABOUT THE AUTHOR
Alexandra Leslie

Alexandra Leslie serves as Tech Vertical Manager of Digital Brands Inc, spearheading the charge to deliver technical expertise and thought leadership to our rapidly growing audience of developers, engineers, and website owners here at HostingAdvice. You'll find her engaging with leaders in web hosting and tangentially related industries, enjoying honest discussions of their cutting-edge technologies. She loves getting her hands dirty with comprehensive reviews of popular hosting platforms and services, and she's a die-hard WordPress fan. Alexandra leads the HostingAdvice team with a passion for translating technical jargon into digestible action items anyone can use to build, monetize, and scale a web presence.