TLS vs. SSL: 5 Key Facts About Protocols, Handshakes & Differences (2024)


Online security is paramount to a website’s success, and understanding the difference between TLS vs. SSL is another step in protecting your sensitive data.

You’ve heard the buzzwords: online privacy, cybercrime, malware, phishing, DDoS attacks, and so on. An essential component to shielding yourself and your site against these security vulnerabilities is the end-to-end encryption of the communication data between computers and web servers.

We live in an increasingly digitally connected world, where the Transport Layer Security (TLS) network protocol is of the utmost importance to safeguarding folks from digital harm. The TLS protocol is used by the HTTPS protocol (among others) to encrypt and authenticate the computers involved in any communication on the web. So, where do we begin? Let’s peer into the world of TLS, SSL, and HTTPS certificates.

1. Hosts With FREE SSL/TLS Certificates

In the past, getting a certificate was often complicated for website owners. Hosting providers spent inordinate amounts of time integrating different tools and administering manual processes into their businesses. And the cost of a certificate was sometimes a prohibitive factor for smaller and/or non-commercial web property owners.

In 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let’s Encrypt – a free, automated, and open Certificate Authority. This project has proven to be groundbreaking in terms of the number of Domain Validated certificates being used nowadays. Find more on their Automatic Certificate Management Environment (ACME) tools and how to get started here.

In 2016, Symantec started its Encryption Everywhere initiative aimed at ensuring every legitimate website is secure by 2018 using a hassle-free certificate process.

Symantec’s program helps web hosting partners offer basic encryption at no added cost to the hosting customer. Symantec provides basic certificates to hosts, who can, in turn, provide fully integrated SSL encryption to any new or renewing customer (through their cPanel interface).

So, in these days of free certificates, lower-cost industrial-grade certificates, and much better certificate management tools, there are fewer arguments against using HTTPS as a site owner. Here are the top-recommended hosting providers with free SSL certificates:

Bluehost.com

Bluehost Review

Monthly Starting Price $1.99

  • Cheap shared hosting from a trusted provider
  • Ideal for hosting a WordPress website
  • FREE Weebly website builder and Cloudflare CDN
  • Unlimited traffic and 24/7 live chat support
  • Get 75% off today with our Bluehost coupon
  • Get started on Bluehost now.
Rating: ★★★★★ 4.9
Bluehost: Our Expert's Review

Ryan Frankel (HostingAdvice.com): Bluehost pricing is about as competitive as the industry offers. Sign up for a shared hosting plan for as little as $1.99 per month, and WordPress hosting packages are consistently priced; a VPS plan starts at around $31.99 per month; and the dedicated hosting rates are as little as $91.98 per month.

  • Money Back Guarantee: 30 days
  • Disk Space: 10 GB SSD - 100 GB SSD
  • Domain Name: FREE (1 year)
  • Setup Time: 5 minutes

iPage.com

iPage Review

Monthly Starting Price $2.95

  • Easy setup and superb reliability since 1998
  • FREE domain and Google marketing included
  • Unlimited bandwidth, storage, and emails
  • FREE site builder and shopping cart
  • Get more than 63% off today (was $7.99/month)
  • Get started on iPage now.
Rating: ★★★★★ 4.7
iPage: Our Expert's Review

PJ Fancher (HostingAdvice.com): Whether you're a first-time website owner or a web veteran, iPage’s excellent hosting services and a fantastic list of extras make the brand one of the best values in web hosting. Unlimited disk space, scalable bandwidth, and emails are just a part of what makes iPage’s shared hosting plan a great deal.

  • Money Back Guarantee: 30 days
  • Disk Space: Unlimited
  • Domain Name: FREE (1 year)
  • Setup Time: 5 minutes

InMotionHosting.com

InMotion Review

Monthly Starting Price $1.99

  • FREE BoldGrid site builder and templates
  • FREE website, domain, and cPanel migrations
  • SSD storage makes your site load up to 20x faster
  • Security suite includes SSL and hack protection
  • Unlimited bandwidth and email accounts
  • Get started on InMotion now.
Rating: ★★★★★ 4.7
InMotion: Our Expert's Review

PJ Fancher (HostingAdvice.com): InMotion Hosting offers an excellent business-class shared hosting plan — with a price tag lower than several other budget hosts. For the IT crowd in the audience, you’ll appreciate SSH access, as well as support for PHP, Ruby, Perl, Python, WP-CLI, and other popular languages.

  • Money Back Guarantee: 90 days
  • Disk Space: 100 GB SSD - Unlimited SSD
  • Domain Name: FREE (1 year)
  • Setup Time: 5 minutes

2. TLS Is the Modern Encryption Standard (SSL is Older)

In a nutshell: TLS is the encryption everyone uses these days. SSL is antiquated. When people say SSL, they mean TLS!

SSL/TLS Means “Secure Sockets Layer” and “Transport Layer Security”

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.

Technically, TLS consists of two parts:

  1. The TLS handshake layer manages which cipher (the type of encryption algorithm) will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.
  2. The TLS record layer gets data from the user applications, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer.

TLS establishes an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts. TLS is most often used in conjunction with other Internet protocols such as HTTPS, SSH, FTPS, and secure email.
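The following added example, which is not from the original article, parses the record layer described above: it splits a byte stream into TLS records using the 5-byte record header and reads the version a ClientHello offers, using the wire codes for the protocol releases listed in section 3. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Record-layer content types and the version codes of the releases named on this page.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL v3", 0x0301: "TLS v1.0", 0x0302: "TLS v1.1", 0x0303: "TLS v1.2"}
MAX_FRAGMENT = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows


def parse_records(stream: bytes) -> list:
    """Split a captured byte stream into TLS records (5-byte header + fragment)."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in CONTENT_TYPES or length > MAX_FRAGMENT:
            raise ValueError(f"not a TLS record at offset {offset}")
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record fragment")
        records.append({"type": CONTENT_TYPES[ctype], "length": length,
                        "version": VERSIONS.get(version, hex(version)), "body": body})
        offset += 5 + length
    return records


def client_hello_version(record: dict):
    """Version offered in a ClientHello (type 1 byte, length 3, version 2), else None."""
    # TLS 1.3 clients keep 0x0303 here and signal 1.3 in an extension (not parsed).
    body = record["body"]
    if record["type"] != "handshake" or len(body) < 6 or body[0] != 1:
        return None
    (version,) = struct.unpack_from("!H", body, 4)
    return VERSIONS.get(version, hex(version))


def build_sample() -> bytes:
    """Constructed sample: one ClientHello record, then one application_data record."""
    # version, 32-byte random, empty session id, one cipher suite, null compression
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    first = b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
    second = b"\x17\x03\x03" + (16).to_bytes(2, "big") + bytes(range(16))
    return first + second


if __name__ == "__main__":
    for rec in parse_records(build_sample()):
        print(rec["type"], rec["version"], rec["length"], client_hello_version(rec))
```

The record header of the first ClientHello commonly carries 0x0301 for compatibility, so the version inside the handshake message, not the record header, is the one to check when auditing what a client offers.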

Figure: TLS/SSL consists of two layers within the application layer of the Internet Protocol Suite (TCP/IP).

In 1999, TLS replaced the older SSL protocol as the encryption most everyone uses. This change was made mostly to avoid legal issues with the Netscape company, which created SSL, so that the protocol could be developed as an open standard, free for all.

HTTP vs. HTTPS

HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.

More and more web servers are also going HTTPS-only, not just for security reasons, but for other practical arguments:

  • Some browser vendors now require HTTPS for certain browser features (e.g., geo-location). And Google and Firefox intend to phase out non-encrypted HTTP in their browsers. So, the browser community is pushing for HTTPS as the standard.
  • Users expect a trust- and safety-indicating URL bar (e.g., the padlock icon) without any security warnings, especially on eCommerce sites and other sites with privacy-sensitive data.

It may increase your search engine ranking, too, though this has yet to be confirmed by Google.

3. Differences Between the SSL, SSL v3, and TLS Protocols

Several versions of SSL and TLS have been released over the years:

  • 1995: SSL v2 was the first public release of SSL by Netscape.
  • 1996: SSL v3 was a new version that fixed several security design flaws of SSL v2. By 2004, v3 was considered insecure due to the POODLE attack.
  • 1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-compatibility.
  • 2006: TLS v1.1
  • 2008: TLS v1.2 is the current TLS standard and is used in most cases.
  • TLS v1.3 is currently still only a working draft specification.

Most applications, such as browsers, are compatible with some of the older SSL protocol versions, too, although SSL is slowly being phased out in favor of the better TLS security.

4. Pros and Cons

Benefits abound for those using encryption to protect their site’s (and customers’) sensitive data. This is especially true of eCommerce and healthcare-related sites.

Pros: SSL/TLS Security

Your site’s traffic benefits from TLS security in two ways:

  1. Prevent intruders from tampering with the communication between your website and web browsers. Intruders can be malicious attackers or benign invaders like ISPs or hotels that inject ads into pages. Sensitive data, such as the user’s login credentials, credit card details, and email info, must never be revealed over the network.
  2. Prevent intruders from passively listening to communications with your server. This is a somewhat elusive, but growing, security threat (also confirmed by the Snowden leaks).

The importance of these pros can’t be overstated — especially for eCommerce sites that depend on getting and retaining user trust for sales.

Cons: SSL/TLS “Handshake”

As great as it sounds, TLS has a few drawbacks:

  1. TLS will add latency to your site’s traffic.
  2. The handshake is resource-intensive. It uses asymmetric encryption to establish a session key, which then allows the client and server to switch to a faster symmetric encryption.
  3. TLS will add complexity to your server management. You will need to get a certificate installed on your web server and maintain the validity of that certificate. Nowadays, there are automated tools for (domain-validated) certificate management.
  4. MaxCDN found a 5ms latency when testing encrypted connections compared to unencrypted connections. Tests showed a peak increase in CPU usage of about 2% as well. However, “even with dozens of parallel requests and hundreds of sequential requests, CPU usage never exceeded 5%.”

As for the performance of the whole connection, MaxCDN concluded: “Encryption does add a step in the initial connection process. The overhead for ongoing connections is negligible when compared to unencrypted connections.”

With the upcoming HTTP/2 standard, setting up a TLS connection will be significantly faster, due to its parallel design (fewer network round trips required for data exchanges).

Additionally, although the HTTP/2 standard itself does not require the use of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have said they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

5. Types of TLS/SSL Certificates

As of late, the entire web seems to be trending toward HTTPS. Certificates can be requested from Certificate Authorities, of which there are many providers. Read up on the various certificate options available in our article on choosing an SSL certificate, or read on as we briefly cover the three main types below.

Extended Validation (EV)

EV certificates come with the green address bar, a recognized symbol of trust on the Internet. EV certificates are the premier TLS certificates. Sites for which security and consumer trust are essentials, such as large eCommerce sites, should seriously consider an EV cert.

Figure: Websites with EV certificates tout the green bar of trust in the browser address bar.

These certificates are, however, the most expensive because an extended organizational verification process is done based on these issuing criteria.

Organization Validation (OV)

OV certificates do not come with the green address bar but activate a number of browser trust indicators. An OV certificate requires a business be verified by the Certificate Authority. The organization’s name will be listed on the certificate, which reinforces the trust.

OVs are used by corporations, governments, and other entities that want to provide an extra layer of confidence to their visitors. OV certificates are especially important for eCommerce websites if an EV certificate is unattainable for whatever reason.

Domain Validation (DV)

DV certificates offer industry-standard encryption (at the same level as the other certificate types), but not much else. Aside from its low (or even free) cost, another benefit of a Domain Validated (DV) certificate is it can be issued in mere minutes because the Certificate Authority only has to validate that you own the domain you wish to secure — which is often an automated process.

Begin Building Your SSL-Secured Site in Minutes

Now that you know what is required to secure your site using HTTPS, the TLS certificate options available, and the trust expectations of Internet users, you’re free to start implementing encryption best practices on your own site.

Websites increasingly need SSL security, as browsers and search engines continue to ramp up the penalties for unsafe sites. Visitors are far less likely to visit or provide payment or contact information if they see their data won’t be secure.

Head over to The SSL Store, an excellent partner in this somewhat bewildering world of web certificates and security acronyms. They will deliver friendly, security-qualified, and 24/7 customer support — not to be outdone by the best web hosts out there.
