SSL and TLS are 2 commonly used protocols for secured data transfer between a web server and a web browser (client machine). Both protocols provide authentication and encryption when transferring data between client and server. TLS is a more recent, improved and more secure version of SSL. It also fixes some key security vulnerabilities found in earlier SSL protocols.
How SSL/TLS work:
When SSL/TLS certificates are provisioned on a web server, 2 keys are used – (1) a public key and (2) a private key. The keys are used for encrypting and decrypting data between server and client.
Now, when a request is initiated by any visitor or client PC through a browser, the browser looks for the server site’s SSL/TLS certificate. Next, the browser performs a secured “handshake” to validate the certificate and authenticate the web server. Once the client PC's browser validates the authenticity of the certificate, an encrypted link between the client browser and the server is created for transport of data.
SSL was developed by Netscape. SSL went through some updates across its 3 versions. Though its 1st version (SSL v1) was not considered an official launch, its 1st approved version was SSL v2, which was launched in the year 1995. Below are the 3 releases of SSL –
- SSL v1
- SSL v2
- SSL v3
SSL 3.0 was prone to man-in-the-middle attacks. One such case was the “POODLE” vulnerability, which allowed attackers to encrypt and decrypt the traffic. Attackers could manipulate the communication and eavesdrop on the secured traffic. Further, client-initiated traffic could be redirected for cyber crimes like financial fraud and malware infection.
TLS was introduced in view of the security risks associated with the SSL protocol. Below are the 4 versions TLS has gone through since its inception by the IETF (Internet Engineering Task Force) –
- TLS v1.0
- TLS v1.1
- TLS v1.2
- TLS v1.3
TLS v1.0 had some security weaknesses which could put financial transactions at risk, and hence its use had to be stopped by 2018 by websites which were using credit cards or services used by the US Government.
TLS 1.3 has made significant improvements compared to its predecessors, and at present major players around the internet are pushing for its proliferation.
Most present-day web browsers no longer support SSL 2.0 and SSL 3.0. Major browsers, including Google Chrome, have already stopped or are planning to shortly stop supporting TLS 1.0 and TLS 1.1.
Now that we understand how SSL and TLS work and some of their history, let's illustrate the differences between the two protocols in the table below: