Blog Detail

  • Home
  • What’s the difference between SSL, TLS, and HTTPS?

What’s the difference between SSL, TLS, and HTTPS?

Meaning of the acronyms:

  • “SSL” means “Secure Sockets Layer”. This was coined by the inventors of the first versions of the protocol, Netscape (the company was later bought by AOL).
  • TLS” means “Transport Layer Security”. The name was changed to avoid any legal issues with Netscape so that the protocol could be “open and free” (and published as a RFC). It also hints at the idea that the protocol works over any bidirectional stream of bytes, not just Internet-based sockets.
  • HTTPS” is supposed to mean “HyperText Transfer Protocol Secure”, which is grammatically unsound. Nobody, except the terminally bored pedantic, ever uses the translation; “HTTPS” is better thought of as “HTTP with an S that means SSL”. Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS… all of them being a bare protocol that “got secured” by running it within some SSL/TLS.

In simple terms SSL (Secure Sockets Layer) is one of the security technology which is used to establish a secure connection between web server and web browser. SSL is an Industry standard protocol which is used by several websites for protecting their online transactions with their customers.

Originally SSL was developed by Netscape Communications, for allowing secure connection of Web Browser & Web Server. The very first version of SSL has never been released due to some problems regarding the protection of credit card transactions over Internet. In 1994, again another version was created by Netscape named as SSLv2, which overcame the problem of first version and able to secure credit card number and other sensitive data and also offered the authentication of Web Server through the use of encryption and digital certificates. In 1995, Netscape furthered one more step and strengthened their cryptographic algorithms in order to resolve the problems related to SSLv2 and they released it under another version called SSLv3, which supports several other security algorithms which were not supported by SSLv2.

On the other hand, TLS (Transport Layer Security), is an updated and more secured version of SSL. In 1999, TLS 1.0 was released as a successor to SSL. TLS 1.0 was based on SSL 3.0 and is defined in RFC 2246 (Dierks & Allen, 1999).

TLS is very closely related to SSL 3.0, though it does not provide backward compatibility due to changes in some of the algorithms. Though one thing to note is that, in today’s date also these security certificates are widely recognized as SSL, just because it’s a more commonly used term, but in reality whenever someone buys an SSL certificate, they are actually buying the latest TLS certificates with the option of ECC, RSA or DSA encryption.

Later on TLS 1.0 was updated to v1.1 in RFC 4346 in 2006 (Dierks & Rescorla, 2006) and again to v1.2 in RFC 5246 in 2008 (Dierks & Rescorla, 2008). TLS is encryption for data in transit, not data at rest. That means that the end host or recipient in a TLS connection must be able to decrypt the encrypted traffic sent to it in order to be processed and/or displayed in the web browser.

HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called “HTTPS”.



The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

Which is more Secure SSL or TLS

In terms of security they both are consider equally secured

The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

(SSL and TLS vs HTTP)

HTTP protocol is used to request and receive the data and https in which the ‘s’ is nothing but secure SSL which makes the http protocol request and receive activity encrypted so no middle man attacker can obtain the data easily.

If neither SSL nor TLS is used with HTTP, then your connection with the web server is unencrypted all the data will be sent in plain text any middle man attacker can obtain and view that data.

So should go with SSL or TLS?

Both are same except that TLS is more extensible and hoping to get more support in future and TLS is backward compatible.

Write a comment