SSL versus TLS – What’s the difference?
SSL versus TLS
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a difference between the two?
Is one more secure than the other?
While SSL and TLS differ in ways that make them inoperable with each other, they are generally considered equal in terms of security. The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.
Both Internet security protocols ensure that your data is encrypted as it is transmitted across the Internet. They also both enable you to be sure that the server that you are communication with is the server you intend to contact and not some “middle man eavesdropper”. This is possible because servers that support SSL and TLS must have certificates issued to them by a trusted third party, like Verisign or Thawte. These certificates verify that the domain name they are issued for really belongs to the server. Your computer will issue warnings to you if you try to connect to a server and the certificate that it gets back is not trusted or doesn’t match the site you are trying to connect to.
If you are mostly concerned about your level of security, you can’t really go wrong choosing either SSL or TLS.
So then, should I choose to connect with TLS or SSL?
The main benefit in opting for TLS over SSL is that TLS was incepted as an open-community standard, meaning TLS is more extensible and will likely be more widely supported in the future with other Internet standards. TLS is even backwards compatible, possessing the ability to “scale down” to SSL if necessary to support secure client-side connections that only understand SSL.
Another more immediate benefit, however, is that TLS allows both secure and insecure connections over the same port, whereas SSL requires a designated secure-only port. For users connecting to an email server via POP or IMAP, this means that using TLS will allow you to opt for secure connections but easily switch to insecure connections if necessary without needing to change ports. This is not possible with SSL.
However, as discussed in the previous section, it really doesn’t matter which one is used in terms of security.
What happens if I do not use either security protocol?
If neither SSL nor TLS is used, then the communications between you and the server can easily become a party line for eavesdroppers. Your email data and your login information are sent in plaintext for all to see, and there is no guarantee that the server you connect to is not some middle man or interloper.
Does LuxSci support these security protocols?
SSL is the basis of client-server security used by LuxSci for all of our services. We offer a variety of ports for connecting securely to POP, IMAP, and SMTP over both SSL and TLS in addition to the standard insecure ports, and we offer them free of charge. LuxSci also offers MySQL, LDAP and WebMail over SSL and provides SSL for web hosting clients.
To ensure the integrity and security of your data, LuxSci strongly recommends taking advantage of our secure capabilities. See also our Case for Email Security for complete details on the general insecurity of email and what can be done about it.
December 5th, 2008 at 6:10 pm
[...] Has problems with TLS for SMTP; i.e. Outlook assumes that secure SMTP connections on any port other than 25 are always via SSL (and not TLS — what’s the difference?). [...]
December 11th, 2008 at 10:40 am
[...] SSL or TLS (what is the difference?) Be sure to configure your IMAP and SMTP "Security Settings" to use [...]
January 20th, 2009 at 10:43 am
[...] At its most basic level, SSL works as follows (TLS works similarly — what is the difference?): [...]
January 20th, 2009 at 2:27 pm
[...] used in symmetric key cryptography (which, for example, is used for the actual data transmission in SSL and TLS). It is also the "gold standard" encryption technique; many security-conscious [...]
March 12th, 2009 at 7:52 am
[...] SSL versus TLS – What’s the difference? [...]
May 14th, 2009 at 1:24 pm
Excellent article. Thank you for taking the time to concisely explain the subtle differences of SSLv3 & TLS. Also, I love the iPhone reformatting support that you’ve added to your WordPress installation. One note about it: It did say there were 4 comments on this article, but they were not displayed in the mobile iPhone version.
August 26th, 2009 at 9:21 pm
[...] email encryption is one way to ensure that your email can only be read by the intended recipients. SSL and TLS connections are secure, but only to a point. While you can ensure that your users connect securely [...]
January 15th, 2010 at 11:09 pm
[...] The easiest thing you can do to make your email more secure is to use an email provider that supports “Secure Socket Layer” (SSL) for their Webmail, POP, IMAP, and SMTP servers. TLS is a type of SSL that can be initiated during a mail session; unlike TLS, SSL must be initiated before sending the email (see SSL versus TLS – What’s the difference?). [...]
February 19th, 2010 at 5:13 pm
[...] stands for “Transport Layer Security” and is closely related to “SSL” (Secure Socket Layer). TLS is one of the standard ways that computers transmit information over an [...]