What's the difference between SSL, TLS, and HTTPS?

  • I get confused with the terms in this area. What is SSL, TLS, and HTTPS? What are the differences between them?

    See https://www.trustworthyinternet.org/ssl-pulse/#chart-protocol-support for a survey of site support for different SSL and TLS versions.

December 2014: Expect SSL support to drop fast now that it's irreparably broken by POODLE. Browsers have already removed it (Firefox immediately, Chrome cautiously, Internet Explorer partially).

• TLS is the new name for SSL. Namely, the SSL protocol got to version 3.0; TLS 1.0 is "SSL 3.1". TLS versions currently defined include TLS 1.1 and 1.2. Each new version adds a few features and modifies some internal details. We sometimes say "SSL/TLS".

    HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called "HTTPS".

    To explain the acronyms:

    • "SSL" means "Secure Sockets Layer". This was coined by the inventors of the first versions of the protocol, Netscape (the company was later bought by AOL).
• "TLS" means "Transport Layer Security". The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free" (and published as an RFC). It also hints at the idea that the protocol works over any bidirectional stream of bytes, not just Internet-based sockets.
    • "HTTPS" is supposed to mean "HyperText Transfer Protocol Secure", which is grammatically unsound. Nobody, except the terminally bored pedant, ever uses the translation; "HTTPS" is better thought of as "HTTP with an S that means SSL". Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS... all of them being a bare protocol that "got secured" by running it within some SSL/TLS.

To make the confusion perfect: SSL (secure socket layer) often refers to the old protocol variant which starts with the handshake right away and therefore requires another port for the encrypted protocol, such as 443 instead of 80. TLS (transport layer security) often refers to the new variant which allows starting with an unencrypted traditional protocol and then issuing a command (usually STARTTLS) to initialize the handshake.

    SSL no longer exists. There is TLS 0.9, and for the insane, TLS version -0.1.

    @Hendrik, I'm not sure I'd call starting with the handshake the "old" variant and the one that does an upgrade on the same port (a la STARTTLS) the "new" variant. They're just different. I've always found the arguments for one to be more secure than the other to be very subjective: both approaches need to be configured and used properly to be secure.

    @thejh, oops, good catch.

Don't confuse the issue by mentioning STARTTLS! TLS and SSL provide a generic secure connection that can be used to send any protocol over it: when the HTTP protocol is sent over TLS or SSL it is referred to as HTTPS. The STARTTLS feature is only available in the SMTP email exchange protocol and has nothing to do with HTTP or HTTPS. TLS and SSL know nothing about the STARTSSL command. Both TLS and SSL always start with the handshake to establish a secure connection.

    If TLS and SSL are essentially the same thing, how come when setting up an e-mail account in Outlook the encryption options are SSL or TLS?

    With SMTP and IMAP, there are two methods to use SSL: one is similar to HTTPS (you start with SSL, and within the tunnel you use the plain protocol), the other uses the `STARTTLS` command (you start with the plain protocol, and then switch to SSL after some negotiation). The client must know what to do beforehand (notably because both methods don't use the same port: 143 for IMAP+STARTTLS, 993 with IMAP-within-SSL). As general overlords of Confusion, Microsoft decided to call these two methods "SSL" and "TLS".

@Hoylen Thank you for mentioning that STARTTLS is not part of anything aside from SMTP. I read STARTTLS and started going down a path that would have led to the dark side.
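The two points made in this thread, that TLS 1.0 is literally "SSL 3.1" on the wire and that a client (or a network sensor) must know beforehand whether a port speaks TLS from the first byte or starts in plaintext and upgrades with STARTTLS, can both be checked directly against the bytes of a connection. The following is an added example, not code from the original question or answers: it decodes the version field of a TLS record header and of a ClientHello/ServerHello, and classifies the first bytes seen on a connection as an implicit-TLS handshake or a plaintext IMAP/SMTP/POP3 greeting. The sample byte strings are constructed for the demo, and the TLS 1.2 minimum in `meets_minimum` is this example's own policy choice, not something the thread states.

```python
"""Decode SSL/TLS version numbers from the wire and tell implicit TLS apart
from plaintext-first (STARTTLS-capable) protocols. Added example; all sample
bytes below are constructed, not captured from a real server."""
import struct

# Record-layer version numbers. TLS 1.0 really is 3.1, i.e. "SSL 3.1".
VERSION_NAMES = {
    (2, 0): "SSL 2.0",
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}


def version_name(version):
    """Map a (major, minor) pair to its protocol name."""
    return VERSION_NAMES.get(tuple(version), "unknown %d.%d" % tuple(version))


def parse_record_header(data: bytes):
    """Parse the 5-byte TLS record header: type(1) major(1) minor(1) length(2).
    Returns a dict, or None if the bytes do not look like a TLS record."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major not in (2, 3):
        return None
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}


def handshake_version(data: bytes):
    """For a handshake record carrying a ClientHello/ServerHello, return the
    version inside the handshake body (offset 9). Note: TLS 1.3 keeps 3.3 here
    and signals 1.3 in the supported_versions extension, which this does not parse."""
    hdr = parse_record_header(data)
    if hdr is None or hdr["type"] != "handshake" or len(data) < 11:
        return None
    if data[5] not in HANDSHAKE_TYPES:
        return None
    return (data[9], data[10])


def classify_first_bytes(data: bytes) -> str:
    """Implicit TLS (HTTPS on 443, IMAPS on 993): the client's first bytes are a
    TLS record. Plaintext-first protocols (IMAP on 143, SMTP on 25/587): the
    server's first bytes are a textual greeting, and a STARTTLS upgrade may
    follow later, so the same port cannot be assumed to be TLS from byte one."""
    if parse_record_header(data) is not None:
        return "implicit-tls"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown-binary"
    if text.startswith(("* OK", "220 ", "+OK")):   # IMAP, SMTP, POP3 greetings
        return "plaintext-greeting"
    return "plaintext"


def meets_minimum(version, floor=(3, 3)) -> bool:
    """Policy check used by this example: accept nothing below TLS 1.2 (3.3),
    which also rejects SSL 3.0 (POODLE) and SSL 2.0."""
    return tuple(version) >= floor


# Constructed samples (lengths are illustrative; only the headers are parsed).
TLS_CLIENT_HELLO = bytes.fromhex("160301002f") + bytes.fromhex("0100002b0303") + b"\x00" * 32
SSL3_SERVER_HELLO = bytes.fromhex("1603000030") + bytes.fromhex("0200002c0300") + b"\x00" * 32
IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n"
SMTP_GREETING = b"220 mail.example.test ESMTP\r\n"

if __name__ == "__main__":
    for label, sample in [("ClientHello", TLS_CLIENT_HELLO), ("SSL3 ServerHello", SSL3_SERVER_HELLO),
                          ("IMAP greeting", IMAP_GREETING), ("SMTP greeting", SMTP_GREETING)]:
        kind = classify_first_bytes(sample)
        line = f"{label:17s} -> {kind}"
        hdr = parse_record_header(sample)
        if hdr:
            hv = handshake_version(sample)
            line += (f", record {version_name(hdr['version'])}, handshake {version_name(hv)}"
                     f", acceptable={meets_minimum(hv)}")
        print(line)
```

Note that the constructed ClientHello carries record-layer version 3.1 and handshake version 3.3, which is exactly what a TLS 1.2 client sends in practice: the record header keeps the old "SSL 3.1" number for compatibility, and the real offer sits inside the handshake. A sensor that only reads the record header would misreport such a connection as TLS 1.0.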

License under CC-BY-SA with attribution
