Home » What’s the difference between SSL, TLS, and HTTPS?

What’s the difference between SSL, TLS, and HTTPS?

Solutons:


TLS is the new name for SSL. Namely, SSL protocol got to version 3.0; TLS 1.0 is “SSL 3.1”. TLS versions currently defined include TLS 1.1 and 1.2. Each new version adds a few features and modifies some internal details. We sometimes say “SSL/TLS”.

HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called “HTTPS”.

To explain the acronyms:

  • “SSL” means “Secure Sockets Layer”. This was coined by the inventors of the first versions of the protocol, Netscape (the company was later bought by AOL).
  • “TLS” means “Transport Layer Security”. The name was changed to avoid any legal issues with Netscape so that the protocol could be “open and free” (and published as a RFC). It also hints at the idea that the protocol works over any bidirectional stream of bytes, not just Internet-based sockets.
  • “HTTPS” is supposed to mean “HyperText Transfer Protocol Secure”, which is grammatically unsound. Nobody, except the terminally bored pedant, ever uses the translation; “HTTPS” is better thought of as “HTTP with an S that means SSL”. Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS… all of them being a bare protocol that “got secured” by running it within some SSL/TLS.

SSL and TLS are protocols that aim to provide privacy and data integrity between two parties (see RFC 2246), designed to run over a reliable communication protocol (typically TCP). Although the TLS specification doesn’t talk about sockets, the design of SSL/TLS was done so that applications could use them almost like traditional TCP sockets, for example SSLSocket in Java extends Socket (there are small differences in terms of usability, though).

HTTPS is HTTP over SSL/TLS, where the SSL/TLS connection is established first, and then normal HTTP data is exchanged over this SSL/TLS connection.
Whether you use SSL or TLS for this depends on the configuration of your browser and of the server (there usually is an option to allow SSLv2, SSLv3 or TLS 1.x).
The details of how HTTP and SSL/TLS form HTTPS are in RFC 2818.

Regarding the difference between SSL and TLS, you may be interested in these two answers I wrote for these similar questions on StackOverflow and ServerFault:

  • Difference between SSL & TLS [Stackoverflow]
  • What are the exact protocol level differences between SSL and TLS? [Serverfault]

You could consider TLSv1.0 as SSLv3.1 (in fact that’s what happens
within the records exchanged). It’s just easier to compare the TLSv1.0
with TLSv1.1 and TLSv1.2 because they’ve all been edited within IETF
and follow more or less the same structure. SSLv3 being edited by a
different institution (Netscape), it makes it a bit more difficult so
spot the differences.

Here are a few differences, but I doubt I can list them all:

  • In the ClientHello message (first message sent by the client, to initiate the handshake), the version is {3,0} for SSLv3, {3,1} for
    TLSv1.0 and {3,2} for TLSv1.1.
  • The ClientKeyExchange differs.
  • The MAC/HMAC differs (TLS uses HMAC whereas SSL uses an earlier version of HMAC).
  • The key derivation differs.
  • The client can send application data can be sent straight after sending the SSL/TLS Finished message in SSLv3. In TLSv1, it must wait
    for the server’s Finished message.
  • The list of cipher suites differ (and some of them have been renamed from SSL_* to TLS_*, keeping the same id number).
  • There are also differences regarding the new re-negotiation extension.

Generally, the higher the version or SSL/TLS, the more secure it is, provided you choose your cipher suites properly too (higher versions of TLS also offer using cipher suites that are considered better). (SSLv2 is considered insecure.) In addition, SSL doesn’t fall under the IETF scope. For example, the TLS renegotiation fix had to be retrofitted for SSLv3 (although SSL/TLS stacks had to be updated anyway).

You may also be interested in this answer:

  • What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?[Stackoverflow]

Note that some people oppose SSL and TLS as being the difference between “SSL/TLS upon connection” and “upgrade to TLS” (after some conversation using the application protocol). Despite some of these answers being relatively highly upvoted, this is incorrect. This mistake is propagated by the fact that certain applications, like Microsoft Outlook, offer two configuration options called “SSL” and “TLS” for SMTP/IMAP configuration when they really mean “SSL/TLS upon connection” and “upgrade to TLS”. (The same goes for the JavaMail library, I think.)

The RFCs that talk about STARTTLS were written when TLS was already an official RFC, that’s why they only talk about upgrading the connection to TLS. In practice, if you tweak the configuration of your mail client to force it to use SSLv3 instead of TLS (not something I would generally recommend), it’s still likely to be able to upgrade to SSL/TLS using STARTTLS with an SSLv3 connection, simply because it’s more about the mode of operation than the version of SSL/TLS and/or the cipher suites.

There is also a variant of HTTP where the upgrade to SSL/TLS is done within the HTTP protocol (similar to STARTTLS in LDAP/SMTP). This is described in RFC 2817. As far as I know, this is almost never used (and it’s not what’s used by https:// in browsers). The main relevant part of this RFC is the section about CONNECT for HTTP proxy servers (this is used by HTTP proxy servers to relay HTTPS connections).

SSL VS TLS

The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

Which is more Secure SSL or TLS

In terms of security they both are consider equally secured

The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

(SSL and TLS vs HTTP)

HTTP protocol is used to request and recive the data and https in which the ‘s’ is nothing but secure SSL which makes the http protocol request and receive activity encrypted so no middle man attacker can obtain the data easily.

If neither SSL nor TLS is used with HTTP

then your connection with the web server is unencrypted all the data will be sent in plaintext any middle man attacker can obtain and view that data.

so should go with SSL or TLS

well, both are same but TLS is more extensible and hoping to get more support in future
and TLS is backward compatible.

Related Solutions

Winsock programming connecting to a public ip

The issue is with your server. You are binding it to 127.0.0.1. This means your server will only bind to the loopback interface, so only clients running on the same machine as the server will be able to connect to the server using this same interface. If you...

Pin-board effect with CSS [closed]

You can use JavaScript to accomplish this but it can't be done with CSS floats alone. A library like jQuery masonry will do it well. The reason? The specs on floats. In particular #5 which says, "The outer top of a floating box may not be higher than the outer...

Calculate the sum with minimum usage of numbers

Here's a hint: 23 : 11 + 11+ 1 ( 3 magic numbers) 120: 110+ 10 (2 magic numbers) The highest digit in the target number is the answer, since you need exactly k magic numbers (all having 1 in the relevant position) in order for the sum to contain the digit k. So...

Why not drop the “auto” keyword? [duplicate]

Your proposal would be rejected on the basis of backward compatibility alone. But let's say for the sake of argument that the standards committee like your idea. You don't take into account the numerous ways you can initialize a variable widget w; // (a) widget...

Recursive to iterative using a systematic method [closed]

So, to restate the question. We have a function f, in our case fac. def fac(n): if n==0: return 1 else: return n*fac(n-1) It is implemented recursively. We want to implement a function facOpt that does the same thing but iteratively. fac is written almost in...

How can I match values in one file to ranges from another?

if the data file sizes are not huge, there is a simpler way $ join input1 input2 | awk '$5<$4 && $3<$5 {print $2, $5-$3+1}' B100002 32 B100043 15 B123465 3 This Perl code seems to solve your problem It is a common idiom: to load the entire...

Javascript difference between “=” and “===” [duplicate]

You need to use == or === for equality checking. = is the assignment operator. You can read about assignment operators here on MDN. As a quick reference as you are learning JS: = assignment operator == equal to === equal value and equal type != not equal !==...

Compiler complains about misplaced else [closed]

Your compiler complains about an misplaced else because, well, there is an else without a preceding if: // ... for (j=1; j<n-i; j++) { if(a[j]<=a[j+1]) { // ... } // END OF IF } // END OF FOR else { continue; } // ... The else in your code does not follow...

Bootstrap – custom alerts with progress bar

/* !important are just used to overide the bootstrap css in the snippet */ .alertContainer { border-radius: 0 !important; border-width: 0 !important; padding: 0 !important; height: auto !important; position: absolute !important; bottom: 15px !important; left:...

How to Garbage Collect an external Javascript load?

Yes, s.onload = null is useful and will garbage collect! As of 2019, it is not possible to explicitly or programmatically trigger garbage collection in JavaScript. That means it collects when it wants. Although there is cases where setting to null may do a GC...

Math programming with python

At first, what you are looking for is the modulo operator and the function math.floor() Modulo from wikipedia: In computing, the modulo operation finds the remainder after division of one number by another (sometimes called modulus). for example: 12%12=0...

Android slide over letters to create a word [closed]

Here some advice you can use: First for each cell you can create an object that represents the state of that cell: class Cell { char mChar; int row,column; boolean isSelected; } then you can create a 2D array of your cells Cell[][] mTable = ... For views you...

Sum two integers in Java

You reused the x and y variable names (hence the variable x is already defined in method main error), and forgot to assign the ints read from the Scanner to the x and y variables. Besides, there's no need to create two Scanner objects. public static void...