What is the difference between HTTPS and SSL and TLS?

These are the things that people say you need to do but never quite explain.

The basic explanation is simple enough. SSL just indicates the secure use of some common protocol on the internet. For instance, all HTTPS traffic is encrypted (TLS) over the Internet and protected from eavesdropping (SSL).

This article will get into these three words with examples. Encryption is important because it's the only way you can keep your information safe when it's sent or stored online. You could have SSL or TLS, for example, and it would still require decryption for you to access the data contained within your emails or chat logs if that email, message, or log was transmitted or stored.

HTTPS encrypts data as it's sent. For HTTPS, this encryption is SSL or TLS. SSL encrypts the connection using symmetric encryption while TLS uses asymmetric encryption. HTTP is unencrypted in this sense because anyone, inside or outside the communications path, can decode what's sent between the computer and your web site. This is where TLS kicks in to make sure your data stays safe.

Secure Logins is all about passwords. Passwords are your key to secure internet transactions. The problem with this is that it allows someone who has access to your password/credentials to access your bank account. One way to address this is the concept of Secure Logins. Your password will be hashed, put in a table, and compared to the hashed values in a table. If there is a match, then the session will move along without any further user interaction.

Websites like Amazon.com have the most robust Secure Login system that I know of. For example, if you want to buy something online, you enter your credentials, which are captured via a login page. It hashes your password and compares it to the hash of the value in their database. If the hashed values match, they credit you with a purchase. As an added layer of protection, if you buy two of a product and don't use the same credential, it will block you from further purchases. If Amazon.com found your credentials at a competitor (for example Walmart) then you'd lose your credit for the previous purchase. It's an added layer of security which allows me to make secure purchases on the fly. You can't use a browser bookmark that will work on such websites.
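The hash-and-compare login check described above, as an added example that is not part of the original article. The in-memory table, the function names and the PBKDF2 parameters are assumptions of this sketch; it adds a per-user salt and a constant-time comparison, which the text does not mention.

```python
import hashlib
import hmac
import os

# Assumed work factor and salt size for this sketch; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Hypothetical in-memory "table": username -> (salt, derived_key).
credential_table = {}


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(username: str, password: str) -> None:
    """Store only the salt and the derived key, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    credential_table[username] = (salt, derive_key(password, salt))


# Dummy record used for unknown users so both paths do the same amount of work.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_KEY = derive_key("placeholder", _DUMMY_SALT)


def verify(username: str, password: str) -> bool:
    """Re-derive the key from the submitted password and compare in constant time."""
    salt, stored = credential_table.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = derive_key(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    # An unknown user must fail even if the dummy password happens to be submitted.
    return matches and username in credential_table
```

The hash only protects the stored table; the password still travels from the browser to the server, which is why the login page itself has to be served over HTTPS.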

Why was SSL renamed to TLS?

SSL is no longer a protocol; it is a family of protocols: SSL 1.0 (1996), SSL 2.0 (1998), TLS 1.0 (1999) and TLS 1.1 (2008). With all of these protocols, which are often used for HTTPS connections, it is mandatory to verify that the host being accessed really is the intended host, and has not been tampered with during transit. The most significant difference between TLS and SSL is that TLS uses asymmetric cryptographic mechanisms.

TLS: When TLS was defined the name "SSL" was still being used for something else entirely. That's why TLS is sometimes known as "SSTLS". This is also why people sometimes refer to the TLS "web" or "secure" protocol. In short, in the early days of TCP/IP networking, a connectionless network protocol such as TCP/IP could not guarantee that packets weren't being modified or read while they were being forwarded, or even just while they were being stored on the server. Consequently, a connection-oriented protocol called the Secure Socket Tunneling Protocol was designed to let a host specify a security layer at the transport level, i.e., what protocols were allowed to pass through the Internet, which prevented attackers from eavesdropping on, modifying, and redirecting traffic via various means. This was the genesis of SSL and TLS (which stands for Secure Sockets Layer and Transport Layer Security, but is also sometimes referred to as SSLv2, SSL3, TLSv2, and TLSv3). For a better treatment of this topic, please consult The Evolution of TLS.

Nowadays, a new secure protocol, HTTP 2.0 (HTTP Handshake for Transport Layer Security), has also been invented to increase security. Since HTTP 2.0 was officially introduced to Web sites, the web has become more secure since there's no need to use a tunneling protocol for HTTP anymore. However, there are still many things that make our browsers insecure including insecure versions of TLS. To prevent these insecure versions of TLS from being used on the Internet, CAs have adopted a set of guidelines called "HSTS", which mandates TLS 1. The HSTS guidelines have been adopted by almost every browser and mobile OS on the market, and TLS 1.

Should I say SSL or TLS?

There's a difference and it's one that should be clear before you click on the Order Confirmation page in your browser.

However, I've heard more than one confused person, and even a few confused developers, use the term 'SSL' when it comes to secure HTTP connections. The most recent confusion was after the recent Heartbleed bug was revealed.

Heartbleed SSL. That's why I thought it would be useful to explain the difference between SSL and TLS. SSL = Secure Socket Layer. TLS = Transport Layer Security. The differences between the two are a little bit more detailed and you'll get the details here: SSL vs TLS Explained. This also applies to other protocols, such as SSH or other protocols that offer encryption through tunnels (for example: VPN tunnel protocols). SSL vs TLS: What the Difference Means. SSL vs TLS is actually a difference of protocol, and not encryption technology. In fact, SSL 3.0 didn't use encryption at all. It relied on a trust relationship and a shared key to validate a remote server.

However, SSL 3.0 has been phased out and SSL and TLS have become synonymous terms. That is: SSL was replaced by TLS.

I'm not complaining. This means we don't have to worry about replacing our existing SSL code with new TLS code and then having to rewrite it.

However, people do get confused because they hear SSL used for 'secure HTTP connections.' SSL and TLS and their relation. What does 'secure HTTP connections' mean? Well, the HTTP protocol itself wasn't secure originally, and even today it's quite easy to bypass it. However, SSL 3.0 was created before the popularization of browsers, and it took a little while for browser makers to implement.

When browsers were created and put on the market, it was soon realized that SSL was only meant for encrypting the traffic that flows between web servers and browsers. It wasn't necessarily the right choice for encrypting the traffic between web servers and clients.

As time went by, web servers started adding HTTP requests, so web browsers wouldn't have to request information via HTTP every single time.
