Difference Between SSL and TLS

SSL stands for "Secure Sockets Layer". It commonly uses port 443 to connect your computer to a secure server on the Internet. SSL is most often used for transmitting credit card, tax, banking, or personal information to a business server somewhere. Examples of SSL are purchasing an item online, filing your taxes online, or transferring funds between your bank accounts.

Both SSL and TLS strive to create confidential connections across the Net. With only very few exceptions, it is not possible for a regular hacker to break into an SSL or TLS connection; the encryption technology is as reliable as 21st century programming can make it. When you are trying to transmit financial information or internal business documentation, it is highly advisable that you only do so with an SSL or TLS type of connection. Both SSL and TLS are special encryption and protocol technologies used to connect two computers. SSL and TLS lock out eavesdroppers by encrypting the connection.


SSL and TLS both use cryptography to provide authentication and security to Internet communications. TLS was designed to replace SSL. There are a handful of minor differences. So, why create a new protocol? The truth is, it is very easy to break SSL with mistakes that occur on the HTTP level. Because SSL, created by Netscape in 1994 to provide application-independent secure communications over the Internet, is a closed proprietary protocol, the community cannot make changes or validate its security. The Internet Engineering Task Force (IETF) created TLS, an open version of the protocol, so everyone would be free to use and comment on it.

The purpose of TLS is to replace SSL because SSL still has some unsolved security issues. The most important part of TLS is the handshake between a client and the server to which the client wants to connect. During this handshake all security parameters and secrets are exchanged. Thus, this is the most vulnerable point of the protocol. TLS did not replace SSL. However, you can view SSL 3.0 as the groundwork for TLS 1.0. TLS was never truly designed to replace SSL. This is funny, as some people refer to TLS as SSL 3.1. They are both strong encryption protocols. Just know that when turning on SSL and TLS you are ensuring that your browser configuration is compatible with the server you are connecting to. The US government mandates the use of TLS, because it supports AES encryption.
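
The "SSL 3.1" nickname and the browser/server compatibility point can both be seen in the first handshake message. The following is an added example, not code from the original page: it parses a constructed ClientHello, maps the version bytes on the wire to protocol names, and picks the version a server would agree to under the pre-TLS 1.3 rule (highest server-enabled version not above the client's offer). The function names and the sample bytes are assumptions made for illustration.

```python
import struct

# Version bytes as sent on the wire. TLS 1.0 identifies itself as 3.1,
# which is where the "SSL 3.1" nickname comes from.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
AES_SUITES = {0x002F, 0x0035}  # TLS_RSA_WITH_AES_128/256_CBC_SHA


def build_sample_hello(version):
    """Constructed ClientHello for the demo: zero random, no session id."""
    suites = struct.pack("!HHH", 0x000A, 0x002F, 0x0035)
    body = (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the offered version and cipher suites from one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if ctype != 22 or len(body) != length or len(body) < 41 or body[0] != 1:
        raise ValueError("not a complete ClientHello record")
    version = (body[4], body[5])          # client's highest supported version
    off = 39 + body[38]                   # skip 32-byte random and session id
    cs_len = int.from_bytes(body[off:off + 2], "big")
    raw = body[off + 2:off + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2 or not cs_len:
        raise ValueError("malformed cipher suite list")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {"client_version": VERSIONS.get(version, "unknown %d.%d" % version),
            "wire_version": version, "suites": suites,
            "offers_aes": any(s in AES_SUITES for s in suites)}


def negotiate(client_version, server_enabled):
    """Pre-TLS 1.3 rule: highest server-enabled version <= the client's offer."""
    usable = [v for v in server_enabled if v <= client_version]
    return VERSIONS.get(max(usable)) if usable else None


if __name__ == "__main__":
    info = parse_client_hello(build_sample_hello((3, 1)))
    print(info["client_version"], "offers AES:", info["offers_aes"])
    print(negotiate(info["wire_version"], {(3, 0), (3, 1)}))
    print(negotiate(info["wire_version"], {(3, 3)}))
```

When the server's enabled versions all sit above the client's offer, `negotiate` returns `None`: there is no common version and the handshake fails, which is the compatibility problem the paragraph describes.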

What is a secure site?
How can I tell if a web page is secure?
Anytime a web page asks you for sensitive information, you need to be able to identify if the page is secure or not. The ability to recognize a secure web connection is extremely important as online fraud cases have increased substantially from year to year.

1] Check the web page URL
Check for "https" at the start of the web page address.
Visit the home page of Note the URL begins with "http", meaning that the home page is not secure. Now click the link to "Log in". Notice the change in the URL? It now begins with "https", meaning the user name and password typed in will be encrypted before being sent to the server.

2] Check for the "Lock" icon

Click on the "lock" icon in the address bar of your browser.
There is a de facto standard among web browsers to display a "lock" icon somewhere in the window of the browser (NOT in the web page display area!). This is important to know because some fraudulent web sites are built with a bar at the bottom of the web page to imitate the lock icon of your browser. Microsoft Internet Explorer [IE8] displays the lock icon to the right of the URL bar.

THE LOCK ICON IS NOT JUST A PICTURE! When you click on it you will see details of the site's security.


Do I need SSL 2.0, SSL 3.0 and TLS 1.0 all enabled in my browser?
I would leave them all checked. You will not hurt your system and it will help ensure that your browser is compatible with a secure system that may possibly be using an older version. To check your settings, click on Tools--Internet Options--Advanced.


SSL hopelessly broken?
Blunders expose huge cracks in net's trust foundation

Every year or so, a crisis or three exposes deep fractures in the system that's supposed to serve as the internet's foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.

And in 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it fathered the orphan credential.

In 2011 it was the revelation that unknown hackers broke into the servers of a reseller of Comodo, one of the world's most widely used certificate authorities, and forged documents for Google Mail and other sensitive websites. It took two, seven and eight days for the counterfeits to be blacklisted by Google Chrome, Mozilla Firefox and IE respectively, meaning users of those browsers were vulnerable to unauthorized monitoring of some of their most intimate web conversations during that time.

Vanish.Org Copyright © 2006 All rights reserved