Re-Hashed: The Real Truth About TLS Vs SSL- The Difference May Surprise You!
1 Star2 Stars3 Stars4 Stars5 Stars (11 votes, average: 4.64 out of 5)
Loading...

Re-Hashed: The Real Truth About TLS Vs SSL- The Difference May Surprise You!

TLS vs SSL – Similar intentions, different means

When you are researching SSL Certificates, or if you already work with SSL (Secure Sockets Layer) to secure your online business, websites or any communication, you may come across another secure communications protocols: TLS (Transport Layer Security) and might be wondering about ‘TLS vs SSL.’

The majority of people who are connected with online business know SSL provides a secured, encrypted communication between a client and a server. But you may be wondering what TLS is, and scratching your head about the difference.

PCI Standards Require Abandoning SSL 3.0 and TLS 1.0

Luckily, the truth is simple. TLS is simply a newer version of SSL. TLS was first introduced in 1999 as an upgrade to SSL Version 3.0 and was written by Christopher Allen and Tim Dierks. As stated in their original paper, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”.

So in reality when you are talking about SSL today, you should really be saying TLS instead. However, the majority of people still say SSL instead of TLS and that’s why all major brands likes Symantec, Thawte, Comodo, and GeoTrust didn’t change the names of their products from SSL Certificates to TLS certificates. Likewise, this is why software that enables SSL on a server, such as OpenSSL, didn’t change its name to OpenTLS.

The certificates themselves have been expanded over time to support all the versions of SSL and TLS, so you don’t need to worry that you may be buying an incompatible certificate.

Is SSL itself really dead?

No, not completely. However it should be. Let’s explain…

Overall there are 5 different versions of SSL and TLS. They each made improvements on the version before it. However, not all computers and servers support all 5 versions, so a key part of setting up a secure connection is having the client and server agree on which protocol to use. When the client establishes the connection with the server there is a process called a “handshake” where the client and server choose the protocol version. In some cases a lack of mutual support will result in them using an older protocol, such as SSL 3.0. This is actually dangerous, too. SSL 3.0 has been proven vulnerable. It should be universally deprecated. Most platforms have already done this, but every now and then in the dark corners of the web you’ll still find SSL 3.0.

While we still talk about SSL and TLS as if they are the same, there are major technical differences between the newest version of TLS (which is Version 1.3) and the last version of SSL that was released (which was SSL 3.0). Again, this is why using SSL 3.0 today can be dangerous.

Most devices now support TLS, however there is a way to force a connection to use the older and insecure SSL versions known as a “downgrade attack”. Unfortunately, SSL 3.0 has weaknesses that hackers can exploit, giving them the incentive to try to force servers to downgrade to SSL 3.0

That being said – you shouldn’t worry too much. Supporting the most modern, secure versions of SSL is simply a matter of updating your server configuration. All SSL Certificates are capable of using any protocol version of SSL or TLS – so that’s not something you need to worry about when shopping for a certificate.

How can old versions of the SSL protocol be used to weaken Internet security?

In 2014, researchers at Google disclosed the ‘POODLE’ vulnerability, which could allow attackers to decrypt encrypted connections to websites that use the SSL 3.0 protocol using a “man in the middle” attack – a popular way to intercept data.

This is where the hacker inserts a process in between the client and server through which their communication passes through, allowing the hacker to listen in on a private communication. The hacker may also be able to redirect the client to a web site controlled by the hacker where the hacker will infect the client with malware and/or commit financial fraud.

The ‘Coffee shop” attack is the perfect example of a “Man in the Middle” attack. In this case, a hacker is sitting in the coffee shop, and has set up a laptop to broadcast a WiFi signal that looks the same as the “Coffee Shop’s WiFi.” The victim then carelessly connects to the hacker’s WiFi signal instead of the Coffer Shop WiFi and all of the victim’s traffic is subsequently available to the attacker to intercept and record. This type of attack would usually be stopped if the connection was encrypted. However, with the POODLE vulnerability, it would be theoretically possible to decrypt some data from sessions that are secured with SSL 3.0.

Fortunately, there is a simple solution: SSL 3.0 can be disabled on a server and/or in the client’s browser. If either party does not support the insecure version, there is no way to “fall back” to SSL or execute the attack.

You can check to see if a web site has SSL 3.0 enabled as follows: Enter your website URL at:
https://sslanalyzer.comodoca.com. Sites with SSL 3.0 will be reported as ‘Vulnerable to the POODLE attack.’

Note: Re-Hashed is a feature on Hashed Out where we take an older article and touch it up so that our new readers can enjoy it, too. This article originally ran on August 24, 2015. It has been updated and revised by Jay Thakkar.

5 comments
  • Since you used the ‘Coffee shop’ attack as an example of a ‘man-in-the-middle’ attack, I just have to ask, how can I tell if the Wi-Fi actually belongs to the coffee shop as opposed to a hacker?

    • It can be difficult as most criminals are savvy enough to pick something that sounds legitimate enough to be mistaken for the real thing. The best route is to ask an employee what the name of their network is. I’d still use a VPN though, as even if you are on the right network, the security on public WiFi isn’t always that strong.

  • If we disable ssl 3.0 from our browser or server then the the site becomes will become security less then how come the attackers cant attack our communication it would rather be very easy for him not correct me if im wrong?

    • Yes, that’s incorrect. Most browsers have already disabled support for SSL 3.0 and only support newer versions of TLS. SSL 3.0 has known vulnerabilities. You really shouldn’t even be using TLS 1.1 anymore now that TLS 1.3 is out. If someone can’t connect with your website because their browser only supports SSL 3.0, that’s on them. But best practice is to disable support for SSL 3.0.

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha *