+1-888-690-2424

Is it SSL, TLS or HTTPS?

Bruce Morton

Throughout this blog I appear to use (or misuse) the terms SSL, TLS and HTTPS interchangeably. From time to time I catch myself and say, “Which one should I be using?” Frankly, my default is to use SSL. When I reference an article or site, I do tend to side with the term it prefers. So what’s the difference?

Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure communications over the Internet. SSL was originally developed by Netscape and released as SSL 2.0 in 1995. A much improved SSL 3.0 was released in 1996. Current browsers do not support SSL 2.0.

Transport Layer Security (TLS) is the successor to SSL. TLS 1.0 was defined in RFC 2246 in January 1999. The differences between TLS 1.0 and SSL 3.0 were significant enough that they did not interoperate. TLS 1.0 did allow the ability to downgrade the connection to SSL 3.0. TLS 1.1 (RFC 4346, April 2006) and TLS 1.2 (RFC 5246, August 2008) are the later editions in the TLS family. Current browsers support TLS 1.0 by default and may optionally support TLS 1.1 and 1.2.

Hypertext Transfer Protocol Secure (HTTPS), or “HTTP Secure,” is an application-specific implementation that is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL/TLS. HTTPS is used to provide encrypted communication with and secure identification of a Web server.

In addition to HTTPS, SSL/TLS can be used to secure other application-specific protocols such as FTP, SMTP, NNTP and XMPP.

What terminology should we use? Since TLS has succeeded SSL, logic dictates that we should be using the term TLS instead of SSL. However, SSL is by far most common on the Internet, so SSL will continue to be my default acronym of choice when making non-application specific references. From time to time, I will use SSL/TLS. When talking about HTTPS, I may use SSL, SSL/TLS or HTTPS, who knows?

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

2 Comments

  1. Jason William November 20, 2014 Reply

    Which ssl certificate you recommend to use?

    • Bruce Morton Author
      Bruce Morton November 24, 2014 Reply

      The SSL certificate to choose is based on the requirement and the use of the server, and the trust you are trying to extend. The data in an SSL certificate can verified for the domain only (DV), the organization and domain (OV) or extended validation (EV), which provides a higher level of verification and authorization. Some certificates only need to protect one domain, some many domains (Multi-domain) and others protect sub-domains that might not be defined yet (Wildcard). The choice of the certificate type is yours, but most CAs will guide you through the process.

Add to the Conversation