
What is the difference between SSL and TLS certificates?

Thursday, July 19th, 2018

You may have noticed that some resources refer to SSL certificates as TLS certificates.

The two names raise an obvious question about the encryption between a visitor's browser and a website's server: are SSL and TLS different protocols, and does it matter which one your certificate is "for"? This article explains the difference between the two protocols and whether you need to do anything about your SSL certificate.

The first version of TLS, TLS 1.0, was published in 1999 (RFC 2246) by Tim Dierks and Christopher Allen. They named the protocol Transport Layer Security and presented it as the successor to SSL 3.0. As they put it, the differences between TLS 1.0 and SSL 3.0 were not dramatic, but they were significant enough that the two do not interoperate, which is why the protocol was given a new name.

From that point on, TLS replaced SSL. When we say "SSL" today, we almost always mean TLS, and the certificate has nothing to do with which one is used: an "SSL certificate" is an X.509 certificate that the server presents during the handshake, while the protocol version (SSL 3.0, TLS 1.0, 1.1, 1.2 or 1.3) is negotiated between client and server independently of the certificate. The same certificate therefore works with every version of both protocols, even though its name never changed.

If SSL is now TLS, why aren’t we calling them TLS Certificates?

There is a technical reason and a more mundane reason why we still say "SSL" rather than "TLS" when we talk about SSL certificates.

The technical reason is historical: for a long time some clients and servers did not support TLS and could only negotiate a secure connection over SSL 3.0, so many servers kept SSL 3.0 enabled for compatibility.

However, an attacker who can tamper with traffic between the browser and the server can force that fallback in what is called a downgrade attack: by blocking the TLS handshake attempts, the attacker makes a browser that retries with older versions fall back from TLS 1.2 all the way to SSL 3.0. The weakness being exploited is in the protocol, not in any particular website: SSL 3.0 does not properly check the padding of CBC-mode cipher suites. The attack that combines the forced downgrade with that flaw was published by Google researchers in 2014 under the name "POODLE" (CVE-2014-3566). A man-in-the-middle who can also make the victim's browser send requests (for example through JavaScript injected into a plain HTTP page) can use it to decrypt pieces of the encrypted traffic, such as a session cookie, one byte at a time, and then hijack the user's session.

Luckily, the fix is simple: disable SSL 3.0 on your server (and preferably SSL 2.0, TLS 1.0 and TLS 1.1 as well, offering only TLS 1.2 and 1.3). As a visitor, you are protected by keeping your browser up to date: all major browsers have since removed SSL 3.0 support entirely and implement TLS_FALLBACK_SCSV (RFC 7507), which lets a server detect and reject a forced downgrade. Nothing about the certificate changes; once SSL 3.0 is turned off, the same certificate is used only over TLS.
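The check a practitioner would run before and after making that change, as an added example that is not part of the original article: a small POSIX shell script that audits nginx "ssl_protocols" and Apache "SSLProtocol" directives for versions that should no longer be offered, shows the weak configuration beside the hardened one, and probes a live endpoint for an SSL 3.0 handshake with the openssl CLI. The config files it writes are constructed samples in a temporary directory; the host and port passed to probe_sslv3 are whatever you choose to test.

```sh
#!/bin/sh
# Added example (not from the original article): audit web server protocol
# settings for SSL 3.0 and other retired versions, and probe a live endpoint.
# The sample config files below are constructed for illustration only.

# Versions that should no longer be offered. "all" is flagged because Apache
# 2.4 expands it to +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 (+TLSv1.3) unless a later
# "-SSLv3" removes it; replace it with an explicit allow list instead.
LEGACY='SSLv2|SSLv3|TLSv1|TLSv1\.1|all'

# Print each legacy version enabled by nginx "ssl_protocols" or Apache
# "SSLProtocol" directives in the given file, one per line.
# Returns 0 if the file is clean, 1 if anything legacy is still enabled.
audit_protocols() {
    found=$(grep -iE '^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]' "$1" \
        | sed 's/#.*$//; s/;//g; s/^[[:space:]]*[A-Za-z_]*[[:space:]]*//' \
        | tr -s ' \t' '\n' \
        | grep -v '^-' \
        | sed 's/^+//' \
        | grep -Ex "$LEGACY" \
        | LC_ALL=C sort -u)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Ask a live endpoint (host, port) for an SSL 3.0 handshake. A completed
# handshake means the server still negotiates SSL 3.0 and is exposed to POODLE.
# Most current OpenSSL builds are compiled without SSL 3.0, in which case the
# -ssl3 option does not exist and "nmap --script ssl-enum-ciphers" is the
# alternative; the function detects that and returns 2.
probe_sslv3() {
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "this openssl build has no SSL 3.0 support; use: nmap --script ssl-enum-ciphers -p $2 $1"
        return 2
    fi
    if openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: SSLv3'; then
        echo "$1:$2 still accepts SSL 3.0"
        return 1
    fi
    echo "$1:$2 refused SSL 3.0"
}

# Constructed sample configs: the weak form beside the hardened form.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nginx-weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # still answers SSL 3.0 handshakes
}
EOF
cat > "$tmp/nginx-hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
cat > "$tmp/apache-weak.conf" <<'EOF'
SSLProtocol all
EOF
cat > "$tmp/apache-hardened.conf" <<'EOF'
SSLProtocol -all +TLSv1.2 +TLSv1.3
EOF

for f in "$tmp"/*.conf; do
    if audit_protocols "$f" >/dev/null; then
        echo "OK      $(basename "$f")"
    else
        echo "LEGACY  $(basename "$f"): $(audit_protocols "$f" | tr '\n' ' ')"
    fi
done
```

Run it as is to see the audit of the four sample files; to check a real server, source the script and call probe_sslv3 with a host and port. Disabling SSL 3.0 in the server config and then re-running both checks is the whole procedure; the certificate files referenced elsewhere in the same config are left untouched.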

The mundane reason is that the general public knows the term "SSL", and the leading Certificate Authorities, such as DigiCert, GeoTrust, RapidSSL, Thawte and Sectigo, along with major software projects like OpenSSL, kept "SSL" in their product names. That is the main reason these are still called SSL certificates rather than TLS certificates: people are used to the name, and changing it would cause confusion.

In conclusion, there are three key things to remember from this article:

1) The SSL protocol has been replaced by the TLS protocol, but the old name stuck.
2) You do not need to replace or update your certificate: an X.509 certificate is independent of the protocol version and works with every version of SSL and TLS.
3) To protect your website, make sure your server refuses SSL 3.0 (and preferably TLS 1.0 and 1.1 as well), so that connections are only ever made over current TLS versions.