1

What are the difference between Transport layer security(TLS) and secure sockets layer(SSL). what could be the weakness of them

thalla
  • 21
  • 2
  • Just Google the same – haseeb Nov 06 '15 at 17:38
  • **PLEASE NOTE**: All versions of SSL plus TLS 1.0 and 1.1 are deprecated. All new installations should be configured to accept TLS 1.2 ONLY. Given that the most recent update of TLS 1.2 was published in March, 2011 ([RFC 6176](https://tools.ietf.org/html/rfc6176) which only added a requirement that fall back to SSL 2.0 be disabled), all browsers and most applications have had more than enough time to be compatible. The exceptions should be very few, very narrow and well justified. – JaimeCastells Nov 06 '15 at 17:59
  • @JaimeCastells that's a little over-optimistic. Not every browser *has* made the change. It is still an issue. – schroeder Nov 06 '15 at 18:28
  • While many (all?) browsers still support earlier encryption standards, I am not aware of any that do not support TLS 1.2. From the perspective of a firm publishing a web site, it is a safe assumption that your audience will be able to connect. @schroeder, do you know of a browser that does not support TLS 1.2? I suppose an argument could be made for old versions or browsers that are no longer under support/development, but there is a "reasonable person" criteria for how long a firm needs to support dated browsers. – JaimeCastells Nov 07 '15 at 15:58
  • @JaimeCastells "reasonable person" is moot if your target audience uses an older browser. As a Security Architect for a SaaS company, I can tell you that this is still a real issue. – schroeder Nov 07 '15 at 17:43
  • @schroeder. my instinct is that you are mistaken, but you are in a singularly good position to have hard numbers. You should be able to tell from system logs what the mix of browsers to your web sites are. In fact, you probably have the data to answer the question more specifically than by browser version. If your web servers are configured to prefer TLS 1.2 and fall back if the client is not compatible, the frequency of that event should be visible in your logs. It would be very helpful to this community if you could provide visibility into that metric. Please? – JaimeCastells Nov 08 '15 at 15:45
  • Not in this question - such detail would be superfluous. I can tell you this: for one company that I designed the security for, they served a geographically local area of businesses made of primarily of mom-and-pop type ownerships. These places only spend money when absolutely necessary. The number of businesses still running XP and IE 8 were high and represented a large portion of the company's revenue. Even if the Internet's stats may say that older browsers are insignificant, in some niches, they are the primary browser. – schroeder Nov 08 '15 at 17:12
  • @schroeder, I did some research and your practical knowledge was more reliable than my instinct. The problem is more subtle than I had realized. Most browsers had support for TLS 1,2 by the end of 2009, but it was optional and disabled by default because the browser providers were concerned about possible crashes when the browser offered an unrecognized protocol to servers that did not yet support it. This was broadly the case for most browsers till only the last 2 years or less. So users with unpatched browser more than two years out of date probably have TLS 1.2 disabled. – JaimeCastells Nov 08 '15 at 17:22

1 Answers1

3

SSL is the code name for three successive protocols that were designed by Netscape, back in the 1990s. The acronym stands for "Secure Sockets Layer". The three protocols are very different from each other (SSL 1.0 was never published but has been described as "embarrassing"; SSL 2.0 was published as draft; and SSL 3.0 was considerably modified to try to fix a number of shortcomings in SSL 2.0).

Then the whole concept was given to the IETF, who became responsible for maintaining the SSL 3.0 protocol. The subsequent protocols were called TLS, starting with TLS 1.0, then 1.1 and 1.2. The name change was partly meant to convey the idea that the protocol could be applied to any bidirectional transport medium, not just Internet sockets; and partly to avoid any potential issues with the reuse of the "SSL" acronym which might have been a Netscape trademark.

In any case, TLS 1.0, 1.1 and 1.2 are quite similar to SSL 3.0 in their definition and functioning; there is a much larger gap between SSL 2.0 and SSL 3.0, than between SSL 3.0 and TLS 1.2. Thus, trying to keep "SSL" and "TLS" apart from each other does not make a lot of technical sense. The difference in terminology relates to administrative concepts.

Personally, I tend to use "SSL" as a designation of the whole concept (thus encompassing all versions, from SSL 1.0 to TLS 1.2), and "TLS" only to designate the IETF incarnations of that concept. In many cases, I write "SSL/TLS" when I want to avoid any vain debate.

See also this answer.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480