Tuesday, January 12, 2016

How is TLS different from SSL?

When two hosts communicate over an insecure network and need to exchange sensitive data, especially for banking or e-commerce transactions, the communication must be encrypted and adequately protected. SSL and TLS were developed for that purpose: they secure banking and e-commerce transactions over an insecure network.

We often use the terms SSL and TLS interchangeably. But are they the same, or are they different?

How is TLS different from SSL?

SSL and TLS are two different protocols. There are seven main differences between SSL and TLS.

Let's look into these differences.

  • To enable secure data communication between two hosts over a network, SSL was first developed by Netscape. SSL 2.0 was the first publicly released version of the protocol, but security flaws were soon found in it, so SSL 3.0 replaced SSL 2.0. TLS 1.0 is in turn an upgraded version of SSL 3.0, so overall TLS is an updated form of SSL.
  • When two hosts communicate over TLS and the client has no certificate, TLS does not use a separate NoCertificate message to say so: the client simply returns an empty Certificate message, whereas SSL issues a NoCertificate message.
  • SSL operates with SHA or MD5 only. TLS uses HMAC, which can be built on any hash function, not just SHA and MD5.
  • SSL uses RSA, Diffie-Hellman or Fortezza/DMS output to create key material, whereas TLS derives it using the standard HMAC-based pseudorandom function and its output.
  • In SSL, the CertificateVerify message requires complex procedures; in TLS, the verification message is derived from the preceding handshake messages.
  • In TLS, the output of the HMAC-based pseudorandom function (PRF) is used to generate the master secret, and the 'client finished' or 'server finished' label is used to create the Finished message. In SSL, the same values are created in an ad-hoc manner from a combination of hash output, the selected cipher suite and parameter information.
  • SSL specifically uses RSA, Diffie-Hellman or Fortezza/DMS cipher suites; TLS has dropped Fortezza/DMS support.
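The two master-secret constructions contrasted above, as an added example that is not part of the original post: the TLS 1.0 PRF (P_MD5 XOR P_SHA-1, built from HMAC as in RFC 2246 section 5) next to the ad-hoc SSL 3.0 construction (RFC 6101 section 6.1). The pre-master secret and the client/server randoms in the `__main__` block are constructed sample values, not a real handshake.

```python
import hashlib
import hmac
import math


def p_hash(hash_name, secret, seed, length):
    """TLS 1.0/1.1 P_hash expansion (RFC 2246 section 5):
    HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    where A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)). Output is truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XORed with P_SHA1 over
    the second half; for an odd-length secret the two halves share the middle byte."""
    half = math.ceil(len(secret) / 2)
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls10_master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]"""
    return tls10_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def ssl3_master_secret(pre_master_secret, client_random, server_random):
    """SSL 3.0 ad-hoc construction (RFC 6101 section 6.1): three MD5-over-SHA1 blocks,
    each salted with one of the literal labels 'A', 'BB', 'CCC' instead of an HMAC."""
    out = b""
    for salt in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(salt + pre_master_secret + client_random + server_random).digest()
        out += hashlib.md5(pre_master_secret + inner).digest()
    return out


if __name__ == "__main__":
    # Constructed sample values: a 48-byte pre-master secret and 32-byte randoms,
    # the sizes both protocols specify. Not taken from a real connection.
    pms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    print("TLS 1.0 master secret:", tls10_master_secret(pms, cr, sr).hex())
    print("SSL 3.0 master secret:", ssl3_master_secret(pms, cr, sr).hex())
```

The same `tls10_prf` also produces the key block ("key expansion" label) and the Finished verify data ("client finished" / "server finished" labels), which is the uniformity the post contrasts with SSL's case-by-case derivations.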

So, in short, TLS is an upgraded and more secure version of SSL. Many security vulnerabilities have been found in SSL, and it is advisable to use TLS.
