ssl_tls - dwilson2547/wiki_demo GitHub Wiki

Here’s a clear and concise explanation of SSL and TLS, including their differences:

SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

1. Overview

  • SSL and TLS are cryptographic protocols designed to secure communication over a network, most commonly used for HTTPS (secure web browsing).
  • They provide:
    • Encryption: Protects data from eavesdropping.
    • Authentication: Verifies the identity of the server (and optionally the client).
    • Integrity: Ensures data is not altered during transmission.

2. History and Evolution

  • SSL:
    • Developed by Netscape in the 1990s.
    • Versions: SSL 1.0 (never released), SSL 2.0 (1995, insecure), SSL 3.0 (1996, deprecated in 2015 due to vulnerabilities like POODLE).
  • TLS:
    • Successor to SSL, introduced in 1999 as TLS 1.0.
    • Based on SSL 3.0 but with significant security improvements.
    • Latest versions: TLS 1.2 (2008) and TLS 1.3 (2018).

3. Key Differences

Feature SSL TLS
Development Created by Netscape Standardized by IETF
Versions SSL 1.0, 2.0, 3.0 TLS 1.0, 1.1, 1.2, 1.3
Security Vulnerable to attacks More secure, modern algorithms
Handshake Process Less efficient Faster, more efficient
Cipher Suites Limited options Stronger, more flexible
Current Use Deprecated Actively used (TLS 1.2/1.3)

4. How SSL/TLS Works

  1. Handshake:
    • Client and server agree on a protocol version, cipher suite, and exchange keys.
    • Server authenticates itself with a digital certificate (issued by a trusted CA like Let’s Encrypt).
    • Client and server generate a session key for symmetric encryption.
  2. Data Transfer:
    • All communication is encrypted using the session key.
  3. Termination:
    • Session ends securely, and keys are discarded.

5. Why TLS Replaced SSL

  • Security Flaws: SSL 3.0 and earlier are vulnerable to exploits (e.g., POODLE, BEAST).
  • Performance: TLS 1.3 reduces handshake latency (1-RTT or even 0-RTT).
  • Modern Algorithms: TLS supports stronger encryption (e.g., AES, ChaCha20) and forward secrecy.

6. Practical Implications

  • Terminology: "SSL" is often used colloquially to refer to TLS (e.g., "SSL certificates" are actually TLS certificates).
  • Compatibility: Modern browsers and servers disable SSL by default and require TLS 1.2 or higher.
  • Certificates: Both use X.509 certificates for authentication.

7. How to Check for SSL/TLS

  • Browser: Look for a padlock icon and "HTTPS" in the address bar.
  • Command Line: 
    openssl s_client -connect example.com:443 -tls1_2
    (Replace -tls1_2 with the version you want to test.)

8. Best Practices

  • Use TLS 1.2 or 1.3: Disable SSL and older TLS versions.
  • Strong Cipher Suites: Prioritize AES-GCM and ChaCha20.
  • Regular Updates: Keep servers and clients updated to avoid vulnerabilities.
⚠️ **GitHub.com Fallback** ⚠️