MBF Knowledge Base
SSL TLS
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as when checking your email. The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, which as a result is sometimes referred to as SSL 3.1.
Which is more secure – SSL or TLS?
TLS v1.0 is marginally more secure than SSL v3.0, its predecessor. However, the subsequent versions of TLS, v1.1 and v1.2, are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1.0. One example is the BEAST attack, which can completely break web sites running on the older SSL v3.0 and TLS v1.0 protocols. The newer TLS versions, if properly configured, prevent BEAST and other attack vectors and provide many stronger ciphers and encryption methods. Unfortunately, even now a majority of web sites do not use the newer versions of TLS and still permit weak encryption ciphers. Check how well your favorite web site is configured.
Are TLS and SSL different encryption mechanisms?
If you set up an email program, you will often see separate options for “no encryption”, “SSL”, or “TLS” encryption of your transmission. This leads one to assume that TLS and SSL are different things.
In truth, this labeling is a misnomer. You are not actually selecting which method to use (SSL v3 or TLS v1.x) when making this choice. You are merely selecting between options that dictate how the secure connection will be initiated.
No matter which method you choose, TLS or SSL, the same level of encryption will be obtained when talking to the server; that level is determined by the software installed on the server, how it is configured, and what your program actually supports.
If the SSL vs TLS choice is not one of security, what is it?
There are two distinct ways that a program can initiate a secure connection with a server:
1: By Port: Connecting to a specific port means that a secure connection should be used. For example, port 443 for https (secure web), 993 for secure IMAP, 995 for secure POP, etc. These ports are set up on the server to negotiate a secure connection first, and do whatever else you want second.
2: By Protocol: These connections first begin with an insecure “hello” to the server and only then switch to secured communications after the handshake between the client and the server is successful. If this handshake fails for any reason, the connection is severed. A good example of this is the command “STARTTLS” used in outbound email (SMTP) connections.
The “By Port” method is commonly referred to as “SSL” and the “By Protocol” method is commonly referred to as “TLS” in many program configuration areas. Sometimes you have only the option to specify the port and whether a secure connection should be made or not, and the program itself guesses from that which method should be used; many old email programs like Outlook and Mac Mail did that.
To Review: In email programs and other systems where you can select from SSL or TLS together with the port a connection will be made on:
SSL means a “by port” connection to a port that expects the session to start with security negotiation.
TLS means a “by protocol” connection where the program will connect “insecurely” first and use special commands to enable encryption.
Use of either could result in a connection encrypted with either SSL or TLS of any version, based on what is installed on the server and what is supported by your program.
Both methods of connection result in equally secure communications.
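The two connection methods described above, as an added illustration that is not code from this article: the TLS handshake itself is only simulated (no real certificates or cryptography), so what the model shows is the order of events, which lines cross the wire in the clear, and that the negotiated protocol version is the same either way. The version lists, the IMAP-style lines and the port numbers are constructed sample values.

```python
# Added illustration (not code from the article): the TLS handshake is only
# simulated, so the point is the ORDER of events and which lines cross the
# wire in the clear. Version lists and port numbers are constructed samples.

SERVER_VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0"]   # what the server offers
CLIENT_VERSIONS = ["TLSv1.2", "TLSv1.0"]             # what the program supports
IMPLICIT_PORTS = {443, 993, 995}   # "by port": secure from the first byte


def negotiate(server, client):
    """Simulated handshake: highest version both sides support, else fail."""
    for version in server:
        if version in client:
            return version
    raise ConnectionError("handshake failed: no common protocol version")


def connect_by_port(server=SERVER_VERSIONS, client=CLIENT_VERSIONS):
    """Labelled 'SSL' in mail programs: negotiate first, talk second."""
    version = negotiate(server, client)        # nothing has gone out in the clear
    log = [(True, "* OK IMAP ready"), (True, "a1 LOGIN user pass")]
    return version, log                        # log entries: (encrypted?, line)


def connect_by_protocol(server=SERVER_VERSIONS, client=CLIENT_VERSIONS):
    """Labelled 'TLS' in mail programs: plain hello, then STARTTLS upgrade."""
    log = [(False, "* OK IMAP ready"), (False, "a0 STARTTLS")]  # visible on the wire
    try:
        version = negotiate(server, client)
    except ConnectionError:
        log.append((False, "* BYE"))           # handshake failed: connection severed
        raise
    log.append((True, "a1 LOGIN user pass"))   # credentials only after the upgrade
    return version, log


def open_session(port, server=SERVER_VERSIONS, client=CLIENT_VERSIONS):
    """Guess the method from the port number, as older mail programs did."""
    if port in IMPLICIT_PORTS:
        return connect_by_port(server, client)
    return connect_by_protocol(server, client)


def cleartext_lines(log):
    """Everything an eavesdropper on the path could read."""
    return [line for encrypted, line in log if not encrypted]
```

Running `open_session(993)` and `open_session(143)` (143 being the standard plain IMAP port, assumed here) yields the same negotiated version; only the STARTTLS path has lines in the transcript before encryption begins, and a client offering only a version the server does not support gets the connection severed.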
Both methods ensure that your data is encrypted as it is transmitted across the Internet. They also both enable you to be sure that the server you are communicating with is the server you intend to contact and not some “middle man eavesdropper”. This is possible because servers that support SSL and TLS must have certificates issued to them by a trusted third party, like Verisign or Thawte. These certificates verify that the domain name they are issued for really belongs to the server. Your computer will issue warnings to you if you try to connect to a server and the certificate that it gets back is not trusted or doesn’t match the site you are trying to connect to.
So then, should I choose TLS or SSL?
If you are configuring a server, you should install software that supports the latest version of the TLS standard, and configure it properly. This ensures that the connections your users make are as secure as possible. Using an excellent security certificate will also help a lot, e.g. one with 2048+ bit keys, Extended Validation, etc.
If you are configuring a program (especially an email program) and have the option to connect securely via SSL or TLS, you should feel free to choose either one, as long as it is supported by your server.
Note: many web browsers have special preference areas that allow you to specifically enable/disable SSL v2, SSL v3, TLS v1.0, etc. In these cases you are actually telling the browser which versions of these security protocols you will allow it to use when establishing secure connections. We recommend turning off SSL v2 (it’s way out of date and provides no real security). You should leave SSL v3 enabled unless you only connect to secure web sites that have updated TLS implementations installed; as most do not, disabling SSL v3 would break many web sites.
What happens if I do not select either one?
If neither SSL nor TLS is used, then the communications between you and the server can easily become a party line for eavesdroppers. Your data and your login information are sent in plain text for anyone to see; there is no guarantee that the server you connect to is not some middle man or interloper.