SSL vs TLS vs mTLS
Transport over the internet calls for protocols that establish a secure connection between two systems. These systems can be servers, machines, applications or users. A cryptographic protocol is required to authenticate the connection and establish encrypted communication between the two ends, protecting the data from unauthorized access.

SSL and TLS are both cryptographic protocols for encrypting data to be transferred over a network, with SSL being the older technology. Many people are already familiar with it.
Putting SSL vs. TLS vs. mTLS in simplest words, here’s what you should know:
- TLS is the successor of SSL.
- mTLS is not a different protocol. It is just an extension of the TLS standard.
Let’s learn more about these protocols, identifying the key differences in their authentication and data encryption processes and their effectiveness in securing data in transit.
What is SSL?
SSL, or Secure Sockets Layer, was the first cryptographic protocol to be developed by Netscape Communications Protocol to transfer sensitive data securely over a network. SSL served as an encryption system between the two endpoints, ensuring that any data transferred between the two systems is unreadable to anyone else. In this way, the protocol prevents hackers from accessing sensitive information such as credit card numbers, or personal information such as names and addresses.
SSL 2.0 was the first publicly released SSL protocol, appearing in February 1995; SSL 1.0 had security issues and was never released. SSL 3.0 followed SSL 2.0, releasing in 1996. The last of the SSL upgrades, SSL 3.0 further addressed the security flaws of its predecessors.

What is TLS?
TLS, Transport Layer Security, is also a cryptographic protocol. TLS 1.0 was released in 1999 as the successor to SSL 3.0. TLS 1.0 was not very different from SSL 3.0 apart from its security upgrades, though the change in name suggests otherwise. The main reason for the name change was that TLS was developed by a different organization, the IETF (Internet Engineering Task Force).
The main flaw of TLS 1.0 was that it allowed a connection downgrade to SSL 3.0. So even though TLS 1.0 offered better data security, hackers could easily downgrade the protocol to SSL 3.0 to target the connection.
This flaw, among other reasons, pushed the release of updates. TLS 1.1 came out in 2006, soon followed by TLS 1.2 in 2008. TLS 1.3 came out ten years later, releasing officially in August 2018. It has significant improvements over its predecessor TLS 1.2 and requires digital signatures whenever an earlier configuration is used. This means hackers don’t have the option to downgrade the protocol to break the security.
The latest cryptographic protocol at the time of writing this article is TLS 1.3. Google, Apple, Microsoft and Mozilla announced deprecation of TLS 1.0 and TLS 1.1 in March 2020. SSL 2.0 and SSL 3.0 were already deprecated much earlier, in 2011 and 2015 respectively.
Currently, TLS 1.2 and TLS 1.3 are the recommended protocols for encrypted transfer of data.
What is a Handshake?
Both protocols, SSL and TLS, attempt to achieve the same purpose. Their purpose is to authenticate the server, establish a secure connection between the client and the server and transfer encrypted data over that connection. The difference lies in how the two protocols achieve the purpose.
SSL and TLS each define a handshake between the client and the server that runs before they exchange information. The handshake, in both SSL and TLS, does the following:
- Establishes the version of the SSL or TLS protocol (SSL 2.0, 3.0, TLS 1.0, 1.1, 1.2 or 1.3) that will be used for the connection.
- Decides which “cipher suite” will be used. A cipher suite is the set of cryptographic algorithms applied to data transferred over the connection. The handshake agrees on a cipher suite that is supported by both client and server.
- Authenticates the server’s identity.
- Generates session keys for encrypted transfer after the handshake is complete.
Difference in the Handshake Process
Though both set up a secure connection between the client and the server, they differ in the way they establish it. SSL uses a dedicated port to set up an explicit connection for secure communication between the client and server. In general, HTTPS uses port 443 for secure data transfer, though several other ports are used as well.
TLS, in contrast, sets up an implicit connection at the protocol level. The client sends a “Client Hello” to the server over an insecure channel to start the handshake. Once the handshake begins, the connection is moved to port 443 for secure transfer.
The handshake establishes a cipher suite to encrypt data that will be transferred over the network. Other than the fact that SSL and TLS establish connection differently, the two protocols also have substantial differences in their supported cipher suites. Each SSL and TLS version has its own supported cipher suites. Cipher suites of the more recent versions offer greater security and faster data transfer.

The older versions of the protocol involved several round trips for authentication and key exchange and multiple algorithms for encryption. This added latencies to the data transfer. TLS 1.3 solved the latency problem by accomplishing the handshake with a single roundtrip and reducing the number of encryption algorithms to two.
SSL vs TLS: Differences
Other than the handshake itself, there are multiple other differences between the two protocols. Here are some of the prominent ones:

Is your Web Server on SSL or TLS?
TLS, in essence, is the upgraded version of the SSL protocol and is the modern encryption standard in use today. Given SSL’s security flaws, obsolete cipher suites and poor performance, servers that still use SSL protocols will not provide a secure and high-performance website experience. When configuring your website’s server or choosing a web hosting provider, make sure only TLS protocols are enabled.
If you don’t know which protocol your web server is using, you can use SSL Labs’ SSL Server Test to find out.
SSL Certificate VS TLS Certificate: Is there a Difference?
With all the differences between SSL and TLS, a common confusion is whether you need to switch your site’s SSL certificate to a TLS certificate. Certificates are independent of protocols. The popular “SSL certificate” that everyone is familiar with can also be called a “TLS certificate” or “SSL/TLS certificate”.
All three of these are just naming conventions; in practice they mean one and the same thing: an X.509 digital certificate that authenticates the server during the handshake between the web client and server. The certificate can be used with both the SSL and TLS protocols. Which handshake the server performs with the client is independent of the SSL/TLS certificate and depends on the protocol (SSL or TLS) enabled in the server’s configuration.
So if your website has an SSL certificate, you don’t need to worry about vulnerabilities on that account. An SSL certificate is the standard digital certificate used to authenticate your web server. However, if you want to ensure stronger encryption for the communication between clients and your web server, make sure that the latest TLS protocol versions (1.2 and 1.3) are enabled in your server configuration and the insecure, outdated versions (SSL, TLS 1.0 and TLS 1.1) are disabled.

What is mTLS and How is it different from SSL and TLS?
So far you know what SSL and TLS are. But what about mTLS? As mentioned earlier in the article, mTLS is not a new protocol to add to the list. mTLS, or mutual TLS, refers to TLS authentication performed on both the client and the server side.
In simple TLS authentication, client authenticates the server to establish a secure connection. In mTLS, the same TLS authentication occurs at both ends. The client authenticates the server and the server also authenticates the client.
Who needs mTLS?
In the common use cases for public-facing servers, the server is not concerned about the client’s identity. Its clients are end users accessing the server over the internet. The client verifies the server using the server’s SSL/TLS certificate, and a connection is established after the TLS handshake.
In certain other use cases, organizations have networks or applications that they don’t want everyone to access. The network is only accessible to specific services within the organization. The organization doesn’t want unauthorized clients, especially end users, sending the server HTTP requests; only authorized internal clients should be able to communicate with the server. In this case the server must also validate the client’s identity, and for that we need mTLS. Both ends of the connection verify each other to complete the handshake and establish a connection.
mTLS is especially useful for organizations that use a Zero Trust approach to protect their network. Zero Trust refers to the approach where no user or request is trusted by default. For example, Skype uses mTLS to protect its business servers against unauthorized access. B2B communication between APIs also uses mTLS.
Public and Private key
To understand how the TLS and mTLS handshakes work in the next section, there’s a concept you need to understand first. The TLS protocol uses public key cryptography to encrypt and decrypt messages sent over the network. This technique uses a pair of cryptographic keys, a public key and a private key, to make encrypted communication possible.
If the public key encrypts a message, it can only be decrypted with the private key. If the private key encrypts a message, it can only be decrypted with the public key.
The server’s SSL/TLS certificate is publicly available and contains the public key, so the public key is available to any client that wants to communicate with the server. To authenticate the server, the client sends it a message encrypted with the public key. If the server is able to decrypt the message, it proves that the server is in possession of the private key and has the identity it claims to have.
TLS Handshake vs mTLS Handshake
TLS Handshake
In a TLS handshake, the server has an SSL/TLS certificate and a public/private key pair. The client does not have these components.
Here is what a TLS handshake looks like:

mTLS Handshake
In an mTLS handshake, both the server and the client have a certificate and public/private key pair. However, this certificate is not the standard SSL/TLS certificate issued by external certifying authorities. In mTLS, the organization implementing the protocol will itself act as the certifying authority.
The organization has a “root” TLS certificate that authorizes the organization to act as the certifying authority for its internal communication. The clients and servers also have certificates that chain to the root certificate. All the certificates are self-signed, which means that the organization issues them itself. This is in contrast to the TLS handshake, where the server has an SSL/TLS certificate issued by an external organization and the client can verify it.
Here’s what an mTLS handshake looks like:

TLS vs mTLS: What are the differences?
You have already seen how mTLS handshake includes some additional steps as compared to a simple TLS handshake. The table below further clarifies the difference between TLS and mTLS:

mTLS is essentially the same protocol as TLS and uses the same technologies. Think of mTLS as an extension of TLS, where there occurs a two-way verification instead of one. The identities of both server and client are verified before a connection is established and data is exchanged between the two end points.
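The two-way verification described above, and the advice earlier in the article to allow only TLS 1.2 and 1.3, as an added example that is not part of the original article: a Go program that creates an in-memory root for an organization, issues a server and a client certificate under it, and runs a server that refuses any client which cannot present a certificate chaining to that root. The in-memory certificate authority, the names internal-root/server/client and the loopback port are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue returns a certificate for cn signed by parent, or a self-signed root when isCA is set
// (the organization acting as its own certificate authority; this in-memory setup is assumed).
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // the root signs itself and may sign the server and client certificates
		tmpl.KeyUsage, parent, pkey = tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}
// Handshake runs an in-process mTLS server and reports whether a client that does
// (withClientCert=true) or does not present a certificate completes the exchange.
func Handshake(withClientCert bool) bool {
	_, caCert, caKey := issue("internal-root", true, nil, nil)
	srvCert, _, _ := issue("server", false, caCert, caKey)
	cliCert, _, _ := issue("client", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert) // both sides trust only the organization's own root
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: pool, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert} // the mTLS switch: the server verifies the client too
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return false }
	defer ln.Close()
	go func() { // server side: finish the handshake, then send a greeting
		if c, err := ln.Accept(); err == nil && c.(*tls.Conn).Handshake() == nil { c.Write([]byte("ok")) }
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "server", MinVersion: tls.VersionTLS12}
	if withClientCert { cliCfg.Certificates = []tls.Certificate{cliCert} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil { return false } // under TLS 1.2 a missing client certificate already fails here
	defer conn.Close()
	buf := make([]byte, 2) // under TLS 1.3 the server's rejection only surfaces on this first read
	n, err := conn.Read(buf)
	return err == nil && string(buf[:n]) == "ok"
}
```

MinVersion on both configurations is the same hardening the article recommends for web servers: SSL 3.0, TLS 1.0 and TLS 1.1 can no longer be negotiated.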
