Info: What is the difference between SSL and TLS?


Transport Layer Security vs Secure Socket Layer


SSL uses (MAC algorithm) older and vulnerable

In 1994 the Secure Sockets Layer Protocol (SSL) was invented by Netscape Communications to secure communications between clients and server applications over an unprotected network. Versions 1.0 and 2.0 were known to have major security flaws and so SSL version 3.0 was developed 1996. As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.

SSL uses the Message Authentication (MAC) algorithm - a message authentication code (MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin.

TLS uses (HMAC algorithm) Newer and more secure

TLS is like an enhancement based on the earlier SSL specifications developed by Netscape for adding the HTTPS protocol to their Navigator web browser. It is an Internet Engineering Task Force (IETF) standards track protocol first defined in 1999.

TLS uses the HMAC algorithm, a keyed-hash message authentication code (HMAC). It is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and on the size and quality of the key.

Many new alert messages are included in TLS. Also with the TLS it will not require to associate the Certificate to the root CA, an intermediary authority can be used. With TLS, one can benefit with its eminent features like tougher authentication, privacy and integrity, interoperability, flexibility, easy deployment and use.

All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions will never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

As of February 2015, TLS 1.3 is a draft, and details have not fixed yet.  It is based on the earlier TLS 1.1 and 1.2 specifications.

Was this article helpful?
2 out of 2 found this helpful