Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Could you please ELI5 the difference between ssl and tls. My office is also moving to tls 1.2 and the communication seemed to use both ssl and tls interchangeably. The Winndows registry has entrees for both ssl and tls. I am confused.


There is no difference. SSL was invented by Netscape, when they brought it to IETF to get standardized Microsoft did not want to use a name Netscape has advertised, so they forced a name change. Thus "SSL 3.1" (IETF update to SSL 3) was called "TLS 1.0". This was in 1999.

TLS 1.1 uses version encoded in two bytes that should mean "SSL 3.2", TLS 1.2 uses bytes that should mean "SSL 3.3". TLS 1.3 pretends to be TLS 1.2 to pass through proxies but internally uses two bytes that should mean SSL 3.4 to indicate its version.


The confusion is understandable.

_TECHNICALLY_ the only thing that exists is TLS. The implementation history is SSL 3.0 < TLS 1.0 ... 1.3

However, SSL is still used colloquially in conversation, e.g. "SSL certificate" and in many legacy config flags, such as Firefox's `about:config`.

For best clarity, check the details of all those settings, even the SSL ones. But TLS is the term for the modern standards.


SSL = TLS version 0.x. Earlier versions of the same thing.

Colloquially we still say "SSL" a lot when referring to TLS.


This is one of my greatest pet peeves, hearing people ask for "SSL certificates" and seeing "your payment card information is secured with SSL" at the bottom of websites everywhere.

I know it really doesn't matter in the grand scheme of things, but man does it make my eye twitch lol.


Meh, semantics. Lot of things live on. "Save to disk"? Granted hard drives kind of resemble "hard disks" still. TV? There are probably dozens of easily accessible examples for a well rested brain but mine is not.

I've tried using TLS instead of SSL but due to the friction of general acceptance of SSL I don't see much point in trying to fight.

I wish that TLS 1.4 will be called Transport Security System Layer (TSSL) or something which can be referred to as SSL and we can all go back to normal again. ;)


> Granted hard drives kind of resemble "hard disks" still.

No, it is a good example by now. A modern M.2 SSD looks much more like a stick of RAM than any kind of spinning disk.

Sure, spinning hard disks are still around, and might stick around for quite a while (data centers, archival...), but when someone at their desk says "save on disk" nowadays, it increasingly will be on such an entirely non-disk-looking disk.


I've got boxes of 3D printed versions of the "Save" icon from years ago.

They even have aluminium sliding parts and what looks like some sort of disk inside...

/s


I recently saw an audio recorder that is marketed as automatically transcribing your meetings and sending the text to an app. As a non-native speaker of the language where I live this was appealing, until I read the FAQ. It said something like "what about security of my data? A: Don't worry all data is transmitted using a secure tsl connection" .. like that was the beginning and end of the data security story for audio recordings of your private meetings.. Some times I thinks this country still being in the paper and fax age is the only thing saving it from it's self..


I’m routinely amazed by this too. Honestly when I see that this is the sole privacy or security disclaimer in anything but the most trivial of websites’ FAQ, I run the other way. Nothing on privacy, nothing about storage at rest, nothing about access controls and what customer data staff can access. It just comes across as indicative of a security-through-checkboxing view on security and a “heh, yeah sure buddy” approach to privacy.


At this point, just say HTTPS, and refer to TLS if you're speaking about the protocol itself.


Yeah this is what I've been leaning towards as well. People (both technical and non-technical) understand it. If you say TLS people either know what you mean, they think you're being a smartass of they have no idea what you're talking about. With https everyone knows.


Must be nice to have such an informed audience. I have to call it "the lock icon" with my team. They don't really get security, but they do get client perceptions of security.


TLS can be used on other protocols than HTTP (think SMTPs, IMAPs, OpenVPN, etc.)


Urgh! With SMTP it is even worse, because people talk about “SSL” vs “TLS” in the config dialogs.

But they don't actually mean SSL vs TLS. They mean a TLS connection (like HTTPS uses) vs StartTLS (where you start out SMTP plaintext then negotiate TLS as an extension.


I'm aware of that and that's why I said in that case, say "TLS" when you're referring to the protocol itself.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: