What's the Difference Between SSL and TLS?

August 28, 2020
In short, SSL is the now deprecated predecessor of TLS.

What is the difference between SSL and TLS?

In the most basic form, SSL and TLS simply refer to the handshake that takes place between a client and a server. The main difference is in how this handshake takes place. An SSL handshake uses a port to start its connections, otherwise known as an explicit connection. TLS starts its connections via protocol, otherwise known as an implicit connection. Another key difference is that in TLS the separate key exchange and digital signature negotiations have been removed from the process; instead this can now be accomplished in a single exchange, which enables zero round-trip resumption (0-RTT). Additionally, this first interaction is now encrypted, usually at 256 bits, further reducing the attack surface.

Should You Be Using SSL or TLS?

SSL should not be used: it was deprecated by the Internet Engineering Task Force (IETF) in 2011, and vulnerabilities have been found in SSL since its inception and continue to be found.

A short History of SSL and TLS

SSL and TLS are cryptographic protocols designed to provide communications security over a computer network. SSL was developed in 1995 by Taher Elgamal, a chief scientist at Netscape Communications. The first version of SSL, version 1.0, was never released because it contained multiple security flaws; SSL 2.0 and 3.0 were released soon after. TLS 1.0 was first defined in RFC 2246 in 1999 as an upgrade of SSL version 3.0, and was written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". Tim Dierks later wrote that these changes, and the renaming from "SSL" to "TLS", were a face-saving gesture to Microsoft, "so it wouldn't look [like] the IETF was just rubberstamping Netscape's protocol". TLS 1.1 came out seven years later in 2006 and was replaced by TLS 1.2 in 2008. Currently the main version of TLS is TLS 1.3, which was finalized in 2018 after 11 years and nearly 30 IETF drafts.

Which CMMC practices can make use of TLS?

CMMC Practices AC.3.14, IA.3.84, and SC.3.190 can all utilize TLS to meet their CMMC requirements.

Practice AC.3.14 usage of TLS:

As stated in the CMMC (Cybersecurity Maturity Model Certification) documentation, AC.3.14 must “Employ cryptographic mechanisms to protect the confidentiality of remote access sessions”. One way to achieve this is to utilize TLS on remote access sessions, such as the use of a VPN. By using TLS you can encrypt the connection, therefore ensuring confidentiality.

Practice IA.3.84 usage of TLS:

As stated in the CMMC (Cybersecurity Maturity Model Certification) documentation, IA.3.84 must “Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts”. One way to achieve this is to enable transport layer security (TLS) for access to your systems.

Practice SC.3.190 usage of TLS:

As stated in the CMMC (Cybersecurity Maturity Model Certification) documentation, SC.3.190 must “Protect the authenticity of communications sessions”. One way to achieve this is to configure TLS on your web servers and VPN connections.
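The advice above (do not use SSL; configure TLS on your web servers and VPN endpoints) is only as good as the check that confirms it. The following added example, which is not code from the original post or from any product it mentions, uses only Python's standard `ssl` and `socket` modules. It builds a client context that refuses anything below TLS 1.2, lists which protocol versions a given context would accept, flags deprecated versions, and includes an optional `probe_server` helper for auditing one of your own servers (the host name in the `__main__` block is a placeholder). The RFC numbers in the comments are the deprecating RFCs for those versions and are not taken from the page.

```python
import socket
import ssl

# Protocol versions in ascending order, paired with the names OpenSSL reports.
# SSL 2.0 is not listed because Python's ssl module cannot even offer it
# (it was deprecated by RFC 6176 in 2011).
ORDERED = [
    (ssl.TLSVersion.SSLv3, "SSLv3"),
    (ssl.TLSVersion.TLSv1, "TLSv1"),
    (ssl.TLSVersion.TLSv1_1, "TLSv1.1"),
    (ssl.TLSVersion.TLSv1_2, "TLSv1.2"),
    (ssl.TLSVersion.TLSv1_3, "TLSv1.3"),
]

# Versions a CMMC-aligned deployment should not accept, with the deprecating RFC.
DEPRECATED = {
    "SSLv3": "deprecated by RFC 7568 (2015)",
    "TLSv1": "deprecated by RFC 8996 (2021)",
    "TLSv1.1": "deprecated by RFC 8996 (2021)",
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the peer certificate and host name and
    refuses to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepted_versions(ctx: ssl.SSLContext) -> list:
    """Return the protocol version names a context is willing to negotiate,
    derived purely from its minimum_version / maximum_version bounds."""
    low = ctx.minimum_version
    high = ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ORDERED[0][0]
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ORDERED[-1][0]
    return [name for version, name in ORDERED if low <= version <= high]


def audit(version_names: list) -> list:
    """Given version names a server accepted, return (name, reason) findings
    for every deprecated version among them."""
    return [(name, DEPRECATED[name]) for name in version_names if name in DEPRECATED]


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Attempt one handshake per protocol version, offering exactly that
    version, and return the names the server accepted. Certificate checks are
    disabled here because the question is protocol support, not trust; this
    is meant for servers you operate. Requires network access."""
    accepted = []
    for version, name in ORDERED:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            continue  # the local OpenSSL build cannot offer this version at all
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.version())
        except (ssl.SSLError, OSError):
            pass  # handshake refused or connection failed: version not accepted
    return accepted


if __name__ == "__main__":
    print("hardened client accepts:", accepted_versions(hardened_client_context()))
    # Constructed sample of what a mis-configured server might report:
    sample = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    for name, reason in audit(sample):
        print(f"finding: server accepts {name} ({reason})")
    # Replace the placeholder with one of your own hosts to run a live probe:
    # print(audit(probe_server("your-server.example")))
```

`accepted_versions` and `audit` are pure functions, so they can be dropped into a compliance script and unit-tested without a network; `probe_server` is the live check you would run against your own web server or VPN endpoint before an assessment, and any finding it produces is a configuration to fix rather than evidence of a vulnerability in TLS itself.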
