SSL certificates are dead. Long live the TLS certificates.

If you’ve built a website, you know how exciting – but also overwhelming – the process is. There are many decisions to be made and plenty of options for registrars, hosting, DNS, domain services, DDoS protection, plugins, digital security certificates, etc. Whilst every decision is important, security is essential to guarantee a safe environment for users to make online transactions, to protect the website itself, and for the search engines to award it a better ranking.

However, something strange is that still now, even in 2023, people continue to talk about the SSL certificate, but it’s such a past issue. When we talk about digital security, we should be talking about the TLS certificate.

What was an SSL Certificate?

SSL stands for Secure Sockets Layer. It was a technology that encrypted the data traffic, a protocol that was created to secure both of the sides of the communication: the web browser (client), and the servers of the website (server). The SSL protected the flow of important information such as user data, passwords, and bank details. With SSL you could have a safer site and prevent tampering and eavesdropping, for instance. When you set it up properly, you could show your visitors the HTTPS right before your domain name.

The first Secure Sockets Layer (SSL) certificate was created in 1994 by Netscape Communications Corporation. Before this, there was no standard for website security and no available method to protect sensitive information while transmitted over the Internet. The creation of SSL meant a big step to strengthen security.

Besides data encryption, SSL helped to authenticate websites and organizations. This was a good sign for customers to know they were on a legitimate and not a forged website, so they could trust it and buy with confidence.

Unfortunately, every technological improvement, especially when it is about security, faces a vicious cycle. It takes time for developers to identify and create solutions, and once they’re rolled out and implemented, criminals respond either with stronger attacks or look for weaknesses in the new technology to keep executing their malicious activities. SSL was no exception. Black-hat hackers found vulnerabilities in the SSL technology that allowed them to intercept and tamper with encrypted communications.

This established the need for an improved answer from the white-hat side.

Read more interesting information about types of hackers and how dangerous they are here.

What is a TLS certificate?

In 1999, the TLS or Transport Layer Security came to replace the previous SSL certificate.

Transport Layer Security (TLS) is an improved version of a digital certificate used to secure connections between a web client (a web browser, for instance) and a web server. The certificate is issued by a reliable third-party organization, known as a certificate authority (CA).

The certificate has information related to the website owner’s identity and the necessary public key required for communications to be encrypted. Every time a browser connects to a website that owns a valid TLS, the browser verifies it through the use of the CA’s public key. If the browser’s verification process points out the TLS certificate is valid, it (the browser) establishes a secure connection with the web server using the information included in the TLS certificate. At this moment, a very important process takes place: the TLS handshake. This process initiates the communication session, so the two involved sides acknowledge (exchange messages) and verify each other, define the cryptographic algorithms to be used, and agree on session keys.

Once the TLS handshake is successfully executed, the web server and web browser’s communications are encrypted, therefore sensitive information like banking details, credit or debit card numbers and login credentials are protected from criminal attempts to intercept data.

Consider that a TLS certificate is valid only if:

• The domain name within it matches the website’s domain name that the user’s browser is attempting to connect to.
• It has not been revoked.
• It has not expired.

The domain name within it matches the website’s domain name that the user’s browser is attempting to connect to.

• The domain name of the website.
• Owner’s name of the website (organization).
• Organization’s location.
• Certificate authority’s digital signature.
• The public key to encrypt communications.
• The expiration date of the certificate.

SSL certificate vs TLS certificate

Purpose

The Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) are cryptographic protocols that allow the establishment of secure connections between web clients and web servers. Both follow the same purpose, but there are differences between them.

Development

SSL was created by Netscape Communications Corporation in 1994. Before its creation, there was no such security method to protect users’ privacy. TLS was developed by the Internet Engineering Task Force (IETF) in 1999. It was designed with the clear purpose of replacing the SSL with an enhanced protocol version. TLS addressed the vulnerabilities (interception and tampering with encrypted communications) previously found in the SSL protocol.

Authentication

TLS incorporated more powerful authentication methods than SSL into its desgin. While SSL authenticated only the server, TLS came with the ability to authenticate the server and the client too.

Perfect Forward Secrecy

TLS added the Perfect Forward Secrecy (PFS) feature that helps to ensure that even in case the private key gets compromised, previous communications can remain safe. With PFS, every communication (session) creates a unique encryption key. It is independent of the private key, and it lasts only the time the session lasts. SSL did not include this feature in its design.

Algorithms

TLS has stronger algorithms than SSL used in the past to encrypt. As a reference, TLS 1.2 uses ECDHE and AES, while SSL 3.0 uses RSA and RC4.

Versions

SSL only had SSL 2.0 and SSL 3.0 versions and currently, both are considered unsafe. TLS has already more versions, 1.0, 1.1, 1.2, and 1.3. TLS is what you should use now to be safer.

Deprecation

This is a very important point! SSL is no longer considered safe to use because it is officially deprecated. The current recommended protocol to secure web communications is TLS.

Benefits of having a TLS certificate

A TLS certificate offers the following benefits:

• More robust security. TLS certificate offers stronger encryption algorithms and enhanced methods of authentication. Therefore, you get a higher security level than the one SSL certificate could offer in the past. TLS means protection against malware and phishing attacks, and integrity protection because its security features help prevent criminal tampering of the server-client web communications.
• Data encryption. It is an effective method to protect against criminal interception of the sensitive information exchanged during communication (login credentials, bank card numbers, etc.).
• Authentication. A TLS certificate helps users to verify they are communicating with the website they wanted to. Remember that TLS includes useful information to authenticate the website’s owner identity.
• Improved user experience. Now, you know that a TLS certificate means more security for your website and users, a safer and overall, more pleasant experience translates into higher engagement, trustability, and customer loyalty.
• Higher search engine ranking. For a while now, search engines have promoted websites that use security certificates as they make the online environment safer. Your website has a higher chance to be recommended and better ranked by them if it has a valid TLS certificate.
• Higher sales. A TLS certificate is taken as a positive sign from users. Feeling safe on your website while entering bank card details and other sensitive information is key for users to purchase from you.
• Compliance. In general, businesses selling products or services, and government agencies are obliged to offer secure communications to users. There can be differences from country to country, but in most cases, operating with a TLS certificate is an important obligation established by different regulations. This is to protect the privacy and sensitive users’ information. The biggest browsers can mark your website as not secure in the absence of TLS.

Which is the latest TLS version? – Improvements

The latest TLS version is TLS 1.3. The Internet Engineering Task Force (IETF) officially standardized it in August 2018. These are the main improvements offered by TLS 1.3 compared with its previous versions:

Security was enhanced. TLS 1.3 incorporated stronger encryption algorithms (AES-GCM) to protect your communications from cryptographic attackers.

Outdated features were removed. And since they were, it was found out that session resumption, renegotiation, and compression were insecure in previous versions, the support for those features was removed in TLS 1.3.

Deprecated ciphers were removed. The support for weak and deprecated cipher suites was removed to make TLS 1.3 a safer protocol.

It kept Perfect Forward Secrecy (PFS). The feature is present in TLS 1.3.

It allows a faster connection. TLS 1.3 makes the handshake process quicker. As a result, the establishment of a secure connection and page load times for users are faster too.

Message authentication was enhanced. The latest TLS version included AEAD or Authenticated Encryption with Associated Data constructions. They provide stronger protection against replay attacks and tampering.

Why do people still say SSL instead of TLS?

There are a couple of reasons for people still using the term SSL instead of TLS. Some providers consider that SSL’s name better communicates the purpose of this technology compared to TLS, so they kept referring to the TLS certificate as SSL just to save explanations for customers. Others think that the issue is that SSL positioned itself very quickly and effectively into people’s minds, so the convention to refer to this technology has been hard to break and replace. In our opinion, both reasons are weak, and the use of an incorrect and outdated name only creates confusion among customers.

Let’s accept it already: SSL certificates are dead long ago. Long live the TLS certificate! The SSL certificate’s vulnerabilities pushed the world to move on to a more secure certificate. SSL has not been updated since SSL 3.1 (1996) because it is officially considered deprecated. If you check, modern browsers no longer support it. Currently, you must use a TLS certificate – more specifically – the TLS 1.3, the most updated version.

You may want to check different types of TLS certificates available in the market (DV, OV, and EV).

Is TLS 1.3 flawless?

We can say that TLS 1.3 is a very helpful protocol, it truly enhances websites’ security, but it is not flawless. The developers are not to blame, but the criminals. Remember what we said at the beginning, black-hat hackers are consistently looking for ways to break security systems, searching for the smallest possibility to execute their attacks. Every new improvement reached by white-hat hackers and developers is almost immediately hit by black-hat hackers. It is a story without an end.

Then, you should consider TLS 1.3 as an important element of your website’s security, but it will work much better combined with other technologies. Be aware of potential risks like:

Misconfigurations can lead to the use of outdated ciphers or weaker encryption, and this will translate into a less safe connection. Misconfigurations can be the result of clients not being configured to use the latest TLS version or errors while configuring the server.

Potentially, there is a risk of side-channel attacks looking for extracting secret keys from a cryptographic implementation. Such attacks exploit implementation information leaks like electromagnetic emanations, timing information, or power consumption.

Man-in-the-middle attacks are another potential risk you should not neglect. Attackers could try to modify the requests of the clients to the server with the objective of clients accepting a forged certificate. If they manage this, they could intercept and decrypt the traffic.

These risks can be managed through security practices like updating your systems to have the latest patches.

Conclusion

Everything is clear now! TLS certificate dominates the online world more than two decades ago. Its design improved the capabilities of its predecessor SSL. To add a TLS certificate to your website is not a waste, but a smart security investment we recommend!

Remember, SSL certificates are dead. Long live the TLS certificate!