What do SSL, TLS & HTTPS mean?


As a web developer (or simply a netizen) you must have come across the terms SSL, TLS & HTTPS. In this guide
we will look at what exactly they mean.

SSL

SSL (or Secure Sockets Layer) is a security protocol which was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. It is the predecessor to the modern TLS encryption used today. It prevents hackers from seeing or stealing any information transferred, including personal or financial data.

TLS

Transport Layer Security (TLS) is a new protocol for encrypting data on the web. TLS grew out of Secure Sockets Layer (SSL). In other words, TLS is a set of updates & patches applied to fix security flaws in SSL. Thus TLS is the latest & updated version of SSL. SSL has not been updated since SSL 3.0 in 1996, and hence security experts recommend discontinuing its use. The industry still uses the terms somewhat interchangeably for historical reasons.

Everything on the web should be encrypted by default.

– Jeff Atwood, Co-founder of Stack Overflow

Why was the renaming done?

In 1999 the Internet Engineering Task Force (IETF) proposed an update to SSL. Since this update was being developed by the IETF and Netscape was no longer involved in it, the IETF chose to give the update a new name: TLS.
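
The continuity between SSL and TLS is visible on the wire: every record starts with a 5-byte header whose version field reads 3.0 for SSL 3.0 and 3.1 for TLS 1.0. The Python code below is an added example, not part of the original article; it goes slightly beyond the text by decoding that header and flagging SSL 3.0 records, and its function names and sample bytes are constructed for illustration.

```python
import struct

# Record-layer version bytes (major, minor). TLS 1.0 is "3.1" on the wire:
# the numbering simply continues from SSL 3.0.
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",  # TLS 1.3 also writes 3.3 here for compatibility
}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Decode the 5-byte SSL/TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        raise ValueError("not an SSL 3.0 / TLS record")
    name = VERSIONS.get((major, minor), f"unknown 3.{minor}")
    return {"type": CONTENT_TYPES[ctype], "version": name,
            "length": length, "legacy_ssl": name == "SSL 3.0"}


def find_ssl3(records: list) -> list:
    """Return the indexes of records that still speak SSL 3.0."""
    hits = []
    for i, raw in enumerate(records):
        try:
            info = parse_record_header(raw)
        except ValueError:
            continue  # plain HTTP or other non-TLS bytes
        if info["legacy_ssl"]:
            hits.append(i)
    return hits


# Constructed sample inputs (first bytes of a connection), not captured traffic.
SAMPLES = [
    bytes.fromhex("1603000045"),  # handshake record, SSL 3.0
    bytes.fromhex("16030300c8"),  # handshake record, TLS 1.2
    b"GET / HTTP/1.1\r\n",        # plain HTTP: no record layer at all
]

if __name__ == "__main__":
    print(find_ssl3(SAMPLES))
```
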

HTTPS

Figure: http vs https (Source: Cloudflare)

HTTP (with no ‘S’) stands for HyperText Transport Protocol, which is simply a protocol (a language) for transferring information between servers and clients. The addition of the letter ‘S’ is what makes the difference between HTTP and HTTPS: the ‘S’ stands for “Secure”.

If a website’s URL begins with https://, it indicates that information is being transmitted via Secure HTTP (HTTPS), i.e. using the Transport Layer Security (TLS) protocol. This encrypts information passed between a client (browser) and a server (website).

How do SSL certificates work?

In simple terms, SSL certificates establish an encrypted connection between a website/server and a browser with what’s known as an “SSL handshake”. For visitors to your website, the process is invisible and instantaneous. It is called a handshake because it takes place when the two parties, client and server, come across each other for the first time. The handshake involves a number of steps that start with validating the identity of the other party and conclude with the generation of a common key, or secret key if you will.

Fundamentally, the SSL handshake is nothing but a conversation between two parties (client and server) wanting to accomplish the same purpose – securing the communication with the help of symmetric encryption.

Do I need SSL for my website?

Some people mistakenly believe that the only sites that need HTTPS are sites that handle some level of sensitive information, like personal or financial data. But this isn’t true. Every site should be using HTTPS. It helps to prevent people from listening in on what’s crossing the wire, and helps prevent it from being tampered with while in transit.

And if privacy and security weren’t enough of a reason to protect your users, many new browser features like service workers, the Payment Request API, and even some older APIs like GeoLocation now require HTTPS.

Can I get a free SSL certificate?

Absolutely yes. That’s the whole purpose of this website. Many certificate authorities charge for SSL certificates. To help make the Internet more secure, organisations like Cloudflare & Let’s Encrypt (a non-profit organisation) offer free SSL certificates. In fact this was the main reason behind the creation of this very website. The goal was to eradicate the belief that getting SSL is costly or tough. SSL.WIKI has guides to implement free SSL like these for any tech stack or any server (WordPress, cPanel, Apache, Nginx etc.).
