TLS vs SSL — What Actually Runs on HTTPS
tls vs ssl difference · what is tls 1.3 · ssl tls explained
Clear explanation of TLS vs SSL naming, why tools say SSL checker, TLS 1.2 vs 1.3 in production, and how to read negotiated protocol in results.
By DN01 Network Team
SSL 3.0 is deprecated and disabled in modern browsers. Public HTTPS today uses TLS — typically TLS 1.2 or TLS 1.3. Marketing copy, hosting panels, and job titles still say «SSL certificate» because the term stuck.
Understanding both words helps when reading docs, exam questions, and checker output that lists TLS 1.3 under an «SSL» product name.
Security audits often ask for «TLS configuration» while procurement buys «SSL certificates» — the same X.509 files satisfy both vocabularies when protocols are modern.
Historical naming
SSL (Secure Sockets Layer) was Netscape's protocol; TLS (Transport Layer Security) is the IETF successor starting at TLS 1.0. Each version removed weak ciphers and improved handshake security.
Certificates are still called X.509 public-key certificates — the same file format works regardless of whether the negotiated protocol is TLS 1.2 or TLS 1.3.
PCI DSS and similar frameworks reference «strong cryptography» and TLS versions — they do not require a product literally named SSL.
TLS 1.2 vs TLS 1.3 in practice
TLS 1.3 reduces handshake round trips and removes many legacy cipher suites. Most CDNs and modern servers prefer 1.3 with 1.2 fallback for old clients.
If a checker shows only TLS 1.0 or SSLv3, treat it as a misconfiguration — upgrade the web server or load balancer policy.
Cipher suite names like TLS_AES_256_GCM_SHA384 (1.3) vs ECDHE-RSA-AES128-GCM-SHA256 (1.2) appear in detailed checker output — screenshot them for compliance reports.
What to write in documentation
For stakeholders: «We use TLS 1.2+ with a valid public certificate (often called SSL in panels).»
For engineers: specify minimum protocol version on the load balancer, test with the SSL Checker, and reference RFC 8446 for TLS 1.3.
Pair TLS checks with HTTP Header Checker for HSTS — protocol version and HSTS are complementary hardening layers.
Disabling legacy protocols
Scan public endpoints with the SSL Checker after changing server config — some virtual hosts inherit old defaults from global templates.
Legacy clients (old Android, embedded devices) may require TLS 1.2 fallback — document business justification before disabling 1.2 entirely.
Internal tools behind VPNs sometimes still negotiate TLS 1.0 — segregate them from internet-facing hosts and track separately in compliance spreadsheets.
Frequently asked questions
- Is SSL the same as TLS?
Colloquially yes for HTTPS. Technically TLS replaced SSL; only TLS 1.2/1.3 should be enabled on public sites.
- Why does my SSL checker show TLS?
Because it reports the negotiated protocol after the handshake — accurate engineering terminology.
- Do I need different certificates for TLS 1.3?
No. The same X.509 certificate works; only server configuration and cipher policy change.
- Is STARTTLS the same as HTTPS TLS?
Same TLS family, different application protocol — SMTP STARTTLS uses certificates on mail ports; HTTPS uses TLS on 443.
- What TLS version do browsers require today?
Major browsers reject SSL 3.0, TLS 1.0, and TLS 1.1 on public sites — aim for TLS 1.2 minimum with 1.3 preferred.