Why Are SSL and TLS Used Interchangeably?
If you've spent any time working with web security, you've seen "SSL" and "TLS" used as if they're the same thing. An "SSL certificate" is actually a TLS certificate. An "SSL Checker" checks TLS. An "SSL handshake" is a TLS handshake. The confusion is everywhere.
The simple explanation: SSL is dead, but its name survived.
SSL (Secure Sockets Layer) was the original encryption protocol for the web, developed by Netscape in the mid-1990s. TLS (Transport Layer Security) replaced it in 1999 when the IETF took over the protocol. Every version of SSL has since been formally prohibited because of critical, exploitable security vulnerabilities (SSL 2.0 by RFC 6176 in 2011, SSL 3.0 by RFC 7568 in 2015), and both are disabled in all modern servers and browsers. But by the time SSL was retired, it had become the generic word for "web encryption", and the industry never updated its vocabulary.
Today, when anyone says "SSL certificate" or "SSL connection," they mean TLS. The X.509 certificate format hasn't changed. The protocol has. For a full overview of what's inside a certificate and how the connection works, see What Is an SSL Certificate? A Developer's Guide.
The History: From SSL to TLS
- SSL 1.0 (1994) was never publicly released; Netscape found flaws in it before shipping.
- SSL 2.0 (1995) shipped in Netscape Navigator and was found to have serious design flaws within a year.
- SSL 3.0 (1996) was a complete redesign and is the direct ancestor of TLS; it was later published for the record as RFC 6101.
- TLS 1.0 (1999, RFC 2246) moved the protocol to the IETF. The rename was largely political: the changes were modest and the wire version number is 3.1.
- TLS 1.1 (2006, RFC 4346) added explicit per-record IVs for CBC cipher suites.
- TLS 1.2 (2008, RFC 5246) added SHA-256, AEAD cipher suites such as AES-GCM, and negotiable signature algorithms.
- TLS 1.3 (2018, RFC 8446) removed legacy key exchange and ciphers, cut the handshake to one round trip, and encrypted most of it.
- SSL 2.0 was prohibited in 2011 (RFC 6176), SSL 3.0 in 2015 (RFC 7568), and TLS 1.0 and 1.1 were deprecated in 2021 (RFC 8996).

Today, your server almost certainly negotiates TLS 1.2 or TLS 1.3. Anything older is either disabled by default or actively refused by the browsers and clients that connect to you.
Key Technical Differences: SSL vs TLS
SSL 3.0 and TLS 1.0 were more similar than different: TLS 1.0 was internally called "SSL 3.1" and still identifies itself as version 3.1 on the wire. But as TLS matured, the differences became significant:

- Message authentication: SSL 3.0 used its own ad hoc MAC construction; TLS 1.0 switched to the standard HMAC (RFC 2104).
- Key derivation: TLS derives keys with a defined PRF (MD5 and SHA-1 combined in TLS 1.0 and 1.1, SHA-256 by default in TLS 1.2, HKDF in TLS 1.3) instead of SSL 3.0's custom MD5/SHA-1 mixing.
- Record protection: TLS 1.1 added explicit per-record IVs for CBC cipher suites and TLS 1.2 added AEAD suites (AES-GCM); TLS 1.3 allows only AEAD.
- Key exchange: TLS 1.3 removed static RSA and static Diffie-Hellman key exchange, so every full handshake uses ephemeral (EC)DHE and is forward secret.
- Handshake privacy: in SSL and TLS up to 1.2 the server certificate is sent in the clear; TLS 1.3 encrypts everything after the ServerHello, including the certificate.
- Removed features: TLS 1.3 dropped compression, renegotiation, RC4, 3DES, and the MD5/SHA-1 handshake signatures that SSL and early TLS relied on.
What Is Forward Secrecy?
Forward secrecy (also called Perfect Forward Secrecy, or PFS) means that even if an attacker records all your encrypted traffic today and later obtains your server's private key, they still cannot decrypt the historical traffic. The property comes from the key exchange: with an ephemeral Diffie-Hellman exchange (DHE or ECDHE), both sides generate a fresh key pair for the connection, derive the session keys from it, and discard it afterwards. The server's long-term private key only signs the exchange; it never encrypts anything from which the session keys could be recovered.
Without forward secrecy: an attacker who records traffic now and steals your private key later can decrypt everything. That is the property of RSA key exchange, where the client encrypts the pre-master secret to the server's certificate key. RSA key exchange was the only option in SSL 2.0 and the common choice from SSL 3.0 through TLS 1.2, which is why one leaked key could expose years of recorded sessions. With forward secrecy: past sessions are safe even if the private key is eventually compromised. TLS 1.3 removed RSA key exchange entirely, so every full handshake is forward secret; the caveats are 0-RTT early data and PSK-only resumption without a fresh key share, which are protected by a resumption key rather than a fresh exchange.
The Vulnerabilities That Killed SSL
SSL wasn't deprecated because it went out of fashion. It was killed by specific, publicly demonstrated attacks:
POODLE (2014)
POODLE (Padding Oracle On Downgraded Legacy Encryption) exploited SSL 3.0's CBC padding, which the protocol neither specifies nor checks beyond its final byte. An attacker who could sit between a user and server and inject JavaScript could first break the TLS handshakes so that the browser's compatibility fallback retried with SSL 3.0, then use the padding oracle to decrypt a session cookie one byte at a time (about 256 requests per byte on average). The practical result: an attacker on the same network could steal authenticated sessions.
There was no patch that kept SSL 3.0 usable: the fix was to disable it entirely, and TLS_FALLBACK_SCSV (RFC 7507) was added so that a client's downgrade retry is rejected by servers that support it. Every major browser and most server operators disabled SSL 3.0 in 2014–2015. A later variant showed that some TLS CBC implementations had the same padding flaw, one more reason to prefer AEAD cipher suites.
BEAST (2011)
BEAST (Browser Exploit Against SSL/TLS) exploited predictable IVs in CBC mode: in SSL 3.0 and TLS 1.0 each record's IV is the last ciphertext block of the previous record, so an attacker who can observe the ciphertext and choose the next plaintext can test guesses one byte at a time. An attacker who could inject JavaScript into a victim's browser and observe encrypted traffic could gradually recover plaintext, primarily HTTP cookies, enabling session hijacking. TLS 1.1 had already fixed this in 2006 with explicit per-record IVs but was barely deployed; BEAST pushed the industry toward TLS 1.2 and accelerated the deprecation of TLS 1.0 (browsers also mitigated it with 1/n-1 record splitting).
DROWN (2016)
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a cross-protocol attack. If any server, even a different server, used the same RSA private key and still accepted SSL 2.0, an attacker could use that SSL 2.0 endpoint as a Bleichenbacher-style padding oracle to decrypt recorded TLS sessions that used RSA key exchange, including TLS 1.2 sessions from the primary server. Sessions negotiated with ephemeral (EC)DHE were not affected, because there the RSA key only signs. Organizations that thought they'd fully migrated to TLS were still vulnerable through keys shared with forgotten legacy hosts.
🔒 What this means today: If your server is correctly configured for TLS 1.2 or 1.3 only and offers ECDHE cipher suites, you are not vulnerable to any of these attacks. DROWN has one extra condition: no other host anywhere may still accept SSL 2.0 with the same RSA key, so check every system that shares a certificate or key, not just the primary web server. Use the Authgear SSL Checker to confirm the protocol version your server negotiates.
TLS 1.2 vs TLS 1.3: Should You Upgrade?
TLS 1.2 is still widely used and secure when properly configured. TLS 1.3 is faster and more secure by design:
- Faster handshake — a full TLS 1.3 handshake takes 1 round trip instead of 2, which matters most on high-latency mobile connections.
- 0-RTT resumption — a returning client can send application data in its first flight, before the handshake completes. That data can be replayed by an attacker and is not forward secret, so if you enable it at all, accept it only for idempotent requests (a GET, never a state-changing API call).
- No legacy algorithm negotiation — TLS 1.3 defines only AEAD cipher suites and only (EC)DHE key exchange, so the weak and static suites that TLS 1.2 configurations must exclude by hand simply do not exist. You can't accidentally enable a weak cipher suite.
The recommended configuration: Support both TLS 1.2 and TLS 1.3, disable everything else. TLS 1.3 is supported by all modern clients, but some older enterprise systems and IoT devices still require TLS 1.2.
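As an added example (not from the article and not Authgear's own deployment), this is what that recommendation looks like in an nginx server block, with the legacy settings it replaces shown for contrast. The server name and certificate paths are placeholders; the cipher list is one reasonable choice, not the only one.

```nginx
# Legacy settings of the kind that still negotiate TLS 1.0/1.1 and static RSA key exchange:
#   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#   ssl_ciphers   HIGH:!aNULL:!MD5;

server {
    listen 443 ssl;
    server_name example.com;                                 # placeholder
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder paths
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # TLS 1.2 and 1.3 only: SSL 3.0, TLS 1.0 and TLS 1.1 are never offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suite list: ECDHE key exchange (forward secrecy) with AEAD ciphers only.
    # TLS 1.3 suites are not governed by ssl_ciphers; OpenSSL's defaults for 1.3 are all AEAD.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every suite above is acceptable; let the client pick its fastest
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
```

After changing the protocol list, reload and confirm from the outside that TLS 1.0 and 1.1 handshakes are now refused rather than trusting the config file alone.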
How to Check Which TLS Version Your Server Negotiates
Option 1: Authgear SSL Checker (no setup)
The Authgear SSL Checker connects to your host and reports the negotiated TLS protocol version and cipher suite alongside the full certificate details, all in one view, with nothing to install.
Option 2: OpenSSL
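The script below is an added example, not part of the original article and not Authgear's SSL Checker. It uses only the openssl command line: probe_version attempts one protocol version at a time (the -tls1 … -tls1_3 options of openssl s_client), and probe_static_rsa offers the server nothing but RSA-key-exchange suites, which a forward-secret configuration must refuse (the point of the forward secrecy and DROWN sections above). The output words accepted/refused, the function names and the default port 443 are this example's own conventions; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not Authgear's tooling): probe a TLS server with the openssl
# CLI to see which protocol versions it accepts and whether it still allows
# static RSA key exchange (no forward secrecy; the DROWN-relevant mode).
# Usage:  sh tls_probe.sh example.com [443]

# handshake_ok HOST PORT CIPHERSTRING [extra s_client flags]
# A completed handshake makes s_client print "New, TLSv1.x, Cipher is ...";
# a failed one prints "New, (NONE), Cipher is (NONE)" or nothing at all.
# @SECLEVEL=0 lets an OpenSSL 3 *client* still offer TLS 1.0/1.1, so the
# result reflects the server's policy rather than the client's limits.
# OpenSSL 1.1.1+ sends SNI from the -connect host automatically.
handshake_ok() {
  h=$1; p=$2; cs=$3; shift 3
  openssl s_client -connect "$h:$p" -cipher "$cs" "$@" </dev/null 2>/dev/null |
    grep -q '^New, TLSv'
}

# probe_version HOST PORT VERSION -> "accepted" or "refused"
# VERSION is tls1, tls1_1, tls1_2 or tls1_3 (the s_client version flags).
probe_version() {
  if handshake_ok "$1" "$2" 'DEFAULT:@SECLEVEL=0' "-$3"; then
    echo accepted
  else
    echo refused
  fi
}

# probe_static_rsa HOST PORT -> "accepted" if the server completes a TLS 1.2
# handshake using RSA key exchange only (kRSA), i.e. without forward secrecy.
probe_static_rsa() {
  if handshake_ok "$1" "$2" 'kRSA:@SECLEVEL=0' -tls1_2; then
    echo accepted
  else
    echo refused
  fi
}

# tls_probe HOST [PORT]: one line per check, for a quick manual audit.
tls_probe() {
  host=$1; port=${2:-443}
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    printf '%-7s %s\n' "$v" "$(probe_version "$host" "$port" "$v")"
  done
  printf 'static RSA key exchange (no forward secrecy): %s\n' \
    "$(probe_static_rsa "$host" "$port")"
}

if [ $# -gt 0 ]; then
  tls_probe "$@"
fi
```

A healthy 2026 server prints refused for tls1 and tls1_1, accepted for tls1_2 and tls1_3, and refused for static RSA key exchange. If tls1_2 is refused by a server you know accepts it, your local openssl may simply be too old or restricted; compare with the SSL Checker before blaming the server.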
TLS in Authentication and Security
For authentication systems, TLS is the transport-level security that everything else depends on:
- Token security — OAuth access tokens, JWT bearer tokens, and session cookies sent over HTTP are fully exposed. TLS is what makes token-based auth work securely in practice.
- OAuth 2.0 requires TLS — the OAuth 2.0 specification (RFC 6749) mandates TLS for all authorization endpoints and token endpoints. No HTTPS, no OAuth.
- mTLS (mutual TLS) — in standard TLS, only the server presents a certificate. In mTLS, the client also presents a certificate, enabling cryptographic client authentication. Used in service meshes, zero-trust networks, and high-security API endpoints. Authgear supports mTLS for enterprise deployments.
- Certificate pinning — mobile apps sometimes "pin" a specific certificate or, more robustly, the SHA-256 hash of its SubjectPublicKeyInfo, refusing connections if the server presents anything else. This defeats MITM attacks even when a CA is compromised or an interception proxy is installed, but a pin set that does not include the next key bricks the app at renewal, so ship a backup pin for a key you hold offline and plan rotations in advance.
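To make the mTLS and pinning points concrete, the following shell script is an added example (not code from the article or from Authgear). make_pki builds a throwaway private CA with one server and one client certificate; mtls_request sends an HTTPS request to an openssl s_server that requires a client certificate, with and without presenting one; spki_pin computes the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, the value a pinning app compares against. The CA name, the common names, the port 44331 and the accepted/rejected words are this example's own choices, and it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not Authgear's code): mutual TLS and SPKI pinning using only
# the openssl CLI.  Run "sh mtls_demo.sh demo" to see it end to end.

# make_pki DIR: a throwaway CA plus a server cert (CN=localhost) and a client
# cert (CN=device-001) signed by it.  All names are this example's own.
make_pki() {
  d=$1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -subj /CN=demo-ca -days 1 >/dev/null 2>&1
  for entry in server:localhost client:device-001; do
    f=${entry%%:*}; cn=${entry#*:}
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$d/$f.key" -out "$d/$f.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$d/$f.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -out "$d/$f.pem" -days 1 >/dev/null 2>&1
  done
}

# start_mtls_server DIR PORT: an s_server that *requires* (-Verify) a client
# certificate chaining to the demo CA.  Prints the server's PID.
start_mtls_server() {
  openssl s_server -accept "$2" -cert "$1/server.pem" -key "$1/server.key" \
    -CAfile "$1/ca.pem" -Verify 1 -www >/dev/null 2>&1 &
  echo $!
}

# mtls_request DIR PORT with|without: send one HTTP request over TLS, either
# presenting the client certificate or not.  Prints "accepted" only if the
# server actually answered (s_server -www replies "HTTP/1.0 200 ok").  The
# check is deliberately at the application layer: under TLS 1.3 a missing
# client certificate is rejected *after* the client considers the handshake
# complete, so a handshake-only check would be fooled.  -ign_eof keeps
# s_client reading until the server closes, so the reply is not lost.
mtls_request() {
  d=$1; port=$2
  if [ "$3" = with ]; then
    set -- -cert "$d/client.pem" -key "$d/client.key"
  else
    set --
  fi
  if printf 'GET / HTTP/1.0\r\n\r\n' |
     openssl s_client -connect "127.0.0.1:$port" -CAfile "$d/ca.pem" \
       -verify_return_error -ign_eof "$@" 2>/dev/null |
     grep -q 'HTTP/1.0 200 ok'; then
    echo accepted
  else
    echo rejected
  fi
}

# spki_pin CERT.pem: base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format
# used by HPKP, OkHttp and Android's network security config.  Pinning the key
# rather than the certificate means a renewal that keeps the key keeps the pin.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform der |
    openssl dgst -sha256 -binary |
    openssl base64
}

if [ "$1" = demo ]; then
  dir=$(mktemp -d); make_pki "$dir"
  pid=$(start_mtls_server "$dir" 44331); sleep 1
  echo "with client cert:    $(mtls_request "$dir" 44331 with)"
  echo "without client cert: $(mtls_request "$dir" 44331 without)"
  echo "server SPKI pin:     $(spki_pin "$dir/server.pem")"
  kill "$pid"; rm -rf "$dir"
fi
```

The demo prints accepted for the connection that presents the client certificate and rejected for the one that does not; the pin line is what you would embed in a mobile client, together with a second pin for a backup key.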
Summary: SSL vs TLS
- SSL is deprecated — SSL 2.0 and 3.0 are disabled in all modern software.
- TLS is what you actually use — TLS 1.2 and TLS 1.3 are the current standards.
- The certificate format is the same — X.509 certificates are unchanged whether you call them SSL or TLS certificates. The name stuck even though the protocol moved on.
- Configure TLS 1.2 + 1.3, disable everything older — the correct production configuration for 2026.
- TLS 1.3 is faster and cleaner — enable it alongside TLS 1.2 for the best balance of security and compatibility.
Next Steps
- Check your TLS version with the free Authgear SSL Checker
- Learn what's inside your certificate in What Is an SSL Certificate? A Developer's Guide
- Diagnose chain issues in SSL Certificate Chain: What It Is and How to Fix a Broken One