SSL vs TLS: What's the Difference?

SSL and TLS are not the same thing, even though almost everyone uses the words interchangeably. SSL is the older protocol, now fully deprecated and unsafe. TLS is its successor, and it is what actually encrypts your HTTPS connections right now. The "SSL" you see in product names and certificate listings is a leftover label, not a description of the protocol doing the work. For the bigger picture on what these certificates are, see SSL/TLS certificates explained.

Here is the short history. Netscape created Secure Sockets Layer (SSL) in the mid-1990s; versions 2.0 and 3.0 shipped, and both had serious flaws. When the IETF took the protocol over, they renamed it Transport Layer Security and released TLS 1.0, then 1.1, 1.2, and 1.3. Same lineage, different name, and every revision since SSL has tightened security. For a deeper breakdown of which TLS revisions matter today, see SSL/TLS certificates explained.

Every SSL version is dead

This is not a stylistic preference. SSL 2.0 and SSL 3.0 are both formally deprecated and must not be used. The IETF retired SSL 3.0 in RFC 7568, which states plainly that SSL 3.0 is not sufficiently secure and prohibits its use. SSL 2.0 had been abandoned years earlier. If a server still negotiates either, that is a misconfiguration to fix, not a feature to keep. Modern browsers will not even attempt them.

TLS does the real work

When you load an HTTPS site today, the handshake, the key exchange, and the encryption are all TLS. The current version, TLS 1.3, dropped legacy ciphers, simplified the handshake, and made the connection faster and harder to attack than anything before it. TLS 1.2 is still widely deployed and remains acceptable. Everything older than 1.2 is on its way out or already gone from mainstream clients.

Versions at a glance

Version | Year | Origin   | Status
SSL 2.0 | 1995 | Netscape | Deprecated; insecure
SSL 3.0 | 1996 | Netscape | Deprecated by RFC 7568; insecure
TLS 1.0 | 1999 | IETF     | Deprecated
TLS 1.1 | 2006 | IETF     | Deprecated
TLS 1.2 | 2008 | IETF     | Supported and widely used
TLS 1.3 | 2018 | IETF     | Current; recommended

So why does the name SSL refuse to die?

Mostly inertia, and a bit of marketing. By the time TLS arrived, "SSL certificate" was already the phrase everyone used for the file that enables HTTPS. Certificate vendors kept selling "SSL certificates" because that is what buyers searched for. Tools are called "SSL checkers." The padlock in the browser was, for years, explained to users as SSL. The label outlived the protocol it originally named, and changing the vocabulary of an entire industry is slower than changing the code underneath it.

So when someone hands you an "SSL certificate," nothing about the protocol is implied. The same certificate works fine over TLS 1.3; the certificate and the protocol are separate things. A certificate proves identity and carries a public key. The protocol (TLS) is the negotiation and encryption that uses it. Mixing the two names is harmless in casual speech but worth keeping straight when you are configuring a server or reading a security report.

What this means in practice

For a site owner, the takeaway is simple. Disable SSL 2.0 and 3.0 entirely. Disable TLS 1.0 and 1.1 unless you have a hard dependency on ancient clients, and even then, plan to remove them. Offer TLS 1.2 and TLS 1.3, with 1.3 preferred. Your certificate does not need to change for any of this; protocol support is a server configuration setting, separate from the certificate you installed.
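The advice above can be checked mechanically. The following is an added example, not part of the original article: it assumes the server is nginx, whose ssl_protocols directive lists the enabled versions, and that each directive sits on one line. The sample configuration and certificate path are constructed placeholders.

```python
import re

# Verdict for each token nginx's ssl_protocols directive accepts, following
# the article's version table: SSL is insecure, TLS 1.0/1.1 are deprecated.
VERDICT = {
    "SSLv2": "insecure", "SSLv3": "insecure",
    "TLSv1": "deprecated", "TLSv1.1": "deprecated",
    "TLSv1.2": "ok", "TLSv1.3": "ok",
}
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")


def audit_ssl_protocols(config_text):
    """Return (line_no, token, verdict) for every protocol setting to fix."""
    findings, seen = [], False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]              # ignore comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        seen = True
        tokens = match.group(1).split()
        for tok in tokens:
            verdict = VERDICT.get(tok, "unknown")
            if verdict != "ok":
                findings.append((line_no, tok, verdict))
        if "TLSv1.3" not in tokens:              # article: prefer TLS 1.3
            findings.append((line_no, "TLSv1.3", "missing"))
    if not seen:                                 # server falls back to defaults
        findings.append((0, "ssl_protocols", "not set"))
    return findings


# Constructed, trimmed sample: both server blocks use the same certificate;
# only the protocol line differs.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/example.crt;     # placeholder path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy setting
}
server {
    listen 8443 ssl;
    ssl_certificate /etc/nginx/example.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for line_no, token, verdict in audit_ssl_protocols(SAMPLE_CONF):
        print(f"line {line_no}: {token} is {verdict}")
```

A "not set" finding means the effective protocols come from the server's built-in defaults, which vary by version and should be confirmed separately.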

For everyone else, the distinction matters mainly when reading documentation or audit output. A scanner that flags "SSLv3 enabled" is telling you a genuinely dangerous old protocol is still switched on, not just using old terminology. A line that says "TLS 1.3 negotiated" is the healthy outcome you want. Learning to read those signals is what separates a vague sense that a site is secure from actually knowing it.

Term              | What it really refers to
"SSL certificate" | A certificate used with HTTPS, regardless of protocol
"SSL/TLS"         | The family of protocols; modern usage points to TLS
"SSL 3.0"         | A specific deprecated protocol you should disable
"TLS 1.3"         | The current protocol securing connections today

For a version-by-version look at what to enable and what to retire, continue with TLS versions explained, or revisit the fundamentals in SSL/TLS certificates explained.

Frequently asked questions

Is SSL the same as TLS?

No. TLS is the modern successor to SSL. The encryption on your HTTPS connections is done by TLS. Every version of the original SSL protocol is deprecated and considered insecure.

Why do people still say SSL?

The name stuck. It became the everyday label for certificates and HTTPS long before TLS took over the actual work, so tools, products, and conversations still say SSL out of habit.

Is SSL still used?

The SSL protocol (2.0 and 3.0) is deprecated and should be disabled on any server. Only TLS is used for real connections today, even though the SSL label persists.