This is the fifth in our series of insights that seek to explore and simplify the topic of SSL (and TLS) in web application hosting. In our previous insight, we looked at Certificate Authorities and The Signing Process; in this insight, we’ll explore what’s important to know about TLS and the versions of TLS available.
SSL vs TLS
SSL is like the older brother of TLS. It was the first secret code used on the internet, but over time people realised that they needed an even better one. That’s why TLS was created: it’s a newer, more robust code that better protects our information. For simplicity, we’ll skip over much of the complexity and history and simply say that, for website security, we use the term “SSL” when discussing certificates and “TLS” when talking about communication.
Why does the TLS version matter?
Just as software gets updates to improve it, TLS also gets updates, and each new version has better tricks to keep our secrets safe. Websites need to use the latest version so they have the best protection. When you go to a website, your web browser and the website do a secret handshake using TLS. This handshake decides which version of the secret code they will use. If a website uses an older version, it’s like having a rusty lock on your secret clubhouse door. But if it uses the latest version, it’s like having a super strong, shiny lock that keeps everything safe. While we may keep our web servers updated to use the latest and greatest version, we cannot necessarily expect our visitors and their web browsers to always have the newest version, so we need to make sure we offer multiple versions and give them time to upgrade.
Which TLS versions should I use?
Your choice of TLS version(s) is typically determined by the sensitivity of the information you exchange, the nature of your users and their use of different web browsers and operating systems. A fantastic resource for exploring support and market share for TLS versions in web browsers is caniuse.com; we can summarise this as:
- TLS1.0 – Deprecated (shows warning or fails) in Chrome, Edge, Firefox, Internet Explorer 11, & Safari.
- TLS1.1 – Deprecated (shows warning or fails) in Chrome, Edge, Firefox, Internet Explorer 11, & Safari.
- TLS1.2 – Supported on all modern web browsers and OS, but NOT natively supported on older versions like Windows XP/Vista or earlier.
- TLS1.3 – Supported on all modern web browsers, but NOT natively supported on older versions like Windows 8 or earlier.
In 2023, if you are exchanging personal information, you should be supporting TLS1.3 and TLS1.2; you would only want to keep TLS1.1 and 1.0 in specific scenarios where you know your users cannot upgrade.
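To check which of these versions a server will actually agree to in the handshake, you can attempt one connection per version and compare the outcome with the advice above. The following Python is an added example, not Pipe Ten's own code; the function names `pinned_client_context`, `probe` and `assess` are made up for illustration, and the sample result at the bottom is constructed.

```python
import socket
import ssl

# The four versions the article lists, oldest first.
VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}
RECOMMENDED = {"TLS1.2", "TLS1.3"}  # the article's advice for personal data

def pinned_client_context(name):
    """Client context whose handshake can only agree on one TLS version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    return ctx

def probe(host, port=443, timeout=5.0):
    """Try one handshake per version; return {name: accepted?}.

    False also covers certificate errors and versions that the local
    OpenSSL build or security level refuses to offer (often 1.0/1.1).
    """
    results = {}
    for name in VERSIONS:
        try:
            ctx = pinned_client_context(name)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
            results[name] = False
    return results

def assess(results):
    """Compare probe results with the recommended set of versions."""
    accepted = {name for name, ok in results.items() if ok}
    return {
        "legacy_enabled": sorted(accepted - RECOMMENDED),
        "missing": sorted(RECOMMENDED - accepted),
        "compliant": accepted == RECOMMENDED,
    }

if __name__ == "__main__":
    # Constructed sample result: a server that still accepts TLS 1.0.
    sample = {"TLS1.0": True, "TLS1.1": False, "TLS1.2": True, "TLS1.3": True}
    print(assess(sample))
```

Pass the output of `probe()` for your own hostname to `assess()` to see whether any deprecated version is still enabled or a recommended one is missing.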
Author: Carl Heaton
Carl is a founder of Pipe Ten and uses his role as Technical Director to drive the company’s vision to transform business online in delivering its mission to forge agile technical partnerships that accelerate web success. Carl boasts an illustrious career spanning over two decades. Starting as a fledgling web developer in his teens, he swiftly ascended the ranks, honing his skills in architecting secure web application infrastructure. With his finger on the pulse of emerging web technologies, Carl has tracked and influenced the ever-changing world of cyber security, internet governance, industry regulations and information security compliance, ensuring Pipe Ten successfully achieved and maintains ISO/IEC 27001 certification.