SSL vs. TLS!

[nakamura12]

This is why should HTTP websites transfer to HTTPS by installing certificates and people should think how safe you are in HTTPS websites and this will help us why we should be very careful even if it's an HTTPS websites. HTTPS websites may be encrypted but some people like scammers use SSL/TLS certificates to create a phishing site (such as fake website and impostors), scam gambling site, malicious websites and more.

SSL vs TLS: What are the differences of the TWO CERTIFICATES?

If you are reading about TLS and SSL then i'm sure you already know about these two certificate to encrypt important data. These two certificate are used mostly in HTTPS sites. The reason why HTTP sites transfer to HTTPS by installing a certificate. There are different certificate that a website can install. Example of certificates are SSL, TLS, SSH and more. Just the SSL alone there are 6 options that you can choose to secure your website as possible. You can learn about the 6 options of certificate types to install on your website. https://www.liquidweb.com/blog/ssl-certificates/

Now, let's go back to the difference about SSL and TLS.

First, What is SSL? What does SSL stands for?

SSL means Secure Sockets Layer. SSL is a security protocol that binds your server with encryption for online communication. In 1994, Netscape invented SSL to offer security to data transition. It establishes a secure connection between the visitor’s web browser and web server, allows a transition of information without fear of eavesdropping, data theft, message forgery. When SSL is enabled on the website, it changes website URL from http to https. An extra “S” ensures that the website is secured with robust encryption and safe for online transactions. To enable SSL on the website, a web server needs an SSL certificate issued by a certificate authority.
For example, if a visitor on a website transmitting confidential information like credit card, debit card data, or internet banking, the website must have an SSL certificate to encrypt the passing information. If the website is not secured by SSL, no one is going to trust it.

SSL is a boon for website that performs online transactions or has login page. SSL helps to enhance ROI of a business by winning the assurance of visitors and customers. When a website owner makes a request for an SSL certificate, the CA (certificate authority) affirms the details of an organization and issue an SSL certificate. Email servers, web-based applications, and server-to-server communications can be secured with SSL.

Here is an IMAGE showing how SSL WORKS.

What is TLS? What does TLS means?

TLS means Transport Layer Security. It is now-deprecated predecessor, Secure Sockets Layer (SSL).

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) should have one or more of the following properties:

The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret that was negotiated at the start of the session. The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted. The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.

These are the examples of Asymmetric Key Algorithms that is used to encrypt sensitive information or important data that should be kept safe as possible check this site for more information about these used algorithms.
https://www.ssl2buy.com/wiki/diffie-hellman-rsa-dsa-ecc-and-ecdsa-asymmetric-key-algorithms

Visit this site for more information about the algorithms that are used.
https://en.wikipedia.org/wiki/Transport_Layer_Security

You can check the SSL of a website using a SSL checker like this
https://www.ssl2buy.com/wiki/ssl-installation-checker


How safe you think about SSL/TLS and who can USE IT. Refer quote below.

I think it's important to add - or remember - that sites using SSL / TLS encryption are not always "legit" or "secure" because the connection is encrypted.

A malicious site, scam site, etc .. can use SSL / TLS certificates too. It's pretty easy now with a lot of services offering free certificates. I'm sure a lot of scam sites or phishing sites exposed here had SSL / TLS encryption enabled.

I see a lot of people on Internet thinking "Hey, there is a green padlock symbol, so it's safe to enter some personal info". It's not. You are wrong. It only means that the transmission is encrypted. But if the guy behind the site is malicious, then you are fucked as well.

Now you'll know what are the difference between the SSL and TLS.


Note: I'll still be adding more information which I didn't add yet or forgot to add.

Source:
https://www.globalsign.com/en/blog/ssl-vs-tls-difference/
https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
https://www.ssl2buy.com/wiki/what-is-ssl-secure-sockets-layer
https://www.ssl2buy.com/wiki/ssl-vs-tls
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://www.ssl2buy.com/wiki/ssh-vs-ssl-tls
https://www.ssl2buy.com/wiki/ssl-installation-checker

[UserU]

TIL. I didn't even know SSL had long depreciated since there were articles advocating for it, or the terms were used interchangeably.

[nakamura12]

TIL. I didn't even know SSL had long depreciated since there were articles advocating for it, or the terms were used interchangeably.

Yes, most website nowadays are https by installing a certificate that will encrypt any sensitive data. Most know that http is more vulnerable to hackers which there is no certificate install such as SSL, TLS, SSH and more. Most commonly used certificate are SSL and TLS. Some websites have their website used SSL and TLS.

Edit: Even SSL also supports different types of algorithms same as TLS and these are the supported algorithms in SSL Symmetric algorithms supported in SSL are DES, 3DES, ARCFOUR, AES, Camellia, RC2, IDEA, SEED, NULL (no encryption).

[Perkjeff]

I think it's important to add - or remember - that sites using SSL / TLS encryption are not always "legit" or "secure" because the connection is encrypted.

A malicious site, scam site, etc .. can use SSL / TLS certificates too. It's pretty easy now with a lot of services offering free certificates. I'm sure a lot of scam sites or phishing sites exposed here had SSL / TLS encryption enabled.

I see a lot of people on Internet thinking "Hey, there is a green padlock symbol, so it's safe to enter some personal info". It's not. You are wrong. It only means that the transmission is encrypted. But if the guy behind the site is malicious, then you are fucked as well.

[nakamura12]

I think it's important to add - or remember - that sites using SSL / TLS encryption are not always "legit" or "secure" because the connection is encrypted.

A malicious site, scam site, etc .. can use SSL / TLS certificates too. It's pretty easy now with a lot of services offering free certificates. I'm sure a lot of scam sites or phishing sites exposed here had SSL / TLS encryption enabled.

I see a lot of people on Internet thinking "Hey, there is a green padlock symbol, so it's safe to enter some personal info". It's not. You are wrong. It only means that the transmission is encrypted. But if the guy behind the site is malicious, then you are fucked as well.

Yes I know about it. I think you may not read it but I still give warning about websites that are HTTPS. Anyway, I'll edit the op to add some information. I make it into bold stating that this will help us very careful even if it's HTTPS websites and the reason why is what you have stated.

[Perkjeff]

I think it's important to add - or remember - that sites using SSL / TLS encryption are not always "legit" or "secure" because the connection is encrypted.

A malicious site, scam site, etc .. can use SSL / TLS certificates too. It's pretty easy now with a lot of services offering free certificates. I'm sure a lot of scam sites or phishing sites exposed here had SSL / TLS encryption enabled.

I see a lot of people on Internet thinking "Hey, there is a green padlock symbol, so it's safe to enter some personal info". It's not. You are wrong. It only means that the transmission is encrypted. But if the guy behind the site is malicious, then you are fucked as well.

Yes I know about it. I think you may not read it but I still give warning about websites that are HTTPS. Anyway, I'll edit the op to add some information. I make it into bold stating that this will help us very careful even if it's HTTPS websites and the reason why is what you have stated.

Yes, I saw your warning but not the reason why  Or may be you were thinking about another reason too.

Anyway, thank you for the edit. It's appreciable someone taking care of his topic instead of only posting a message an never coming back.

Unfortunately, there are a lot of situation like this here :/ So thank you OP 

[akirasendo17]

SSL and TLS in not only for the website itself , for example in the domain name, this domain can also be use for emails like example: test@domainnme.com, we use also this settings , for the email to pass-through or else if you setup an email, in athird party email client
it wont work, SSL also encrypts the message, that travels example to the cloud , but after the email has been sent its no longer encrypted or the email has been recieved, thanks for the informative post, i think i already made a post like this one but still this is helpful nice job

[nakamura12]

SSL and TLS in not only for the website itself , for example in the domain name, this domain can also be use for emails like example: test@domainnme.com, we use also this settings , for the email to pass-through or else if you setup an email, in athird party email client
it wont work, SSL also encrypts the message, that travels example to the cloud , but after the email has been sent its no longer encrypted or the email has been recieved, thanks for the informative post, i think i already made a post like this one but still this is helpful nice job

Thank you for appreciating this thread. I'll edit it again right away and add your statement about SSL and TLS. I'll just quote it because I don't wanna take credit about the information you provide. It's good that people should know how safe if a site have encrypted data using the certificate's algorithm for encryption.

Yes, I saw your warning but not the reason why  Or may be you were thinking about another reason too.

Anyway, thank you for the edit. It's appreciable someone taking care of his topic instead of only posting a message an never coming back.

Unfortunately, there are a lot of situation like this here :/ So thank you OP 

Threads like this should be full of information and since I did not complete fill other details about the SSL and TLS pros and cons so that is why I edited and add some warnings. I have read a reply that the information you can search in the internet are not all correct and some are misleading that will do harm or put a person in trouble like losing funds and other stuff.

[jademaxsuy]

Please check your thread image link were broken. I was following your thread to see some guide you made. It was interesting but it could not be good to see some broken image. Anyway, thanks for this information I was doing research on this one following a certain information regarding on how to deteemine fake and legit site through domain extension. I am not technically incline user so this is why I made some especially in regards to internet and cryptocurrency.

[NotATether]

Nice guide, I think I wrote about this several weeks ago on my blog. As someone else on this thread mentioned, you cannot just trust TLS certificates, especially since you can easily get a free TLS certificate from Lets Encrypt or Cloudflare, you must also trust the owner of the site before you put any personal information in there. TLS certficates do not protect you from bad websites; They only protect you, and the server, from having your connection eavesdropped by a third party (malware, government agencies, etc). HTTPS actually prevents governments from censoring individual pages on websites because the connection is obfuscated, and it forces them to choose between blocking the entire site, or not blocking it at all.

Not just SSL, but you should not even be using TLS 1.0 or 1.1 on HTTPS connections as those versions have practical exploitable vulnerabilities. They are also very ancient, TLS 1.0 was stadardized in 1999, and 1.1 was standardized in 2006. Both of these versions have been disabled in newer browser versions. You should be using at least TLS 1.2, and even better, TLS 1.3 if the site supports it. 1.3 is a fairly new standard from 2018 that removes a lot of features that are not commonly used, so the less features a protocol has, the fewer attack vectors there are to attack it. And you can read about all this stuff on Wikipedia https://en.m.wikipedia.org/wiki/Transport_Layer_Security

I should note that you can't really choose which TLS version is activated; it depends entirely on whether the web server supports it, and if they don't, then their web server software is VERY outdated considering TLS 1.2 was released im 2008, so that old software has other well-known holes and exploits and you should avoid putting any personal information in them entirely. And if you have one of them and are reading this, now is a good time to upgrade your OpenSSL version to newer than 1.0.1f because the Heartbleed vulnerability inside them lets anyone steal the private keys used in TLS handshakes (ouch.)

I've always held the opinion that web server software like Apache and nginx should automatically update to newer versions of the software without user intervention. (package manager automatic updates aren't good enough since it takes time for newer versions to become available, or the latest version available on the repo might be an older version.) Wordpress does it, and it's particularly important for this class of software because there are thousands of websites on the internet that will never be updated. It is best to control the mass patching while you can!

[KingsGambet19]

Getting into the right domain is the right thing to do. If one will be lost or getting phished out the  good luck to the funds at held. This is one of the difficult things to avoid especially if one will not carefully look for the domain correctly. See sample of phishing site I read and reacted in one of our local board posted by @Bafoeng.

Coins.ph Phishing Links

ċoins.ph (xn--oins-4ta.ph)
ćoins.ph (xn--oins-kta.ph)
cóins.ph (xn--cins-qqa.ph)
cȯins.ph (xn--cins-v0b.ph)
ƈoins.ph (xn--oins-zcb.ph)
coĭns.ph (xn--cons-1ya.ph)
coɩns.ph (xn--cons-68b.ph)
coȋns.ph (xn--cons-rvb.ph)
coǐns.ph (xn--cons-cnb.ph)
coỉns.ph (xn--cons-ww5a.ph)
coiňs.ph (xn--cois-x2a.ph)
coiꞑs.ph (xn--cois-7t8o.ph)
coinș.ph (xn--coin-txb.ph)
coinš.ph (xn--coin-j6a.ph)
coinś.ph (xn--coin-o5a.ph)
coinʂ.ph (xn--coin-tdc.ph)
coinŝ.ph (xn--coin-y5a.ph)
coinṣ.ph (xn--coin-ei5a.ph)
coinṡ.ph (xn--coin-3h5a.ph)
coiǹs.ph (xn--cois-7sb.ph)
coiṉs.ph (xn--cois-ne5a.ph)
coiñs.ph (xn--cois-iqa.ph)
coiṅs.ph (xn--cois-2d5a.ph)
coiņs.ph (xn--cois-n2a.ph)
coińs.ph (xn--cois-d2a.ph)
coɨns.ph (xn--cons-18b.ph)
coıns.ph (xn--cons-mza.ph)
coiṇs.ph (xn--cois-de5a.ph)
coïns.ph (xn--cons-6pa.ph)
coīns.ph (xn--cons-rya.ph)
coịns.ph (xn--cons-6w5a.ph)
coíns.ph (xn--cons-wpa.ph)
coìns.ph (xn--cons-rpa.ph)
cọins.ph (xn--cins-gx5a.ph)
cơins.ph (xn--cins-lgb.ph)
cöins.ph (xn--cins-5qa.ph)
cỏins.ph (xn--cins-qx5a.ph)
ĉoins.ph (xn--oins-uta.ph)
čoins.ph (xn--oins-fua.ph)
çoins.ph (xn--oins-zoa.ph)

Pdax Phishing links

ƿdax.ph (xn--dax-qbb.ph)
ṕdax.ph (xn--dax-26y.ph)
ƥdax.ph (xn--dax-r7a.ph)
pḏax.ph (xn--pax-3yy.ph)
ṗdax.ph (xn--dax-b7y.ph)
pḋax.ph (xn--pax-nyy.ph)
pdàx.ph (xn--pdx-bla.ph)
pdɑx.ph (xn--pdx-hsb.ph)
pḑax.ph (xn--pax-czy.ph)
pdąx.ph (xn--pdx-jpa.ph)
pdăx.ph (xn--pdx-bpa.ph)
pdạx.ph (xn--pdx-tgz.ph)
pdǎx.ph (xn--pdx-idb.ph)
pdäx.ph (xn--pdx-rla.ph)
pdãx.ph (xn--pdx-nla.ph)
pdáx.ph (xn--pdx-fla.ph)
pdâx.ph (xn--pdx-jla.ph)
pdåx.ph (xn--pdx-vla.ph)
pɖax.ph (xn--pax-0sb.ph)

You cannot almost see the domain difference but if you always being careful then there is no point of you getting phished out.

[Husna QA]

-snip-
Here is an IMAGE showing how SSL WORKS.

Please check your thread image link were broken. I was following your thread to see some guide you made. It was interesting but it could not be good to see some broken image. -snip-

There seems to be a slight flaw in writing image source site links. It should be like this:

Code:

https://www.websitetoon.com/wp-content/uploads/2018/07/SSL.png

I try to fix the link and adjust the display size of the image as follows:

[nakamura12]

The image is now fixed and shown correctly thanks to husna QA for fixing. I didn't notice that the bbcode of changing the size of image made it like that. So now, the image has been fixed and updated. Maybe it's the size I input that it may be oversize for the forum to display.

[NotATether]

You should fix this too:

Code:

You[img][/img] can check the SSL of a website using a SSL checker like this
https://www.ssl2buy.com/wiki/ssl-installation-checker

You don't need the [img] tag in the middle of the sentence, it just generates an invalid image error because no image is linked, and also it messes up the text flow.

[nakamura12]

You don't need the [img] tag in the middle of the sentence, it just generates an invalid image error because no image is linked, and also it messes up the text flow.

Thanks. I have fixed it now. I haven't notice it until I opened the thread and found an image error and your reply. I have used it before and I forgot to removed it when i'm editing the thread to fix the image as husna qa helped. I know the cause of it why there is a Bbcode in that sentence.