TLS explained – Transport Layer Security vs SSL | GUIDE

Not yet familiar with TLS?

This guide provides an explanation and practical implementation tips!

Let’s get started.

What is TLS?

TLS stands for Transport Layer Security and is a standardised protocol for encrypting computer communication. Most of us use Transport Layer Security (TLS) every day in the form of HTTPS, which securely transmits texts, PDFs, web pages, form content, videos and audio.

TLS Cipher Suite

TLS is not limited to the web; it is suitable for other connections too. TLS encrypts with a hybrid of asymmetric and symmetric cryptography. The asymmetric part is secure but slow and serves only to give the symmetric part a jump-start; the symmetric part then carries the user data efficiently and securely, like a beast of burden.

TLS defines the exact algorithms through Cypher Suites (explained below), which both client and server must support.

TLS vs SSL – Which is more secure?

What is SSL? Secure Sockets Layer is an outdated protocol for encrypting communication and the predecessor of TLS. Netscape developed the first SSL version for its own (then successful) browser in 1995.

Netscape wanted to get ahead of standardisation and tried to make the Internet secure (well-intentioned, poorly implemented). Today, all SSL versions from 1.0 to 3.0 are considered insecure and outdated. In 2026, many companies still advertise with

After 15 years of TLS, many people still do not realise that the replacement has taken place, or users expect "SSL encryption" because marketing popularised the term between 1995 and around 2000. Websites that advertise SSL often use TLS. A modern browser such as Firefox warns you about a genuine SSL connection.

Steffen Lippke

The first meeting – The TLS handshake

The TLS handshake is performed by the client and server at the start of the session.

In the handshake procedure, the client and server agree on a collection of algorithms (a Cypher Suite). The most important step in this procedure is the computationally intensive key exchange.

The client and server then use the resulting key to transmit web pages, audio and video quickly and efficiently. Using purely asymmetric cryptography for this would take too long and is very computationally intensive.

What are the Cypher Suites?

A cypher suite is a well-defined, named collection of cryptographic methods. The server and the client should each be capable of several methods.

Because various hardware and software communicate with each other on the Internet, the software must agree on a selection of cryptography.

A correctly programmed server should ideally reject insecure procedures and terminate communication. Security should take precedence over compatibility!

Steffen Lippke

Old devices and software (zombie clients) offer the requested server an outdated method such as Ron's Cypher 4 (RC4), for example, but the server requires Advanced Encryption Standard (AES) encryption.

A Cypher Suite consists of four elements:

  1. A key exchange protocol that allows the client and server to establish symmetric encryption.
    Short-lived Diffie-Hellman keys (DHE) or elliptic curves (ECC)
  2. A hash algorithm for signing messages and verifying the transmission.
    Secure Hash Algorithm 3 with 256 bits (SHA-3-256)
  3. A symmetric encryption algorithm that encrypts the main content (images, audio, video and text)
    Advanced Encryption Standard (AES) with a 256-bit long key
  4. The algorithm for authentication on the client / server
    RSA / DSA

The name of a Cypher Suite consists of a string of abbreviations separated by underscores (_) (super original):

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
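As an added example (not code from the original guide), this Python snippet splits suite names into the four elements listed above, tells the TLS 1.3 form apart from the TLS 1.2 form, and models the server rule from the zombie-client paragraph: pick a mutually supported, non-weak suite or terminate. The weak-token list and the sample offers are constructed for the example.

```python
# Tokens a defender treats as disqualifying: RC4 from the text plus other
# historical weak elements. Constructed for this example, not an official list.
WEAK_TOKENS = {"RC4", "NULL", "EXPORT", "EXPORT1024", "DES", "3DES", "MD5", "ANON"}


def parse_suite(name):
    """Split a cipher suite name into the four elements the guide lists.

    TLS 1.2 names: TLS_<key exchange>_<auth>_WITH_<cipher>_<hash>; a single
    token before WITH (TLS_RSA_WITH_...) means static RSA does both jobs.
    TLS 1.3 names (TLS_AES_256_GCM_SHA384) carry only cipher and hash, because
    key exchange and authentication are negotiated outside the suite name.
    """
    parts = name.split("_")
    if parts[0] != "TLS" or len(parts) < 3:
        raise ValueError("not a TLS cipher suite name: %r" % name)
    if "WITH" not in parts:
        return {"tls13": True, "kx": None, "auth": None,
                "cipher": "_".join(parts[1:-1]), "hash": parts[-1]}
    i = parts.index("WITH")
    head = parts[1:i]
    if len(head) == 1:
        kx = auth = head[0]
    elif len(head) == 2:
        kx, auth = head
    else:
        raise ValueError("unexpected key exchange/auth part in %r" % name)
    return {"tls13": False, "kx": kx, "auth": auth,
            "cipher": "_".join(parts[i + 1:-1]), "hash": parts[-1]}


def is_weak(name):
    """True if any element of the suite is on the weak list; compared
    case-insensitively so that TLS_DH_anon_... is caught as well."""
    return any(tok.upper() in WEAK_TOKENS for tok in name.split("_"))


def choose_suite(client_offer, server_preference):
    """Server-side selection: the first suite in the server's preference order
    that the client also offers and that is not weak. Returns None when nothing
    acceptable remains, i.e. the server terminates the handshake instead of
    falling back to an insecure procedure (the zombie-client case above)."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered and not is_weak(suite):
            return suite
    return None
```

A client that only offers TLS_RSA_WITH_RC4_128_SHA therefore gets None from choose_suite, which is the "terminate communication" outcome the guide asks for.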

TLS guide for everyone

How can I use TLS?

As an end user, you have to hope that the website operator uses a modern version of TLS (1.2 or 1.3). Often the redirection from HTTP to HTTPS does not work, so try inserting an s after http. Firefox offers the HTTPS-Everywhere extension, which makes the browser automatically look for the HTTPS version. If you upgrade your TLS version to 1.3, also upgrade from HTTP/1 or HTTP/2 to HTTP/3 (QUIC) to speed up the transmission.

In the URL bar

How can I upgrade TLS 1.2 to TLS 1.3?

An upgrade to the newer version is only possible if both sides (client and server) are capable of TLS 1.3. The well-known modern browsers such as Google Chrome, Firefox, Safari and Opera support TLS 1.3. Old browsers cannot do anything with 1.2 or 1.3.

On the other hand, the server must also be able to handle this protocol. If the server or application can only handle unencrypted HTTP, a reverse proxy adds the encryption.

Alternatives to TLS

If an old server or application does not support TLS, Internet Protocol Security (IPSec) or the Virtual Private Network (VPN) are considered hacky alternatives.

Steffen Lippke

IPSec wraps all communication and IP packets in a dense wrapping paper (encapsulation). IPSec encrypts these packets and sends them to the receiving server. IPSec is particularly suitable for companies that have an old infrastructure and want to upgrade their outdated systems (legacy system) with encryption.

VPNs serve companies and private users alike; read the complete guide.

TLS Guide for website operators

Buy a certificate or get one for free

A certificate is the public part of the asymmetric key pair, together with metadata about the website, its owner and the issuer. It is signed by the certificate authority that issued it. The certificate authority validates the authenticity of the company/website, and your browser can check the certificate against the certificate authority.

Certificate for TLS

As a website operator, you have two options: use a free Let's Encrypt certificate or buy a certificate from another certificate authority.

Implied advantage of TLS

Since 2014, Google has treated the use of HTTPS as a relevant ranking factor. This means that websites that take their security seriously appear higher up on Google. Encryption makes sense in any case, because otherwise contact requests or comments would be sent to the website operator unencrypted and unprotected from modification.

HTTP/3

If you are upgrading anyway, use HTTP version 3 (QUIC) to increase the speed of transmission. QUIC does not transmit the content textually (UTF-8 with 8 bytes) but in binary format (only 0 and 1).

What comes after TLS? In the blog article on post-quantum cryptography, I explain what matters. Post-quantum cryptography improves the key exchange, which takes place via RSA. Quantum computers can crack RSA by factorisation.

Are free certificates insecure?

Let's Encrypt

A free certificate is not "bad", "cheap" or "insecure". A website with a free certificate uses the same crypto methods as a €250 certificate. Make sure that the HTTPS forwarding (.htaccess file) is set up correctly. Keys longer than 4096 bits are a must for modern websites in 2026!

Dangers with SSL / TLS

Criminals try to persuade the server to communicate via SSL or TLS 1.0 / 1.1 (downgrade attack). This approach helps them to read the encrypted content.

Others use a cunning strategy: they trick the user into believing that a secure connection exists when it is plain HTTP.

Green locks, green lettering and various seals from antivirus manufacturers look nice, but do not provide any security.

Steffen Lippke

Make sure that the URL bar always says https:// and not http://. Modern browsers now mark HTTP websites in red and display a crossed-out lock when you are on an HTTP website.
