localwebadvisor
WIKI← Wiki home

TLS vs SSL: What's the Difference?

By FayUpdated Jul 9, 2026EVERGREEN
⚡ THE ANSWER

TLS (Transport Layer Security) is the modern encryption protocol that secures data traveling between a browser and a website, and it is the direct successor to the older, now-deprecated SSL (Secure Sockets Layer). The two names are used interchangeably in everyday speech, so people still say SSL certificate even though every secure site today actually runs on TLS. The distinction matters mainly for accuracy and security: real SSL versions are obsolete and unsafe, while current TLS versions protect your visitors.

SSL status
All SSL versions (1.0-3.0) are deprecated and insecure (IETF)
Current standard
TLS 1.3, published 2018, with TLS 1.2 still widely supported (IETF RFC 8446)
Everyday naming
"SSL certificate" now means a TLS certificate in practice
Browser signal
HTTPS padlock indicates an active TLS connection (Google Search Central)

What are SSL and TLS? #

SSL and TLS are cryptographic protocols that encrypt the connection between a visitor's browser and a website's server so that data such as passwords, contact form details, and payment information cannot be read or tampered with in transit. SSL, or Secure Sockets Layer, was developed in the mid-1990s and went through versions 1.0, 2.0, and 3.0. Each had security weaknesses, and by the late 2010s all SSL versions were formally deprecated because they could be exploited. TLS, or Transport Layer Security, replaced SSL starting in 1999 with TLS 1.0 and has evolved through 1.1, 1.2, and the current 1.3. Functionally, TLS does the same job SSL did but far more securely and efficiently. When you see a padlock in the browser address bar, your connection is protected by TLS, not SSL, regardless of what the certificate is called. For a fuller primer on how this protection works and why it matters, see /wiki/what-is-an-ssl-certificate.

Why do people still say SSL? #

The term SSL stuck because it dominated the industry for years before TLS became standard, and marketing never caught up with the technology. Certificate authorities still sell products labeled SSL certificates, hosting dashboards say enable SSL, and business owners ask for an SSL. In practice, every one of those certificates works with TLS, and the SSL name is simply a familiar label that never got retired. This is not incorrect in casual use, but it can cause confusion when someone assumes the old SSL protocol is still running. It is not. The certificate you install is protocol-agnostic; it authenticates your site's identity and enables encryption, and the actual handshake and encryption are handled by TLS. So when a client asks us to set up SSL, we install a certificate and configure modern TLS. The naming gap is harmless as long as you understand that behind every SSL certificate today is TLS doing the real security work. Our /services/website-security team handles this configuration correctly so your site uses current protocols.

How does a TLS connection actually work? #

A TLS connection begins with a handshake. When a browser requests a secure page, the server presents its certificate, which contains a public key and is signed by a trusted certificate authority. The browser verifies that the certificate is valid, unexpired, and issued for the correct domain. The two then negotiate an encryption method and exchange keys so that all subsequent data is scrambled and can only be read by the intended parties. TLS 1.3 streamlined this handshake, reducing the number of round trips and speeding up secure connections while removing older, weaker cipher options. The result is that a form submission, login, or checkout on your site is encrypted end to end, protecting both your visitors and your reputation. If any step fails, such as an expired or mismatched certificate, the browser shows a warning that scares visitors away. Keeping certificates valid and TLS configured correctly is part of ongoing maintenance, which our /services/care-plans cover so you never get caught with an expired certificate or an insecure protocol version.

Is my site running SSL or TLS? #

Your site is running TLS, full stop. No modern browser or server negotiates a real SSL connection anymore because those versions are disabled for security reasons. What you have is a certificate, commonly called an SSL certificate, that enables a TLS-encrypted connection. You can confirm this: the padlock icon in the address bar and the https prefix both indicate an active TLS session. To check which TLS version and cipher suites your server supports, security scanners and your hosting control panel report the details. Ideally your server supports TLS 1.2 and TLS 1.3 and has disabled all SSL versions and the older TLS 1.0 and 1.1, which are also deprecated. If you are unsure whether your configuration is current, our /tools/website-grader gives a quick read on whether HTTPS is active, and our /services/website-security review checks that outdated protocols are turned off and strong ciphers are in use so your encryption meets today's standards rather than yesterday's.

Why does the SSL versus TLS distinction matter for security? #

The distinction matters because running genuinely outdated protocols exposes your visitors. The old SSL 2.0 and 3.0 versions are vulnerable to well-documented attacks, and even early TLS versions have known weaknesses. If a server is misconfigured to still accept these, an attacker on the same network could potentially downgrade the connection and intercept data. Payment processors and compliance standards such as PCI DSS explicitly require that SSL and early TLS be disabled, so an e-commerce site accepting cards must use modern TLS or risk failing compliance. For local businesses this is not abstract: a dentist collecting patient details or a law firm handling client intake forms has both a legal and ethical duty to protect that data. Ensuring only current TLS versions are enabled is a basic but essential safeguard. Our /services/website-security service audits and hardens your TLS configuration, and for stores handling payments, /services/ecommerce-development builds on secure foundations. Understanding what a /wiki/what-is-a-payment-gateway does alongside TLS rounds out the security picture.

Do TLS and SSL affect SEO and trust? #

Yes, on both counts. Google has used HTTPS, which is HTTP secured by TLS, as a ranking signal for years, and modern browsers actively mark non-HTTPS pages as Not Secure, which erodes visitor trust the moment they land. A site without valid TLS shows warning screens that most people immediately abandon, costing you leads and sales. Beyond rankings, the padlock has become a baseline trust cue: visitors expect it, and its absence signals an unprofessional or risky site. For a local business competing for clicks, a clean, secure connection is table stakes. TLS also protects the integrity of your pages, preventing injected ads or content from being inserted by intermediaries on unsecured connections. The practical takeaway is that every business site should have valid TLS enabled and forced across all pages. Our /services/web-design builds every site with HTTPS from day one, and /services/local-seo work assumes a secure foundation because ranking and trust both depend on it. See /wiki/what-are-ai-overviews for how secure, trusted sites also factor into modern AI search.

What is an HTTPS connection's relationship to TLS? #

HTTPS stands for Hypertext Transfer Protocol Secure, and it is simply standard HTTP wrapped in a TLS-encrypted layer. When your browser loads a page over HTTPS, it is using HTTP for the web content and TLS underneath to encrypt that traffic. So HTTPS and TLS are closely linked: HTTPS is the secure web protocol that visitors interact with, and TLS is the encryption engine that makes it secure. A valid certificate is what allows the TLS layer to establish trust and encryption. Without TLS, there is no HTTPS, only plain HTTP that transmits data in readable form. This is why enabling a certificate, forcing HTTPS site-wide, and keeping TLS current all work together as one security setup. Redirecting all traffic from HTTP to HTTPS ensures no visitor accidentally lands on the insecure version. Our companion entry /wiki/what-is-an-https-redirect explains how to force that switch correctly, and our /services/website-security team configures both the certificate and the redirect so every visit is encrypted.

How do you keep TLS certificates current and valid? #

TLS certificates have expiration dates, commonly ranging from 90 days for automated free certificates to a year or more for paid ones. An expired certificate triggers alarming browser warnings that block visitors, so renewal is critical. Many modern hosts and certificate providers automate renewal, especially with free certificates from services like Let's Encrypt, which renew every 90 days without manual intervention. Still, misconfigurations, domain changes, or lapsed automation can cause certificates to expire unexpectedly, taking a business site offline in the eyes of visitors. Beyond renewal, keeping the server's TLS configuration updated matters too, since new versions and cipher recommendations evolve as older ones are retired. Proactive monitoring catches problems before customers do. Our /services/care-plans include certificate monitoring and renewal so your site never shows an expired-certificate warning, and our /services/managed-hosting environments handle automated TLS provisioning. If your certificate has already lapsed and your site is showing warnings, /services/website-rescue can restore secure access quickly and audit why the lapse happened.

FAQ

Is SSL still used today?

No. All SSL versions are deprecated and disabled in modern browsers and servers because they contain security vulnerabilities. Although people still say SSL out of habit and certificates are still marketed as SSL certificates, the actual encryption on every secure site today is handled by TLS, the newer and safer successor protocol.

Should I ask for an SSL certificate or a TLS certificate?

Either term works; you will get the same thing. Certificate authorities and hosts almost universally label the product an SSL certificate even though it enables a TLS connection. When our /services/website-security team sets one up, we install the certificate and configure current TLS versions, so the naming does not change what you receive.

Which TLS version should my website use?

Your server should support TLS 1.2 and TLS 1.3 and disable all SSL versions plus the older TLS 1.0 and 1.1, which are also deprecated. TLS 1.3 is faster and more secure. If you are unsure, /services/website-security can audit your configuration and turn off outdated protocols so your encryption meets current standards.

Does TLS slow down my website?

Barely, and modern TLS 1.3 actually reduces the handshake overhead compared to older versions. Any tiny cost is far outweighed by the security, SEO, and trust benefits. If your site feels slow, the cause is almost always page weight or server response rather than TLS. Our /services/speed-optimization service addresses the real bottlenecks.

What happens if my TLS certificate expires?

Browsers display a full-page warning that the connection is not secure, which blocks most visitors from proceeding and effectively takes your site offline for them. Automated renewal prevents this. Our /services/care-plans monitor and renew certificates, and if yours has already lapsed, /services/website-rescue can restore secure access quickly.

Is HTTPS the same as TLS?

Not exactly. HTTPS is the secure web protocol visitors use, and TLS is the encryption layer underneath it that makes HTTPS secure. HTTPS is essentially HTTP wrapped in TLS. You need a valid certificate for the TLS layer, then force all traffic to HTTPS, which our /wiki/what-is-an-https-redirect entry explains in detail.

Was this helpful?