SSL vs TLS vs STARTTLS - What's what with email encryption?

TLS is a successor to SSL. SSL was developed in 1995 and, while dealing with security issues, went through 3 versions before someone wrote a similar but new protocol to try to address some of the issues inherent in SSL. This new protocol was TLS.

You should be using TLS. SSL 2.0 was deprecated by the Internet Engineering Task Force in 2011 and SSL 3.0 was deprecated in 2015.

I don't understand how to categorize "StartTLS". I partially understand it as a protocol. But some websites describe it as a "protocol extension". Other websites describe it as a "protocol command".

If it's an extension, is it an extension of just the TLS protocol? Just SSL? Or is it an extension of any protocol that supports some subset of standards (that subset being contained in TLS/SSL or both)?

If it's a command, is it up to the implementation software to handle the command?

Whatever it is, it's used by a client to tell a server to turn a regular connection into a secure connection. Even though "tls" is in the name of the protocol, it can be used to start either a TLS or an SSL connection.

Do you need to use both SSL/TLS and StartTLS?

No. I think StartTLS is just so that you can negotiate a secure connection from an insecure one. SSL and TLS have security built into the connection protocol. If SSL or TLS software is running, then that port will only accept secure connections. You can't talk to it at all unless your client initiates the connection over the secure protocol.

If your software accepts insecure connections, then you can support both secure and insecure connections. If a client that doesn't support SSL or TLS wants to connect, it can. If a client does want a secure connection, then it can use StartTLS to upgrade the insecure connection.
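An added example (an editor's illustration, not part of the original post) that acts out the two models the question contrasts, written in Go against the standard library only: a minimal SMTP server and a net/smtp client are wired together over an in-memory net.Pipe, with a throwaway self-signed certificate generated at run time. In STARTTLS mode the banner and the first EHLO cross the wire in the clear, the client checks that the server advertises STARTTLS, sends the STARTTLS command, and the TLS handshake then runs on that same socket. In implicit mode (the port 465 style) the handshake is the first thing on the wire and the banner is already encrypted. The third run shows what the last paragraph above describes: a plaintext client connecting to an implicit-TLS port just waits for a banner that never comes. The hostname mail.example.test, the 3-second deadline and the server's reply strings are assumptions of the example.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/smtp"
	"strings"
	"time"
)

// Assumed hostname for the throwaway self-signed certificate; not a real host.
const serverName = "mail.example.test"

// testConfigs makes a self-signed server certificate in memory and a client
// config that trusts only it, so the client really verifies the server.
func testConfigs() (srv, cli *tls.Config) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// Tickets are off only because net.Pipe is synchronous; this is not a hardening choice.
	srv = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	cli = &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	return srv, cli
}

// smtpServer is a minimal SMTP server on one end of a connection. With implicit=true (port 465
// style) the TLS handshake precedes every SMTP byte; otherwise it talks plaintext and upgrades
// the very same socket when the client sends the STARTTLS command (port 587 style).
func smtpServer(conn net.Conn, cfg *tls.Config, implicit bool) {
	defer conn.Close()
	if implicit {
		conn = tls.Server(conn, cfg) // writing the banner below runs the handshake first
	}
	r := bufio.NewReader(conn)
	fmt.Fprintf(conn, "220 %s ESMTP ready\r\n", serverName)
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return // a plaintext client on the implicit port never gets past the handshake
		}
		cmd := strings.ToUpper(strings.TrimSpace(line))
		_, secure := conn.(*tls.Conn)
		switch {
		case strings.HasPrefix(cmd, "EHLO") && secure: // RFC 3207: STARTTLS is not offered once TLS is up
			fmt.Fprintf(conn, "250 %s\r\n", serverName)
		case strings.HasPrefix(cmd, "EHLO"):
			fmt.Fprintf(conn, "250-%s\r\n250 STARTTLS\r\n", serverName)
		case cmd == "STARTTLS" && !secure:
			fmt.Fprint(conn, "220 2.0.0 Ready to start TLS\r\n")
			conn = tls.Server(conn, cfg) // same socket; the next read runs the TLS handshake on it
			r = bufio.NewReader(conn)    // fresh reader: nothing from the plaintext phase carries over
		default:
			fmt.Fprint(conn, "500 unknown command\r\n")
		}
	}
}

// smtpClient drives net/smtp against that server and returns the negotiated TLS version.
// In STARTTLS mode it refuses to go on if the capability is missing, because a stripped
// STARTTLS line is the classic downgrade attack against this scheme.
func smtpClient(conn net.Conn, cfg *tls.Config, implicit bool) (uint16, error) {
	defer conn.Close()
	if implicit {
		conn = tls.Client(conn, cfg) // the ClientHello is the first thing on the wire
	}
	c, err := smtp.NewClient(conn, serverName) // reads the 220 banner (in the clear for STARTTLS)
	if err != nil {
		return 0, err
	}
	if !implicit {
		if ok, _ := c.Extension("STARTTLS"); !ok { // EHLO in plaintext, then look for the capability
			return 0, errors.New("STARTTLS not offered; refusing to continue in cleartext")
		}
		if err := c.StartTLS(cfg); err != nil { // STARTTLS, 220, handshake, then EHLO again inside TLS
			return 0, err
		}
	}
	st, _ := c.TLSConnectionState() // always a *tls.Conn here: wrapped up front or by StartTLS
	return st.Version, nil
}

// runSMTP connects one client and one server over an in-memory pipe. The client-side
// deadline turns "plaintext client on an implicit-TLS port" from a hang into an error.
func runSMTP(serverImplicit, clientImplicit bool) (uint16, error) {
	srv, cli := testConfigs()
	c, s := net.Pipe()
	c.SetDeadline(time.Now().Add(3 * time.Second))
	go smtpServer(s, srv, serverImplicit)
	return smtpClient(c, cli, clientImplicit)
}

func main() {
	fmt.Println(runSMTP(false, false)) // STARTTLS upgrade on one socket
	fmt.Println(runSMTP(true, true))   // implicit TLS: the banner is never seen in the clear
	fmt.Println(runSMTP(true, false))  // plaintext client on the implicit port: read timeout
}
```

Two things are worth noticing. The client treats a missing STARTTLS capability as an error rather than carrying on in plaintext: an opportunistic client that merely prefers TLS is exactly what a man-in-the-middle defeats by deleting that one line from the EHLO reply. And after the upgrade the server stops advertising STARTTLS, as RFC 3207 requires, while net/smtp re-issues EHLO inside the tunnel because the capability list it saw in plaintext cannot be trusted.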
