The Transport Layer Security protocol makes it possible to communicate securely over a network. Without TLS, sensitive data such as login credentials are transmitted in plain text.
The protocol secures communication channels in three ways:
The terms SSL and TLS are used interchangeably but they are different protocols. The SSL protocol is deprecated and no longer used, and TLS is the successor of SSL. The name SSL has stuck, but when people talk about SSL they typically refer to TLS. An SSL certificate, for instance, is really a TLS certificate.
As at April 2021 there are two current versions of the TLS protocol: 1.2 and 1.3.
Protocol | Released | Deprecated | Notes |
---|---|---|---|
SSL 1.0 | N/A | N/A | Had too many security flaws to even be released. |
SSL 2.0 | 1995 | 2011 | Contained security issues from the start. |
SSL 3.0 | 1996 | 2014 | Vulnerable to the infamous POODLE exploit. |
TLS 1.0 | 1999 | 2020 | Designed as an improved version of SSL 3.0. |
TLS 1.1 | 2006 | 2020 | |
TLS 1.2 | 2008 | N/A | |
TLS 1.3 | 2018 | N/A | |
As said, TLS is used everywhere. Obviously, it is what puts the ‘S’ in ‘HTTPS’. It is also what enables secure email communication, secure FTP and SSH. The table below lists the most common protocols, together with the port number and whether or not TLS is used.
Protocol | Port | TLS |
---|---|---|
HTTP | 80 | No |
HTTPS | 443 | Yes |
IMAP | 143 | No |
IMAPS | 993 | Yes |
POP3 | 110 | No |
POP3S | 995 | Yes |
SMTP | 25 | No |
SMTP | 465 | Yes |
SMTP | 587 | Yes |
FTP | 21 | No |
FTPS | 990 | Yes |
FTPES | 21 | Yes |
Telnet | 23 | No |
SSH | 22 | Yes |
The FTP and SMTP protocols have two secure ports. FTPS (port 990) and SMTP over port 465 use explicit TLS. With explicit TLS the connection between a client and server is secured from the start. The connection fails if a secure connection can’t be established. This is different from implicit TLS (FTPES and SMTP over port 587). Implicit TLS starts with a plain text channel to allow the client and server to negotiate how to secure the channel. The logins are submitted only after the connection has been secured.
In particular SMTP over port 465 is a bit of an oddity. Officially, the port wasn’t used for secure SMTP for many years, but in practice it was used everywhere. You can use port 465 for SMTP on all our mail servers. However, you shouldn’t use port 990 for FTP – use FTPES instead.
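The two connection styles described above, shown from the mail client's side as an added example (not code from this page): port 465 is wrapped in TLS from the first byte, while port 587 starts in plain text and must be upgraded before any login is sent. The host names and the local test server are constructed for illustration.

```python
import smtplib
import socket
import ssl
import threading

def strict_context() -> ssl.SSLContext:
    """Verify the server certificate and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def open_mail_session(host, port, timeout=5.0):
    """Return an SMTP session that is inside TLS, or raise without logging in."""
    ctx, me = strict_context(), "client.example.test"  # hypothetical EHLO name
    if port == 465:
        # Secured from the start: the TLS handshake precedes any SMTP traffic.
        return smtplib.SMTP_SSL(host, port, local_hostname=me,
                                timeout=timeout, context=ctx)
    # Port 587 style: plain-text greeting first, then an upgrade to TLS.
    smtp = smtplib.SMTP(host, port, local_hostname=me, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # No fallback: without the upgrade, credentials would go in clear.
            raise RuntimeError("STARTTLS not offered; refusing plain-text login")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read inside the TLS channel
    except Exception:
        smtp.close()
        raise
    return smtp

def fake_plain_server() -> int:
    """Constructed local server that never offers STARTTLS; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
            conn.recv(1024)  # client's EHLO
            conn.sendall(b"250-mail.example.test\r\n250 AUTH PLAIN LOGIN\r\n")
            conn.recv(1024)  # returns once the client hangs up
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port
```

`smtplib`'s own `starttls()` also raises when the extension is missing; the explicit check keeps the refusal visible so that nobody later wraps it in a fallback to plain text.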
The reason why old TLS protocols stick around for so long is that many people use operating systems and/or software that lacks support for current TLS protocols. All operating systems and applications that are maintained support TLS 1.2. However, if you run a deprecated version of Windows or macOS then you may run into TLS errors when trying to connect to a server.
Windows 7, 8, 8.1 and 10 all have support for TLS 1.2. Please note that Windows XP and Vista are not supported. Also, you may run into TLS issues if you use Outlook on Windows 7 (you might see the error “Your server does not support the connection encryption type you have specified”). If so, you can install Windows update KB3140245. Of course, Windows 7 is no longer supported by Microsoft – upgrading the operating system is a better option.
On OS X, TLS 1.2 has been supported since version 10.9 (“Mavericks”). If you use Mac Mail for your email then you need to use at least version 10.12 (“Sierra”). Thunderbird will work on 10.9.
Mavericks was released in 2013 and has been unsupported since 2016, while Sierra appeared on the stage in 2016 and was deprecated in 2019.
Any current Linux, Chrome OS or BSD operating system has support for TLS 1.2, as have email applications available in the repositories for these platforms.
Android has had support for TLS 1.2 since version 4.0 (“Ice Cream Sandwich”). This version was launched in 2011 and reached end-of-life in December 2018.
iOS 10 and later versions all have good support for TLS 1.2. This means that all maintained versions of the operating system will work without problems.