STARTTLS, SSL, and TLS are popular terms related to email security. People often wonder what they entail or confuse them with one another. This article is here to clear the air; it explains what lies behind each of these terms.
SSL
It is an abbreviation for Secure Sockets Layer, a cryptographic protocol that protects information as it’s being transmitted from one party to another. It uses cryptography to secure connections between servers. Regular applications, like email clients and browsers, also use it as an underlying technique to secure their communications.
The SSL connection starts with a “handshake” between the calling party, aka the client, and the computer that will process the request, aka the server. They first agree on the cryptographic algorithms they’ll use. The client creates a one-time session key that will protect the data exchange, encrypts that session key with the server’s public key, and sends it to the server. The server uses its own private key to decrypt the session key.
After that, all data exchanged between the two parties is encrypted with this unique session key, which is known to no one else. If a malicious actor intercepts the data in transit, they get it only in its encrypted form, and it is gibberish to them because they don’t have the key to decrypt it.
TLS
It is an abbreviation for Transport Layer Security, the successor to the SSL protocol. SSL was developed by Netscape, an American technology company, in 1995. It was effective at securing communications. However, it soon showed critical flaws that could not be easily fixed.
Transport Layer Security was introduced in 1999 to address the drawbacks of SSL. It was a joint initiative of several research organizations and was formally proposed by the Internet Engineering Task Force (IETF) as an upgraded version of the SSL protocol, built specifically to fix the latter’s shortcomings.
SSL has long been deprecated in favor of its successor. Whenever you hear people mention SSL today, they are actually referring to TLS; the older name has simply stuck because it is so familiar.
Following the first TLS version in 1999, three more were released in 2006, 2008, and 2018. Versions 1.2 and 1.3 are currently in use, while 1.0 and 1.1 were phased out in 2021.
StartTLS
StartTLS is not a security protocol, unlike the above. Instead, it’s a command used to switch from an insecure connection to a secure one based on TLS. Hence the name, “Start TLS.” This command is implemented in several different protocols, including the Simple Mail Transfer Protocol, or SMTP.
SMTP connections are unencrypted by default, which leaves the information flowing through them open to interception. StartTLS is the command a mail client sends to the mail server asking it to upgrade from the default insecure connection to one protected by TLS. This approach keeps compatibility with older systems that may not support TLS at all.
You can initiate a secure connection in two ways: implicit and explicit.
- Implicit: With this approach, the client initiates a secure connection right from the start. The connection is terminated if the server doesn’t support the TLS protocol.
- Explicit: This approach allows applications to choose between an encrypted and an unencrypted connection. The client starts with an unencrypted connection and issues a STARTTLS command asking the server to switch to a secure one. However, the connection proceeds unencrypted if the two parties do not agree on using TLS.
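The explicit path above, and the TLS version policy described in the TLS section, as an added example that is not part of the original article. The “server” is a scripted stand-in that replays constructed SMTP replies, so nothing touches the network; the hostnames (mail.example.test, client.example.test) and the function names are assumptions made for the illustration. The point worth noticing is the require_tls switch: with it off, the client behaves opportunistically and silently continues in the clear when STARTTLS is not offered, which is exactly the fallback the text describes; with it on, the client refuses to send anything unencrypted.

```python
"""Simulated SMTP client walking the explicit (STARTTLS) upgrade path.

Constructed example: ScriptedServer replays canned replies instead of
talking to a real mail server, so the script runs entirely offline.
"""
import ssl


def make_tls_context():
    """TLS settings a modern mail client would apply once the upgrade happens.

    Only TLS 1.2 and 1.3 are still in use (1.0 and 1.1 were phased out),
    so anything older is refused outright.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ScriptedServer:
    """Replays constructed SMTP replies for EHLO, STARTTLS and QUIT.

    advertise_starttls controls whether the EHLO response lists the
    STARTTLS extension, so both server behaviours can be exercised.
    """

    def __init__(self, advertise_starttls=True):
        self.advertise_starttls = advertise_starttls
        self.transcript = []  # every command the client sent, in order

    def send(self, line):
        self.transcript.append(line)
        cmd = line.split()[0].upper()
        if cmd == "EHLO":
            reply = ["250-mail.example.test Hello", "250-SIZE 35882577"]
            if self.advertise_starttls:
                reply.append("250-STARTTLS")
            reply.append("250 8BITMIME")
            return reply
        if cmd == "STARTTLS":
            if self.advertise_starttls:
                return ["220 Ready to start TLS"]
            return ["454 TLS not available due to temporary reason"]
        if cmd == "QUIT":
            return ["221 Bye"]
        return ["500 Command not recognized"]


def parse_ehlo(reply):
    """Return the set of extension keywords from a multi-line 250 reply.

    The first line carries the server greeting, not an extension, so it is
    skipped; each following line is "250-KEYWORD ..." or "250 KEYWORD ...".
    """
    for line in reply:
        if not line.startswith("250"):
            raise RuntimeError("EHLO rejected: " + line)
    extensions = set()
    for line in reply[1:]:
        keyword = line[4:].split()[0].upper()
        extensions.add(keyword)
    return extensions


def explicit_tls_session(server, require_tls):
    """Plaintext EHLO first, then STARTTLS if the server offers it.

    Returns (encrypted, transcript). With require_tls=False the session
    continues unencrypted whenever TLS is not agreed; with require_tls=True
    the client quits instead of sending anything in the clear.
    """
    extensions = parse_ehlo(server.send("EHLO client.example.test"))
    if "STARTTLS" not in extensions:
        if require_tls:
            server.send("QUIT")
            raise RuntimeError("server does not offer STARTTLS; refusing to continue unencrypted")
        return False, list(server.transcript)

    reply = server.send("STARTTLS")
    if not reply[0].startswith("220"):
        if require_tls:
            server.send("QUIT")
            raise RuntimeError("STARTTLS refused: " + reply[0])
        return False, list(server.transcript)

    # A real client would now wrap its socket with make_tls_context(), e.g.
    #   tls_sock = make_tls_context().wrap_socket(sock, server_hostname="mail.example.test")
    # and re-issue EHLO over the encrypted channel. Here we only record the state.
    return True, list(server.transcript)


if __name__ == "__main__":
    print("server with STARTTLS:", explicit_tls_session(ScriptedServer(True), require_tls=True))
    print("server without STARTTLS, opportunistic:",
          explicit_tls_session(ScriptedServer(False), require_tls=False))
```

The implicit variant is the other half of the story: there the client wraps the socket with the same context before a single SMTP byte is exchanged, so no EHLO or STARTTLS negotiation in plaintext ever takes place, and a server that cannot complete the TLS handshake simply never gets a session.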
Conclusion
We have explained what you need to know about StartTLS vs. SSL/TLS. To sum it all up, SSL and TLS are security protocols, while StartTLS is the command that upgrades an existing connection to a secure one. At this point, you should understand the differences well enough to explain them to someone else.