SSL, TLS, and STARTTLS are considered as standard protocols which are used to secure email transmissions. We are often confused around the differences of these abbreviations. In this post, we will get into an in-depth discussion to understand the origin of them.
The abbreviation of SSL is Secure Socket Layer. It provides a way to create a secure communication channel between two machines (e.g., a client and a server). SSL is a depreciated protocol, due to security issues, with two versions SSL v2 and v3. TLS is the successor to SSL with security improvements.
TLS stands for the Transport Layer Security protocol. It was born to take over from SSL. Today we have three official versions of TLS: 1.0, 1.1 and 1.2. The proposed version 1.3 is not yet approved. Our networking components, including FTP, SFTP, Mail, and Bounce Inspector fully support the latest version 1.2. That version is strongly recommended when connecting to an SSL/TLS server.
STARTTLS is mainly used to upgrade an unsecured connection to a secured one using SSL or TSL. After a STARTTLS command, all further communication is encoded between the two machines. It means that the username and password are still sent to the server in plain text without encryption. That issue is discussed in “Issue with STARTTLS” section below.
Technically to some extent, they both are similar to each other individually in providing a communication channel between two servers like a computer and a server. They both provide encoded and secured data to the servers and application that is exchanged over the network. However, TSL is the successor to the SSL. Universally, we call them SSL/TLS nowadays instead of just SSL or TLS.
As mentioned above, TLS is the next version of SSL. They are used interchangeably. STARTTLS, on the other hand, is used to upgrade an existing insecure connection to a secure connection using TLS/SSL.
STARTTLS was created to address the problem that each IMAP, POP3, SMTP, and FTP protocol has 2 or ports: one for insecure communication and others for SSL/TLS. Below is the list of protocols and the corresponding ports:
Having a single port for insecure connections and secured ones pose several issues. One of them is that when a client software sees “login disabled until upgraded” announcement, it just ignores the message and continues using the insecure connection. Or it returns a login failure message to the user, which confuses him or her.
Nowadays, many SSL/TLS servers only allow the secure ports, forcing all connections to be secured using TLS 1.2. That eliminates confusion and compatibility issues when using STARTTLS.