The terms SSL, TLS, and STARTTLS are often used in relation to securing a connection, but not everyone knows what these mean. This article should help provide some basic information about each term.
SSL stands for “Secure Sockets Layer”, and utilized SSL certificates to help identify the server you are connecting to and start encryption. This was one of the recommended protocols used by services that required encryption until 2015. In 2015, the latest version of the SSL protocol (SSL v3.0) was considered insecure due to a flaw that could allow secret information to be read (called the POODLE attack). Because of this, no versions of the SSL encryption protocols have been enabled by default since cPanel 11.46.
Although the protocols specifically defined as SSL are no longer in general use, the term “SSL” can still be used to refer to a secured connection that uses either the SSL or TLS protocols.
TLS stands for “Transport Layer Security” and is the successor for the SSL protocol. As the successor, it is still compatible with SSL certificates. TLS has several similarities with SSL, but it had enough internal differences that the protocol was given its own name instead of SSL v4. With this change, the developers also switched the way versioning was done and only change the minor version with each new release.
Version 1.0 of TLS is also considered insecure at this time (due to the BEAST exploit) and should be avoided if possible. As of cPanel 68, we enable only TLS 1.2 by default. This helps ensure a secure connection to the server and its services. TLS 1.3 has been proposed, and future secured connections will likely continue to utilize newer versions of the TLS protocol.
Unlike the previous items, STARTTLS is not a protocol, but rather a command recognized by other protocols (like SMTP, IMAP, and POP3 for example). This command is used to take an existing non-encrypted connection and encrypt it without requiring a separate secure port. This can use any encryption protocol that is enabled on the server, and it is not necessarily limited to TLS.
Connecting to a service implicitly encrypted by SSL or TLS is done using a separate port. For example, port 465 is used for encrypted SMTP connections and port 993 is used for encrypted IMAP connections. When the initial connection is made, the server itself and the connecting client negotiate on which encryption protocol and version to use. Once the negotiation is complete, all data exchanged between the server and client is encrypted using the agreed upon format.
Connecting to a non-encrypted service also uses its own defined port. For example, port 25 is used for non-encrypted SMTP connections and port 143 is used for non-encrypted IMAP connections. This connection is sent via plain text to the service, and thus considered insecure. It is possible, however, to upgrade this connection to a secure one using the STARTTLS command. Once the command is called by the connecting client, the same negotiation regarding the protocols takes place between the client and server. Upon successful negotiation, the data between the server and client is encrypted. This connection will continue to utilize the standard port, and does not force a change to the SSL port.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both encryption protocols used for encrypting the data between services. All versions of SSL have been deprecated and are considered insecure at this time. TLS is the newer protocol, and (at the time of writing) we would recommend using TLS 1.2 on your production servers. STARTTLS is a command used to upgrade an existing standard (non-encrypted) connection into an encrypted one. This allows for secure connections over the non-encrypted port for a service.