The name confusion, cleared up
SSL and TLS are the same idea, one generation apart. SSL came first. It was replaced by TLS, and every version of SSL is long dead and unsafe.
The name stuck anyway. Hosts sell "SSL certificates", control panels have an "SSL" tab, and everyone says "we need SSL". Nobody is going to win the argument, and it does not really matter. Just know that when someone says SSL today, the software doing the work is TLS.
The split is simple. The certificate is the file that proves identity. TLS is the protocol that does the encrypting. HTTPS is what you get when a normal web page is sent over TLS.
What TLS does
Three jobs, all at once.
- →Privacy. Nobody sitting between you and the site can read what is sent. Not the coffee shop wifi, not the network operator.
- →Integrity. Nobody can quietly change what is sent. If it is tampered with, the connection breaks rather than delivering something altered.
- →Identity. The server proves it holds the private key for the certificate it presented, so you know you are talking to the right server and not something pretending.
The handshake, without the maths
Before any real data moves, the browser and the server have a short conversation. It happens in a fraction of a second.
The browser says hello and lists which versions and ciphers it can speak. The server picks one, and sends back its certificate. The browser checks that certificate: is it signed by an authority we trust, is it for this exact domain, has it expired. If the certificate fails, everything stops right there and the visitor sees a warning.
If it passes, the two sides agree on a shared secret key that only they know, and switch to using it. Everything after that point is encrypted. That is the whole handshake. The clever part is that they can agree on a secret in public without anyone listening being able to work it out, and you do not need to know how for any practical decision.
Versions: which ones are fine
This is the part that shows up on security scans.
- →TLS 1.3 is the current version. Faster handshake, fewer options, nothing weak left in it.
- →TLS 1.2 is still fine and still very widely used. Between them, 1.2 and 1.3 are what a healthy site serves.
- →TLS 1.0 and TLS 1.1 are obsolete. Browsers stopped trusting them. A site still offering them is behind and should turn them off.
- →Any version of SSL is dead. If something is genuinely still serving SSLv3, that is a problem to fix today, not a preference.
What TLS does not do
Worth saying, because it gets oversold.
TLS protects the pipe. It says nothing whatsoever about who is on the other end of it or whether they are honest. A scam site running TLS 1.3 with a valid certificate is still a scam site, and it will still show a padlock. Encryption is about keeping the message private in transit, not about vouching for the business sending it.
If you are trying to work out whether a shop is trustworthy, the padlock is not the thing to look at. This guide covers what actually helps.
If you run the site
On a hosted platform you have nothing to do. Shopify, Wix, Squarespace, BigCommerce and Webflow all keep TLS current for you, and you cannot make it worse by accident.
On your own server it is worth checking. Turn off TLS 1.0 and 1.1, keep 1.2 and 1.3 on, and let your host update the underlying software. You can see what your site currently offers with a free check.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to fix SSL on your platform