Every security checklist asks whether your app uses "SSL or TLS encryption." The answer is always TLS. SSL has not been safe to deploy for over a decade: SSL 3.0 was broken by POODLE in 2014 and formally retired in 2015. But the question keeps getting asked because the two terms are used interchangeably everywhere, including in the name "SSL certificate" for certificates that are actually used with TLS.
Here is what each term means, which versions are secure in 2026, and the two-minute check to verify your app is using the right one.
TL;DR
SSL is the deprecated predecessor to TLS. SSL 3.0 was retired in RFC 7568 (June 2015) after the POODLE attack showed it was exploitable. TLS 1.3 (RFC 8446, August 2018) is the current standard. When a security audit asks about "SSL or TLS encryption," the correct answer is TLS 1.2 or TLS 1.3 on every connection, with every version of SSL and TLS 1.0/1.1 disabled.
TLS (Transport Layer Security): The cryptographic protocol that authenticates a server (and optionally a client) and encrypts the connection between a client (browser or app) and that server. TLS 1.0 (RFC 2246) replaced SSL 3.0 in 1999, and TLS is what actually runs behind HTTPS today.
SSL (Secure Sockets Layer): The original protocol, developed by Netscape between 1994 and 1996 (SSL 1.0 was never released; SSL 2.0 shipped in 1995 and SSL 3.0 in 1996). Every version is deprecated: SSLv2 and SSLv3 are cryptographically broken, and TLS is the replacement.
Why the Names Are Confusing
The industry kept calling certificates "SSL certificates" even after TLS took over. Vendors still sell "SSL certificates." Hosting dashboards label the setting "SSL." The protocol is TLS; the name is a legacy artifact.
When you see "SSL/TLS" in a doc, it means TLS. When you see "SSL certificate," it means an X.509 certificate used with TLS; the certificate format is the same whichever protocol carries it. No correctly configured modern server accepts an SSL handshake.
The Version Timeline
| Version | Year | Status |
|---|---|---|
| SSL 2.0 | 1995 | Broken (RFC 6176, 2011) |
| SSL 3.0 | 1996 | Deprecated (RFC 7568, 2015) after POODLE attack |
| TLS 1.0 | 1999 | Deprecated (RFC 8996, 2021) |
| TLS 1.1 | 2006 | Deprecated (RFC 8996, 2021) |
| TLS 1.2 | 2008 | Acceptable minimum |
| TLS 1.3 | 2018 | Recommended |
The POODLE attack (October 2014) was the practical end for SSL 3.0. An attacker on the network path who could force a client to fall back to SSL 3.0 and trigger repeated requests (for example from injected JavaScript) could exploit SSL 3.0's unchecked CBC padding to recover secrets such as session cookies one byte at a time. Google, Mozilla, and Microsoft disabled SSL 3.0 in their browsers over the following months, RFC 7507 added the TLS_FALLBACK_SCSV signal so servers can reject such downgrades, and the IETF formalized the retirement in RFC 7568 in June 2015.
TLS 1.0 and 1.1 followed in RFC 8996 (March 2021). PCI DSS had moved earlier: v3.1 (2015) ruled that SSL and early TLS no longer count as strong cryptography, and v3.2 set 30 June 2018 as the deadline for migrating card-handling environments off them.
What TLS Actually Does
A TLS connection starts with a handshake. The client and server:
- Agree on a TLS version and cipher suite (the client offers, the server picks)
- Authenticate: the server presents its certificate chain and proves it holds the matching private key; client certificates are optional and rare on the public web
- Derive session keys through a key exchange (ephemeral Diffie-Hellman in TLS 1.3; TLS 1.2 also allowed RSA key transport, which has no forward secrecy)
- Switch to symmetric authenticated encryption for the rest of the session
TLS 1.3 simplified this to a one-round-trip handshake (down from two in TLS 1.2) and removed the weak constructions: static RSA and DH key exchange, CBC-mode ciphers, RC4, 3DES and SHA-1 MACs are gone, leaving only AEAD suites with forward secrecy. That means fewer knobs to misconfigure and faster connections.
Why TLS 1.3 is faster: the handshake completes in one round trip instead of two, so on a connection with a 50 ms round-trip time every fresh TLS session saves 50 ms. Resumed sessions can send application data in zero round trips (0-RTT mode). The caveat: 0-RTT data can be replayed by anyone who captured it, so a server should accept it only for requests that are safe to repeat, or disable 0-RTT entirely (RFC 8446, Section 8).
How to Check Your App
Quick terminal check:
```bash
# What does the server negotiate? --tlsv1.3 sets the lowest version curl will offer
curl -v --tlsv1.3 https://your-domain.com 2>&1 | grep "SSL connection"
# Look for: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 ...

# Are old versions refused? --tls-max 1.1 caps what curl offers, so this should fail
curl -v --tls-max 1.1 https://your-domain.com 2>&1 | grep -iE "alert|protocol"
# Look for: a "protocol version" (or "handshake failure") alert sent by the server
```
One caveat: a curl built against a current OpenSSL often refuses to offer TLS 1.1 itself and fails with a local "unsupported protocol" or "no protocols available" error before anything reaches the server. That error proves nothing about the server, so treat it as inconclusive and confirm with a scanner.
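Here is a small probe script, an added example that is not part of the original article, that does what the curl commands above do for every version at once and also pulls out the negotiated cipher suite that the handshake section describes. It assumes an openssl binary on the PATH; the sample outputs are constructed (abridged s_client transcripts), and the message patterns it matches are a heuristic over OpenSSL's human-readable output, not a documented format.

```bash
#!/usr/bin/env sh
# Added example (not part of the original article): probe a host for each TLS
# version with `openssl s_client` and classify the result. The important
# distinction is "the server refused this version" versus "my own client would
# not even offer it": OpenSSL 3 at its default security level declines TLS 1.0
# and 1.1 locally, and that failure proves nothing about the server.

# classify_probe OUTPUT -> accepted | rejected_by_server | client_refused | unknown
# Patterns are OpenSSL s_client messages as printed by 1.0.x/1.1.x/3.x builds
# (heuristic, assumed stable enough for an audit script).
classify_probe() {
  out="$1"
  if printf '%s\n' "$out" | grep -qE '^New, (TLSv1\.[0-3]|TLSv1/SSLv3), Cipher is [A-Z0-9_-]+$'; then
    echo accepted
  elif printf '%s\n' "$out" | grep -qiE 'alert (protocol version|handshake failure)'; then
    echo rejected_by_server   # the server answered the ClientHello with a TLS alert
  elif printf '%s\n' "$out" | grep -qiE 'no protocols available|unsupported protocol'; then
    echo client_refused       # local OpenSSL policy; says nothing about the server
  else
    echo unknown
  fi
}

# negotiated_suite OUTPUT -> cipher suite of a successful handshake, or empty
negotiated_suite() {
  printf '%s\n' "$1" | sed -nE 's/^New, [^,]+, Cipher is ([A-Z0-9_-]+)$/\1/p' | head -n 1
}

# probe_host HOST [PORT] -> one line per version: "<version> <verdict> <cipher suite>"
probe_host() {
  host="$1"; port="${2:-443}"
  for flag in tls1 tls1_1 tls1_2 tls1_3; do
    case "$flag" in
      tls1)   ver=TLSv1.0 ;;
      tls1_1) ver=TLSv1.1 ;;
      tls1_2) ver=TLSv1.2 ;;
      tls1_3) ver=TLSv1.3 ;;
    esac
    # -tls1_x pins both the minimum and maximum version offered; </dev/null makes
    # s_client exit right after the handshake; alerts and errors go to stderr.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$flag" </dev/null 2>&1)
    printf '%-8s %-20s %s\n' "$ver" "$(classify_probe "$out")" "$(negotiated_suite "$out")"
  done
}

# Constructed, abridged s_client outputs for running the classifier offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'

SAMPLE_SERVER_REJECT='CONNECTED(00000003)
error:<code>:SSL routines::tlsv1 alert protocol version:<file>:<line>:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_CLIENT_REFUSED='CONNECTED(00000003)
error:<code>:SSL routines::no protocols available:<file>:<line>:'

classify_probe "$SAMPLE_ACCEPTED"        # -> accepted
classify_probe "$SAMPLE_SERVER_REJECT"   # -> rejected_by_server
classify_probe "$SAMPLE_CLIENT_REFUSED"  # -> client_refused
if [ "$#" -gt 0 ]; then probe_host "$@"; fi
```

Run it as sh probe-tls.sh your-domain.com. A client_refused row means your local OpenSSL would not offer that version; re-test from a client that still speaks it, or rely on a scanner such as SSL Labs or testssl.sh, before concluding that the server is hardened.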
Free online scanner: SSL Labs at ssllabs.com/ssltest gives a full report including which TLS versions are enabled, certificate expiry, and cipher suite grades.
Automated scanning: CheckYourVibe checks TLS configuration as part of its security scan. A finding labeled "Weak TLS version supported" means TLS 1.0 or 1.1 is still enabled on your server.
What Security Audits Are Actually Asking
When PCI DSS, SOC 2, or an enterprise customer asks about "use of SSL or TLS encryption," they are checking two things:
- All traffic is encrypted in transit. No plain HTTP endpoints for anything that handles user data.
- The version is TLS 1.2 or higher. PCI DSS v4.0 (Requirement 4.2.1) requires strong cryptography and secure protocols for cardholder data in transit; the PCI SSC does not consider SSL or early TLS to meet that bar, and assessors expect TLS 1.2 or higher.
The typical finding in a failing audit is not that TLS is absent. Most hosting platforms enable it by default. The issue is that TLS 1.0 or 1.1 was never disabled after newer versions were deployed.
If you built your app on a managed platform (Vercel, Render, Railway, Supabase), TLS 1.2 and 1.3 are usually on and the old versions off by default, but verify rather than assume. If you configured your own Nginx or you run an older server, check explicitly: nginx's built-in default for ssl_protocols included TLSv1 and TLSv1.1 until nginx 1.23.4 (2023), and default configurations from 2019 or earlier commonly left them enabled.
Disabling Old TLS Versions
Nginx:
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```
Put it in the http block so every server block inherits it, and check any server block that sets its own ssl_protocols, because a per-vhost directive overrides the http-level one. Then run nginx -t and reload.
AWS ALB: use the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy (or a newer TLS 1.3 policy). CloudFront: set the viewer security policy (minimum protocol version) to TLSv1.2_2021 rather than the legacy TLSv1 or TLSv1_2016 policies.
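Because the directive is inherited and can be overridden per server block, a single old vhost can undo a hardened http-level line. The following audit script is an added example, not part of the original article or of nginx; it scans configuration text for ssl_protocols directives that still name SSLv2, SSLv3, TLSv1 or TLSv1.1 and flags a config that has no directive at all. It assumes standard nginx syntax (semicolon-terminated directives, hash comments), and the sample configs are constructed.

```bash
#!/usr/bin/env sh
# Added example (not part of the original article): audit nginx configuration
# text for ssl_protocols directives that still allow SSLv3, TLSv1 or TLSv1.1.
# Assumptions: standard nginx syntax (';'-terminated directives, '#' comments).
# ssl_protocols set in the http block is inherited by every server block that
# does not set its own, so one legacy vhost can re-enable TLS 1.0/1.1 under a
# hardened http-level line, and a config with no directive at all gets the
# nginx build default, which included TLSv1 and TLSv1.1 before nginx 1.23.4.

# Strip comments and trailing whitespace so the patterns see only live directives
_live_lines() {
  printf '%s\n' "$1" | sed -e 's/#.*$//' -e 's/[[:space:]]*$//'
}

# ssl_protocols_count CONFIG -> number of ssl_protocols directives in any context
ssl_protocols_count() {
  _live_lines "$1" | grep -cE '^[[:space:]]*ssl_protocols[[:space:]]' || true
}

# weak_ssl_protocols CONFIG -> "<line>:<directive>" for each directive naming a
# legacy version; empty when none. "TLSv1" is matched as a whole token followed
# by a space or ';', so TLSv1.2 and TLSv1.3 do not trigger it.
weak_ssl_protocols() {
  _live_lines "$1" \
    | grep -nE '^[[:space:]]*ssl_protocols[[:space:]]' \
    | grep -E '[[:space:]](SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]' || true
}

# audit_nginx_config CONFIG -> prints a verdict; returns 0 only when hardened
audit_nginx_config() {
  cfg="$1"
  count=$(ssl_protocols_count "$cfg")
  weak=$(weak_ssl_protocols "$cfg")
  if [ "$count" -eq 0 ]; then
    echo "FAIL: no ssl_protocols directive; the build default applies (TLSv1/TLSv1.1 enabled before nginx 1.23.4)"
    return 1
  elif [ -n "$weak" ]; then
    printf 'FAIL: legacy protocol versions enabled:\n%s\n' "$weak"
    return 1
  fi
  echo "OK: all $count ssl_protocols directive(s) allow only TLSv1.2/TLSv1.3"
}

# Constructed sample configs.
SAMPLE_HARDENED='http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        listen 443 ssl;
        server_name app.example.com;
    }
}'

SAMPLE_OVERRIDDEN='http {
    ssl_protocols TLSv1.2 TLSv1.3;           # fine at the top level ...
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ... but this vhost overrides it
    }
}'

SAMPLE_MISSING='http {
    server {
        listen 443 ssl;
    }
}'

for cfg in "$SAMPLE_HARDENED" "$SAMPLE_OVERRIDDEN" "$SAMPLE_MISSING"; do
  audit_nginx_config "$cfg" || true   # demo run; the two FAIL cases exit non-zero by design
done
```

To audit a live install, feed it the fully expanded configuration so included files are covered: audit_nginx_config "$(nginx -T 2>/dev/null)". The script inspects text only; the probe against the listening port is still the final word.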
Node.js (if you terminate TLS in code):
```javascript
const tls = require("tls");
const server = tls.createServer({
  // Node 12+ already defaults to TLSv1.2, but set it explicitly: the
  // --tls-min-v1.0 CLI flag can lower the process-wide default.
  minVersion: "TLSv1.2",
  // ... key, cert and the rest of the options
});
```
What is the difference between TLS and SSL?
SSL (Secure Sockets Layer) was the original encryption protocol for web traffic, developed by Netscape in the mid-1990s. TLS (Transport Layer Security) replaced it starting with TLS 1.0 in 1999. TLS 1.0 began as a modest revision of SSL 3.0 (standardized HMAC and a new key-derivation function), and later versions removed the weak constructions that attacks such as POODLE exploited. The shape of the protocol is the same: a handshake that authenticates the server and establishes an encrypted channel. SSL 3.0 was formally deprecated by the IETF in RFC 7568 (2015).
Is SSL still used in 2026?
No. SSL 3.0 was deprecated in 2015 after the POODLE vulnerability showed it could be exploited to decrypt HTTPS sessions. TLS 1.0 and TLS 1.1 were deprecated in RFC 8996 in 2021. Modern servers run TLS 1.2 (minimum) or TLS 1.3. When people say "SSL certificate" today, they mean a TLS certificate. The name stuck even though the protocol changed.
What does 'use of SSL or TLS encryption' mean in a security audit?
Security audits and compliance frameworks (PCI DSS, SOC 2, HIPAA) ask whether your app encrypts data in transit. The question means: verify that all connections use TLS 1.2 or higher. TLS 1.0, TLS 1.1, and any SSL version are unacceptable answers.
How do I check which TLS version my app uses?
Run curl -v --tlsv1.2 https://your-domain.com and read the "SSL connection using ..." line for the negotiated version; --tlsv1.2 is a minimum, so a server that supports TLS 1.3 will show TLSv1.3. SSL Labs (ssllabs.com/ssltest) gives a full report for free. CheckYourVibe scans your live app and flags TLS versions below 1.2 as a configuration finding.
What TLS version should I use in 2026?
TLS 1.3 is preferred: fastest handshake, fewer cipher options that can be misconfigured. TLS 1.2 is an acceptable minimum. TLS 1.0 and 1.1 must be disabled: major browsers, PCI DSS v4.0, and most enterprise security reviews reject them.
Is your app using TLS 1.2 or higher?
CheckYourVibe checks TLS configuration, expired certificates, and insecure cipher suites in one scan.