
What are the differences between SSL/TLS vs STARTTLS?

The terms SSL, TLS, and STARTTLS are often confused. This article will discuss the differences between them to make these concepts clear.

SSL/TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both strong encryption protocols that provide security for communication over a network, such as the Internet.

These protocols are used daily in a multitude of applications, such as browsing the World Wide Web, email, file transfer, instant messaging, teleconferencing, VoIP, etc. TLS is the continuation of the SSL protocol.

SSL and TLS version numbers from oldest to newest are: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3.

As you may already know, the versions currently supported by our infrastructure are TLS v1.2 & v1.3. The remaining versions have been deprecated due to known vulnerabilities.

STARTTLS

STARTTLS differs from SSL and TLS in that it is not a communication protocol. It is a protocol command used to inform the email server that the email client wants to upgrade the connection from a non-secure to a secure connection, using the SSL or TLS protocol.

More specifically, in the past, before encrypted communication over secure ports (e.g. 587, 465, 995, 993) was established, many connections between a client and a server were made insecurely, using default ports such as 25, 143 & 110. This posed a risk of interception and alteration of data and important information. STARTTLS was introduced to reduce this risk by turning an insecure connection into a secure one, using either SSL or TLS.

In other words, STARTTLS uses ports 25, 143 & 110, but in an encrypted way. It works like this: the initial connection is made without encryption, and the client sending the email then asks the server whether it supports an encrypted method. If the server supports one, communication between them continues with encryption. If the server does not support an encrypted method, the connection is not upgraded and reverts to the original, insecure communication (which is not recommended for security and privacy reasons). We recommend that this first communication always be secured, because information such as the username & password is sent that should not be intercepted.

Let's give an example. During SMTP communication, if communication takes place on port 587 the connection is secure, which is ideal. If the connection is made on port 25, the connection is insecure, but by using STARTTLS, it is possible to send STARTTLS commands and upgrade to a secure connection.
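
The fallback to an unencrypted connection described above is the case a mail client should refuse. The following Python sketch is an added example, not code from this article or its provider: it parses an EHLO reply and aborts instead of sending credentials when STARTTLS is not offered. The sample replies and the host name `mail.example.test` are constructed, and the function names are illustrative.

```python
import smtplib
import ssl

# Constructed EHLO replies (sample data, not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def ehlo_extensions(reply: str) -> set:
    """Return the extension keywords advertised in a multi-line EHLO reply."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # the first line is the server greeting
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ") or not rest.strip():
            continue
        keywords.add(rest.split()[0].upper())
    return keywords


def next_step(reply: str) -> str:
    """Fail closed: upgrade if STARTTLS is offered, otherwise abort."""
    return "STARTTLS" if "STARTTLS" in ehlo_extensions(reply) else "ABORT"


def login_over_starttls(host, port, user, password):
    """Log in only after a successful, certificate-verified upgrade."""
    context = ssl.create_default_context()  # verifies certificate and hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; not sending credentials")
        smtp.starttls(context=context)  # raises if the upgrade is refused
        smtp.ehlo()  # capabilities must be re-read on the encrypted channel
        smtp.login(user, password)
```

`next_step` works on reply text alone and runs offline; `login_over_starttls` applies the same rule to a live connection using the standard `smtplib` calls.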

