TLS and SSL certificates
TLS certificates secure HTTPS and other protocols; SSL is the older name for the same family of technology. This guide covers what certificates are, how TLS differs from SSL in practice, and how teams use them in investigations.
What are TLS and SSL certificates?
A TLS certificate binds a public key to one or more domain names, enabling encrypted communication over HTTPS and other protocols. TLS (Transport Layer Security) is the current protocol family; SSL (Secure Sockets Layer) refers to older, deprecated versions. In everyday speech people still say "SSL certificate," but the certificates in use today are for TLS. Modern clients and servers negotiate TLS 1.2 or TLS 1.3. Treat "SSL certificate" as a synonym for "TLS certificate" in vendor and UI copy, but prefer TLS in technical documentation and policy.
TLS 1.0 and 1.1 are deprecated and should not be used. Major browsers dropped support for both versions, and the Payment Card Industry Data Security Standard (PCI DSS) and other compliance frameworks require TLS 1.2 as the minimum. Servers that still offer TLS 1.0/1.1 are vulnerable to known attacks (BEAST, POODLE) and will fail modern security audits.
Why certificates matter for security
Teams care about TLS certificates because mis-issuance, expiry, or unexpected hostnames often surface abuse before other signals do. Attackers reuse automation to obtain certificates for lookalike domains, and a new certificate on a suspicious domain is a strong signal that the domain is about to be operationalized for phishing or credential harvesting. Adversary-in-the-middle (AiTM) phishing frameworks such as Evilginx automate Let's Encrypt certificate provisioning for attacker-controlled domains, which makes Certificate Transparency (CT) log monitoring especially relevant for detecting AiTM infrastructure before the first phishing email is sent. When stakeholders disagree on what a certificate proves, detection and response slow down.
How TLS certificates work
At a high level, a TLS certificate binds a public key to one or more names, listed in the Subject Alternative Name (SAN) extension. Clients verify a certificate by building a chain from the leaf certificate through any intermediates to a trusted root CA. During validation, clients check that the requested name matches a SAN entry, that the current time falls within the validity period, and, where applicable, that the certificate has not been revoked.
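The Go program below is an added example, not code from the original guide. It builds a throwaway root, intermediate and leaf certificate in memory with the standard library's crypto/x509 and then runs the client-side checks the paragraph describes: chain building through the intermediate to a trusted root, SAN name matching, and the validity period. The CA names, the example.com hostnames and the four scenarios are constructed for the example; revocation checking is left out because it needs network access to CRL or OCSP endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// entity pairs a certificate with the private key that signs for it.
type entity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var serial int64 // increasing serial number for the fixture certificates

// template fills in only the fields that matter for validation; DNSNames become the SAN entries.
func template(cn string, names []string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	serial++
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: names,
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: ku,
	}
}

// mustIssue creates a fresh key for tmpl and has parent sign it (self-signed when parent is nil).
// The chain is a fixture, so a failure here is a bug in the example and panicking is appropriate.
func mustIssue(tmpl *x509.Certificate, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{key: key, cert: cert}
}

// verify does what a TLS client does: anchor at the trusted root, use the supplied intermediate
// (nil simulates a server that did not send it) to build a path to the leaf, require hostname to
// match a SAN entry, and check the validity period at time at. It returns a short label.
func verify(leaf, intermediate, root *x509.Certificate, hostname string, at time.Time) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if intermediate != nil {
		inters.AddCert(intermediate)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname, CurrentTime: at})
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "name-mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown):
		return "untrusted-chain"
	}
	return "other: " + err.Error()
}

// Demo builds root -> intermediate -> leaf for example.com (constructed, not a real CA) and
// runs four validation scenarios against the same leaf.
func Demo() map[string]string {
	now := time.Now()
	root := mustIssue(template("Example Root CA", nil, true, now.Add(-time.Hour), now.Add(24*time.Hour)), nil)
	inter := mustIssue(template("Example Intermediate CA", nil, true, now.Add(-time.Hour), now.Add(24*time.Hour)), root)
	leaf := mustIssue(template("www.example.com", []string{"www.example.com", "example.com"}, false, now.Add(-time.Hour), now.Add(time.Hour)), inter)
	return map[string]string{
		"valid":                verify(leaf.cert, inter.cert, root.cert, "www.example.com", now),
		"wrong-name":           verify(leaf.cert, inter.cert, root.cert, "login.example.com", now),
		"missing-intermediate": verify(leaf.cert, nil, root.cert, "www.example.com", now),
		"expired":              verify(leaf.cert, inter.cert, root.cert, "www.example.com", now.Add(3*time.Hour)),
	}
}

func main() {
	for scenario, outcome := range Demo() {
		fmt.Printf("%-22s %s\n", scenario, outcome)
	}
}
```

The "missing-intermediate" scenario is the one operators hit most often in practice: the leaf is perfectly valid, but a server that does not send its intermediate leaves clients without a path to the root, which Go reports as an unknown authority rather than a bad certificate.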
Certificate issuance is logged through Certificate Transparency, making it possible to detect new certificates for typosquatting or brand-impersonating domains shortly after they are issued. Practitioners correlate certificate issuance with DNS records, registration data, and CT logs when investigating domains.
Certificate validation levels
CAs issue certificates at three validation levels:
- Domain Validation (DV). The CA verifies the applicant controls the domain. Fast and automated; used by Let's Encrypt and similar services. DV certificates are the most common type used by attackers because they require no identity verification.
- Organization Validation (OV). The CA verifies the organization's identity in addition to domain control. Provides more assurance but is not visually distinguished in most browsers.
- Extended Validation (EV). The most rigorous verification, including legal entity checks. Historically displayed a green bar in browsers, though most browsers have removed this visual indicator.
A DV certificate on a lookalike domain does not indicate that the operator is trustworthy; it only proves that they controlled the domain at issuance time.
Detection, monitoring, and prevention
Operational coverage usually blends Certificate Transparency monitoring, internal TLS inventory, and periodic audits. For domain-centric risk, surfacing new certificates that match your brand or suppliers is a strong baseline. Layer passive DNS and safe web checks when judging live content. Ensure email authentication mechanisms like DKIM are also configured to protect your domain's identity across channels.
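As an added example, not part of the original guide, the Go program below sketches the CT-monitoring triage described in this section and in the "How TLS certificates work" and "Certificate validation levels" sections: every SAN name from a logged certificate is checked against the monitored brand for brand-in-name matches, one- or two-character lookalikes, and digit-for-letter homoglyphs, and a hit from an automated DV issuer is tagged because such a certificate proves only domain control. The log entries, the brand "examplebank", the owned-domain allowlist and the automatedDV issuer list are constructed assumptions, and the registrable-domain split is a two-label simplification of what a real monitor would do with the Public Suffix List.

```go
package main

import (
	"fmt"
	"strings"
)

// CTEntry holds the fields a CT log monitor keeps from each logged certificate.
type CTEntry struct {
	Issuer   string   // issuer organization as recorded in the log
	DNSNames []string // Subject Alternative Name entries
}

// automatedDV lists issuers whose DV issuance is fully automated (assumption for this example).
var automatedDV = map[string]bool{"Let's Encrypt": true}

// homoglyphs collapses common digit-for-letter substitutions so "examp1ebank" normalizes to "examplebank".
var homoglyphs = strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s", "rn", "m", "vv", "w")

// registrable approximates the registrable domain and its left label from the last two labels
// (a simplification; real monitors use the Public Suffix List).
func registrable(name string) (label, domain string) {
	name = strings.ToLower(strings.TrimPrefix(name, "*."))
	parts := strings.Split(name, ".")
	if len(parts) < 2 {
		return name, name
	}
	return parts[len(parts)-2], strings.Join(parts[len(parts)-2:], ".")
}

// levenshtein returns the edit distance between a and b (insert, delete, substitute all cost 1).
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cur[j] = prev[j-1] // match or substitution
			if a[i-1] != b[j-1] {
				cur[j]++
			}
			if prev[j]+1 < cur[j] { // deletion
				cur[j] = prev[j] + 1
			}
			if cur[j-1]+1 < cur[j] { // insertion
				cur[j] = cur[j-1] + 1
			}
		}
		prev = cur
	}
	return prev[len(b)]
}

// Reasons explains why one SAN name is suspicious for brand; nil means it is not. Names whose
// registrable domain is in owned belong to the brand and are never flagged.
func Reasons(name, issuer, brand string, owned map[string]bool) []string {
	label, domain := registrable(name)
	if owned[domain] {
		return nil
	}
	var reasons []string
	if strings.Contains(label, brand) {
		reasons = append(reasons, "brand-in-name") // e.g. examplebank-login.net
	}
	if d := levenshtein(label, brand); d > 0 && d <= 2 {
		reasons = append(reasons, "lookalike") // one or two character typos or swaps
	}
	if label != brand && homoglyphs.Replace(label) == brand {
		reasons = append(reasons, "homoglyph")
	}
	if len(reasons) > 0 && automatedDV[issuer] {
		reasons = append(reasons, "dv-issuer") // automated DV adds no identity assurance
	}
	return reasons
}

// Triage runs Reasons over every SAN entry of every logged certificate.
func Triage(entries []CTEntry, brand string, owned map[string]bool) map[string][]string {
	out := map[string][]string{}
	for _, e := range entries {
		for _, n := range e.DNSNames {
			if r := Reasons(n, e.Issuer, brand, owned); len(r) > 0 {
				out[n] = r
			}
		}
	}
	return out
}

// sampleEntries is constructed data standing in for CT log records; none are real certificates.
var sampleEntries = []CTEntry{
	{Issuer: "Example Corp CA", DNSNames: []string{"examplebank.com", "*.examplebank.com"}},
	{Issuer: "Let's Encrypt", DNSNames: []string{"examp1ebank.com", "www.examp1ebank.com"}},
	{Issuer: "Let's Encrypt", DNSNames: []string{"login.examplebank-login.net"}},
	{Issuer: "Example DV CA", DNSNames: []string{"exampelbank.com"}},
	{Issuer: "Example DV CA", DNSNames: []string{"weather-news.org"}},
}

func main() {
	owned := map[string]bool{"examplebank.com": true} // domains the brand actually controls
	for name, why := range Triage(sampleEntries, "examplebank", owned) {
		fmt.Printf("%-30s %s\n", name, strings.Join(why, ","))
	}
}
```

The allowlist is what keeps the brand's own renewals out of the alert queue; in a real pipeline it would also carry supplier domains, and the hits would be enriched with passive DNS and a safe content check before anyone acts on them.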
Key takeaways
- Use TLS in technical writing; accept SSL as legacy wording others will still use.
- TLS 1.0 and 1.1 are deprecated. Ensure servers negotiate TLS 1.2 or 1.3 only.
- Certificates show what names were validated, not whether the operator is trustworthy.
- Monitor issuance and expiry as part of domain and brand abuse programs.