46

Mail clients offer both settings, STARTTLS and SSL/TLS. What is the difference between STARTTLS and SSL/TLS?

james.garriss
paweloque
  • You might also find a number of e-mail clients that mean STARTTLS vs. SSL/TLS when they say TLS vs. SSL. (There was a [similar question](http://stackoverflow.com/questions/3660798/what-happens-on-the-wire-when-a-tls-ldap-or-tls-http-connection-is-set-up) a few months ago.) – Bruno May 18 '11 at 02:55
  • http://serverfault.com/questions/523804/is-starttls-more-safe-than-tls-ssl – Ciro Santilli OurBigBook.com Jan 21 '16 at 10:56

3 Answers

41

The clearest explanation that I've read is from FastMail:

SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you're referring to a specific version of the protocol.

STARTTLS is a way to take an existing insecure connection, and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.

Read the rest of the info they have, including a discussion of port numbers and POP/IMAP vs SMTP, here: https://www.fastmail.fm/help/technology_ssl_vs_tls_starttls.html

james.garriss
24

The question is quite vague, but I guess I understand it. STARTTLS means "explicit TLS", where the connection is established on a regular port and then the STARTTLS command is sent to initiate the SSL handshake and switch to protected mode. The other option probably defines implicit SSL/TLS on a dedicated port. In implicit mode, the handshake takes place first and then the application-level protocol runs over the established secure channel.

Eugene Mayevski 'Callback
9

If you select "TLS if available", Thunderbird will make a TCP/IP connection to the mail server and send a command to ask what capabilities the mail server has. If it says it supports STARTTLS, Thunderbird will change the connection to a TLS connection. However, if the mail server doesn't support STARTTLS, the connection doesn't fail: Thunderbird continues to use a normal connection. This is a security risk, since Thunderbird doesn't display an icon to indicate whether the connection is secure like a browser does, and you're vulnerable to man-in-the-middle attacks (MITM).

Source: http://kb.mozillazine.org/Secure_connections_-_Thunderbird

bobo
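The two modes described in the answers above (explicit STARTTLS on the submission port versus implicit TLS on a dedicated port), plus the fail-closed check that avoids the "TLS if available" downgrade bobo describes, as an added Python example that is not part of this thread. The EHLO replies are constructed, `mail.example.test` is a placeholder host name, and the network helpers use only the standard library's `smtplib` and `ssl` modules; `plan_connection` and `parse_ehlo_capabilities` are names chosen for this example.

```python
"""Explicit (STARTTLS) vs implicit TLS for SMTP, with a fail-closed policy.

Added example, not from the original thread. Host names are placeholders.
"""
import smtplib
import ssl

# Constructed EHLO replies, as a server would send them after the client's EHLO.
# The first line carries the server's name; each following line is one
# extension keyword, optionally followed by parameters.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 8BITMIME\r\n"
)

IMPLICIT_TLS_PORTS = {465, 993, 995}  # SMTPS, IMAPS, POP3S: handshake first


def parse_ehlo_capabilities(raw: bytes) -> dict:
    """Return {EXTENSION: params} parsed from an EHLO reply (keywords upper-cased)."""
    caps = {}
    lines = raw.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:                 # skip the server-identity line
        if not line.startswith("250") or len(line) < 5:
            continue
        body = line[4:].strip()            # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


def plan_connection(port: int, caps: dict, allow_plaintext_fallback: bool = False) -> str:
    """Decide how the session must be protected.

    'implicit-tls' : dedicated port, TLS handshake before any SMTP command
    'starttls'     : plaintext EHLO, then upgrade because STARTTLS is offered
    'plaintext'    : STARTTLS not offered and the caller allowed a downgrade
                     (the 'TLS if available' behaviour; a MITM that strips the
                     STARTTLS line from the EHLO reply lands you here)
    """
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    if "STARTTLS" in caps:
        return "starttls"
    if allow_plaintext_fallback:
        return "plaintext"
    raise ConnectionError("server did not advertise STARTTLS; refusing to send in the clear")


def connect_implicit_tls(host: str, port: int = 465) -> smtplib.SMTP_SSL:
    """Implicit TLS: the TLS handshake happens before the SMTP greeting."""
    ctx = ssl.create_default_context()     # verifies certificate chain and host name
    return smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)


def connect_starttls(host: str, port: int = 587,
                     allow_plaintext_fallback: bool = False) -> smtplib.SMTP:
    """Explicit TLS: plain TCP, EHLO, then STARTTLS; fails closed by default."""
    ctx = ssl.create_default_context()
    conn = smtplib.SMTP(host, port, timeout=10)
    try:
        conn.ehlo()
        caps = {k.upper(): v for k, v in conn.esmtp_features.items()}
        mode = plan_connection(port, caps, allow_plaintext_fallback)
        if mode == "starttls":
            conn.starttls(context=ctx)
            conn.ehlo()                    # re-read capabilities over the protected channel
    except Exception:
        conn.close()
        raise
    return conn


if __name__ == "__main__":
    for port, reply in ((587, EHLO_WITH_STARTTLS), (465, EHLO_WITHOUT_STARTTLS)):
        print(port, plan_connection(port, parse_ehlo_capabilities(reply)))
    try:
        plan_connection(587, parse_ehlo_capabilities(EHLO_WITHOUT_STARTTLS))
    except ConnectionError as exc:
        print("587 without STARTTLS:", exc)
```

The design point is in `plan_connection`: on an implicit-TLS port the EHLO reply is never consulted because the handshake already happened, whereas on a STARTTLS port the reply is the only signal, so a client that silently continues when STARTTLS is absent has no way to tell a server that lacks TLS from an attacker who removed the capability line. Keeping `allow_plaintext_fallback` off makes the downgrade a visible error rather than a quiet plaintext session.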