Is HTTPS the same as SSL? And what's the difference between SSL and TLS?
Short answer
HTTPS is not a protocol of its own — it is plain HTTP running inside an encrypted TLS tunnel. SSL is the old name: SSL 2.0/3.0 are the deprecated, insecure predecessors of TLS, which superseded them (TLS 1.0 through 1.3). When people say 'SSL certificate' or 'SSL', they almost always actually mean TLS.
This question has two traps stacked together: conflating HTTPS with SSL, and getting the SSL/TLS lineage backwards. Sloppy terminology here signals shallow knowledge even if the candidate "knows" encryption.
HTTPS is not its own thing
HTTPS is simply HTTP layered on top of TLS. The application protocol (HTTP) is unchanged; it just runs inside an encrypted, authenticated tunnel that TLS sets up first. TLS provides confidentiality, integrity, and server authentication; HTTP then flows through it. So "is HTTPS the same as SSL?" is a category mismatch — one is an application protocol over a secure transport, the other is (an old name for) that secure transport.
SSL versus TLS: which came first
SSL (Secure Sockets Layer) came first — SSL 2.0 and 3.0. Both are now deprecated and broken (POODLE killed SSL 3.0). TLS (Transport Layer Security) is the successor standard: TLS 1.0, 1.1 (both deprecated), 1.2, and 1.3 (current). The distractor that says "SSL is current, TLS is the old one" is the exact inversion interviewers listen for.
Why the name persists
Habit and marketing. "SSL certificate" stuck around even though every modern certificate is used with TLS. The protocol on the wire today is TLS; "SSL" is colloquial shorthand.
What interviewers look for
A clear "HTTPS = HTTP over TLS," the correct chronology (SSL then TLS), and the awareness that "SSL" in casual use means TLS. Getting the order right is the real tell.
Likely follow-ups
- Which SSL/TLS versions are considered insecure today and why?
- If HTTPS is 'HTTP over TLS', what does TLS actually add to HTTP?
- Why do we still say 'SSL certificate' when we mean TLS?