Privacy Act 1988 and Your Website's Security Obligations
The Privacy Act 1988 imposes specific security obligations on Australian businesses that collect personal information online. Here's what your website must do to comply.
If you've ever set up HTTPS for a website, you've probably seen both "SSL" and "TLS" mentioned — sometimes in the same sentence, sometimes as if they're the same thing. They're not. Here's what you actually need to know.
The Short Answer
SSL (Secure Sockets Layer) is the original protocol. It's old, deprecated, and insecure.
TLS (Transport Layer Security) is its replacement. It's what your website actually uses today.
When someone says "SSL certificate," they almost always mean a TLS certificate. The name stuck long after the technology moved on.
The History
SSL was developed by Netscape in the 1990s. SSL 1.0 was never publicly released — it was so flawed internally that Netscape scrapped it before launch. SSL 2.0 (1995) was the first public version, followed by SSL 3.0 (1996). Both publicly released versions had significant security vulnerabilities.
TLS 1.0 was released in 1999 as an upgrade to SSL 3.0. It addressed many of SSL's weaknesses. Since then:
- TLS 1.1 — released 2006, deprecated 2021
- TLS 1.2 — released 2008, still widely used
- TLS 1.3 — released 2018, current standard
SSL 2.0 was formally deprecated in 2011. SSL 3.0 was deprecated in 2015 after the POODLE vulnerability made it completely unsafe.
No modern browser supports SSL at all. When you see the padlock in your browser, it's TLS — not SSL.
Why Does This Matter for Your Website?
TLS Version Support
Your server's TLS configuration determines which versions of the protocol browsers can use to connect. If your server still has TLS 1.0 or 1.1 enabled:
- You're supporting outdated clients that have known vulnerabilities
- Some security scanners will flag your site
- PCI DSS compliance (required for e-commerce) prohibits TLS 1.0 and 1.1
Recommended configuration: TLS 1.2 minimum, TLS 1.3 preferred.
The "SSL Certificate" Confusion
Your "SSL certificate" is actually a TLS certificate (formally called an X.509 certificate). It serves the same purpose regardless of what you call it:
- Proves your server owns the domain
- Contains your public key for encrypting the connection
- Is signed by a Certificate Authority (CA) that browsers trust
The certificate itself is protocol-agnostic — TLS 1.2 and TLS 1.3 both use the same certificate format.
Certificate Types Still Matter
Even though TLS has replaced SSL, certificate types still have real differences:
DV (Domain Validation)
- Cheapest and fastest (minutes to issue)
- Only proves you control the domain
- Let's Encrypt certificates are DV
- Good for: blogs, portfolios, most websites
OV (Organisation Validation)
- Certificate Authority verifies your business exists
- Takes 1–3 days to issue
- Shows your company name in certificate details
- Good for: business websites, e-commerce
EV (Extended Validation)
- Strictest vetting — business registration, legal existence verified
- Takes 1–5 days to issue
- Previously showed the green address bar (removed in modern browsers)
- Good for: high-trust sites (banking, government)
Cipher Suites
Beyond TLS version, cipher suites define the exact algorithms used for encryption. TLS 1.3 simplified this — only 5 cipher suites are supported, all considered secure.
TLS 1.2 has dozens of cipher suites, some of which are weak. If your server supports TLS_RSA_WITH_RC4_128_SHA or similar legacy suites, you have a configuration problem.
How to Check Your TLS Configuration
The quickest way is SSL Labs' free test at ssllabs.com/ssltest. It checks:
- Which TLS versions your server supports
- Which cipher suites are enabled
- Whether TLS 1.0/1.1 is still active
- Overall grade (A+, A, B, C, F)
Aim for an A or A+ rating.
What You Actually Need to Do
- Make sure your certificate is from a trusted CA — Let's Encrypt is free and trusted by all browsers
- Keep your certificate renewed — TLS certificates expire, usually after 90 days (Let's Encrypt) or up to approximately 200 days (commercial CAs, as of 2026 — validity periods are being progressively shortened by industry policy)
- Disable TLS 1.0 and 1.1 on your server — most modern hosting panels have a one-click option
- Enable TLS 1.3 — most web servers (nginx, Apache) support it with a configuration flag
- Monitor certificate expiry — the best TLS configuration means nothing if your certificate expires
The Takeaway
SSL is dead. TLS is what your website uses. But the term "SSL" isn't going away — the industry has embraced the shorthand even though it's technically wrong.
What matters practically:
- Your "SSL certificate" is actually a TLS certificate — that's fine
- Make sure your server runs TLS 1.2 minimum, preferably TLS 1.3
- Keep your certificate renewed — this is where most problems actually occur
CertGuard monitors your TLS certificate expiry and alerts you before it expires. Free for up to 3 domains.
Monitor Your SSL Certificates Automatically
CertGuard monitors your certificates automatically and alerts you before anything expires. Free for up to 3 domains.
Start Free →Related Articles
The ACSC Essential Eight and Website Certificate Management
The Australian Cyber Security Centre's Essential Eight framework addresses certificate management through patch management and application hardening. Here's how SSL monitoring fits in.
Certificate Transparency Logs: What They Reveal About Your Domain's Security
Certificate Transparency logs are public records of every SSL certificate ever issued for your domain. Here's what they reveal and how to use them to spot security threats.