Having worked in the Information Security field for close to 20 years
now, one of my biggest pet peeves is when Security professionals use
technical terms that no longer comport with current realities. So as a
word of warning this blog post is going to be a rant.
It is first important to understand some basic history around the
progression of the protocol from SSL to TLS. As is the case with most
security protocols each new version is created to address security
defects in the previous version.
SSL/TLS Implementation Timeline
– SSL first introduced in 1993-1994 by Netscape
– SSL 1.0 was never released due to serious security flaws
– SSL 2.0 released in 1995 to address the security flaws found in
– SSL 3.0 released in 1996 as a near-complete rewrite of the protocol to
address defects found in SSL 2.0
– TLS 1.0 released in 1999 to address some “minor” issues identified
in SSL 3.0
– TLS 1.1 released in 2006 to provide additional security enhancements
– TLS 1.2 released in 2008 to provide enhancements around SHA-256 along
with support of additional authenticated encryption ciphers.
SSL/TLS Vulnerability Timeline
– 2011 – SSL 3.0 and TLS 1.0 found to be vulnerable to BEAST attack
– 2014 – SSL 3.0 found to be vulnerable to the POODLE attack
As can be deduced from the above timelines, no one should be using
“SSL” as defined in the RFCs since 1999, but absolutely not since 2011
due to BEAST. Information Security professionals certainly should not
be referring to TLS as SSL as I’ve observed time and time again over
the last decade.
What is the big deal you may ask? Certainly everyone knows what you
are talking about when you tell a client or a customer, “Just secure
the HR website with SSL and you’ll be fine.” Your client or customer
then does a proverbial Google search and they find that anyone
securing their site with SSL is without doubt a psychotic. They then
call you and ask you why you would configure their highly sensitive HR
website with a protocol that has been exploitable for the past 7+
years. To which you respond, “Oh no, we would never configure your
site with SSL as the security best practice is to only enable it with
TLS 1.1 or above.”
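As an added example (not code from the original post), here is how that "TLS 1.1 or above" rule is enforced in Python's standard ssl module, together with a check of what a server of your own actually accepts. The default floor is TLS 1.2, since RFC 8996 has since deprecated TLS 1.0 and 1.1; passing "TLSv1.1" matches the post literally, and the host name in the usage comment is a placeholder.

```python
import socket
import ssl

# Names as returned by SSLSocket.version(), oldest first; anything
# before the chosen floor is on the post's "do not use" list.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
FLOORS = {
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,  # the post's "TLS 1.1 or above"
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,  # default: 1.0/1.1 deprecated by RFC 8996
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_context(floor="TLSv1.2", purpose=ssl.Purpose.SERVER_AUTH):
    """Context that refuses every handshake below `floor`. minimum_version
    replaces the legacy OP_NO_SSLv3/OP_NO_TLSv1 flags: the floor is stated
    explicitly instead of as a list of exclusions that can miss a version."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = FLOORS[floor]
    return ctx


def meets_floor(negotiated, floor="TLSv1.2"):
    """True if a negotiated protocol name is at or above `floor`; names the
    table does not know are rejected rather than trusted."""
    if negotiated not in VERSION_ORDER:
        return False
    return VERSION_ORDER.index(negotiated) >= VERSION_ORDER.index(floor)


def accepts_version(host, port, version, timeout=5.0):
    """True if `host` completes a handshake pinned to exactly `version`.
    Identity is deliberately not verified: the question is protocol
    acceptance. A version the local OpenSSL cannot speak reports False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def audit(host, port=443, floor="TLSv1.2"):
    """Map each version name to (accepted, allowed_by_floor) for `host`; a
    (True, False) entry is the misconfiguration the post warns against.
    Assumed usage: audit("hr.example.com")  (placeholder host)."""
    probes = [("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
              ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
    return {n: (accepts_version(host, port, v), meets_floor(n, floor)) for n, v in probes}
```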
You have now learned why terminology that reflects actual reality