Having worked in the Information Security field for close to 20 years now, one of my biggest pet peeves is when Security professionals use technical terms that no longer comport to current realities. So as a word of warning this blog post is going to be a rant.
It is first important to understand some basic history around the progression of the protocol from SSL to TLS. As is the case with most security protocols each new version is created to address security defects in the previous version.
SSL/TLS Implementation Timeline – SSL First Introducted in 1993-1994 by Netscape – SSL 1.0 was never released due to serious security flaws – SSL 2.0 released in 1995 to address the security flaws found in SSL 1.0 – SSL 3.0 released in 1996 as a pretty much rewrite of the protocol to address defects found in SSL 2.0 – TLS 1.0 released in 1999 to address some “minor” issues identified in SSL 3.0 – TLS 1.1 released in 2006 to provide additional security enhancements – TLS 1.2 released in 2008 to provide enhancements around SHA-256 along with support of additional authenticated encryption ciphers.
SSL/TLS Vulnerability Timeline – 2011 – SSL 3.0 and TLS 1.0 found to be vulnerable to BEAST attack – 2014 – SSL 3.0 found to be vulnerable to the POODLE attack
As can be deduced from the above timelines, no one should be using “SSL” as defined in the RFC’s since 1999, but absolutly not since 2011 due to BEAST. Information Security professionals certainly should not be referring to TLS as SSL as I’ve observed time and time again over the last decade.
What is the big deal you may ask? Certainly everyone knows what you are talking about when you tell a client or a customer, “Just secure the HR website with SSL and you’ll be fine.”. Your client or customer then does a proverbial Google search and they find that anyone securing their site with SSL is without doubt a psychotic. They then call you and ask you why you would configure their highly sensitive HR website with a protocol that has been exploitable for the past 7+ years. To which you respond, “Oh no, we would never configure your site with SSL as the security best practice is to only enable it with TLS 1.1 or above.”.
You have know learned why terminology that reflects actual reality matters.