The Evolution of SSL and TLS Reading Time: 3 minutes

SSL and TLS are often used interchangeably as they are closely related. Both are online communication protocols and serve the same purpose of encrypting communications between a web server and a user’s web browser by exchange of public and private keys to establish a secure session. The only difference between the two is that TLS evolved out of SSL technology and is a more secure version of SSL. In fact, it is TLS (and not SSL) that is used today to secure online communications, but even then we refer to it as SSL, because the name has stuck on and is more commonly used.

The Shift from SSL to TLS

SSL 2.0 was designed by Netscape (SSL 1.0 was never publicly released because of serious security flaws) and released in 1995. However, due to vulnerabilities which plagued this version, Netscape was forced to design a better and more secure SSL 3.0 which was released a year later. SSL 3.0 was widely used until recently – to be more precise, until 2014 – when a major security vulnerability found by Google security team spelled doom for it.

The Evolution of SSL and TLS

TLS Enters the Scene

Although SSL 3.0 was widely used until recently, TLS which stands for Transport Layer Security emerged out of SSL (Secure Sockets Layer) technology and has eventually overshadowed it. Totally, four different versions of TLS have been released till date, with the latest TLS 1.3 still in its development stages. From a security perspective, TLS 1.3 is being considered a major breakthrough since it is expected to do away with various cryptographic techniques known to be exploitable. For example, sources suggest TLS 1.3 will allow ciphers only if they provide Authenticated Encryption with Additional Data (AEAD).

TLS Offers Several Advantages

TLS 1.3 is expected to be highly efficient and because of this reason is expected to get rid of “session resumption and renegotiation” both of which are known to have accounted for several distinct security related threats in the past. It is also being suggested that it will abandon TLS-level compression entirely as a result of security attacks like CRIME, TIME and BREACH. Taking into consideration all these factors, it can be said that TLS 1.3 will be “much more secure” than its previous versions and its predecessor SSL.

Will TLS 1.3 be a Hack Proof Communication Protocol?

Unfortunately, the answer is ‘No’. A stable situation in terms of online security will always remain an elusive dream. As long as there are security experts try to strengthen the security of the online world, there will be hackers who will try different methods to break into them. Therefore, on paper, TLS 1.3 may seem secure, but in practice, we don’t know yet.

At the moment, there are at least two uncertainties:

  • First: we don’t know how well TLS 1.3 protocol is to be implemented and
  • Two: whether the implementations of the TLS 1.3 protocol will be configured in the manner they are supposed to.

As already mentioned, security landscape is and will always remain a land filled with mines which have to be trodden carefully. And will TLS 1.3 will be able to offer sufficient security? Only time will tell.

SSL Security Certificates