DZone
Security Zone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
  • Refcardz
  • Trend Reports
  • Webinars
  • Zones
  • |
    • Agile
    • AI
    • Big Data
    • Cloud
    • Database
    • DevOps
    • Integration
    • IoT
    • Java
    • Microservices
    • Open Source
    • Performance
    • Security
    • Web Dev
DZone > Security Zone > A Brief History of TLS

A Brief History of TLS

In this post, we travel back to the dark days before TLS, or even SSL, and show how Transport Layer Security evolved to what it is today.

Christopher Lamb user avatar by
Christopher Lamb
CORE ·
Mar. 01, 18 · Security Zone · Tutorial
Like (2)
Save
Tweet
2.80K Views

Join the DZone community and get the full member experience.

Join For Free

So we've all heard of SSL and TLS, but what are they, and how do you use them securely?

Well, to start with, you don't use Secure Sockets Layer (SSL) securely anymore. But what about TLS? And what versions?

To start to dig into this, we'll begin by looking at what SSL is, where it started, and how it evolved into TLS. Then we'll discuss what exactly TLS is, how it works, how you can configure it, and how you use it with HTTP (creating the ubiquitous HTTPS), and how you can use it without HTTP.

Secure Network Programming started it all, back in 1993. Thomas Woo and his collaborators at the University of Texas at Austin designed a network communications protocol that supported encrypted communications. The interface mirrored the Berkeley Sockets API as much as possible to make the system easy to use. This was desperately needed at the time - until then, all remote connections were via Telnet and were unencrypted. This included administrative connections. All that info flowed across networks unprotected - data, administrative credentials, all of it. It was a good call - it did begin to gain traction, as there was a clear need, and inspired the development of SSL over at Netscape.

SSL v.1.0 was finished in 1994 but never released. It was horribly flawed, and the designers knew it. So they trashed, it, and moved onto version 2.0, which was released in 1995. This version, though not as bad as v.1.0, also had significant issues. Version 3.0, a completely redesigned protocol, was released in 1996 to address these flaws. It remained in common use until 2014, when POODLE was released, which compromised all SSL v.3.0 block ciphers. RC4, SSL v.3.0's only streaming cipher, was also broken. In 2015, SSL v.3.0 was blackballed by the IETF. You can't use it today, but still, a 20-year run isn't bad. And it heavily influenced TLS v.1.0, which was first released in 1999.

TLS v.1.0 was close to SSL v.3.0 but was different enough to warrant a new name and version (plus, SSL was a Netscape thing, and the designers of TLS wanted it to be open). It would still allow users to fall back to SSL v.3.0 (which has been taken advantage of since then to roll encryption back to breakable protocols from relatively unbreakable TLS configurations). Since then, TLS has gone through two more iterations, bringing us to TLS v.1.3. Now, TLS v.1.3 is demonstrably more secure than v.1.2 but is still not the default for most web browsers as v.1.3 isn't as widely supported as it needs to be, and still breaks things like TLS proxies, making it infeasible for larger organizations.

This brings us to where we are today. TLS v.1.3 is as secure of a protocol as we know how to design and has been continuously upgraded to remove breakable algorithms like RC4 or MD5. If you have end-to-end control over your systems TLS v.1.3 is the way to go today. If not, TLS v.1.2 is your friend. SSL, well, best not to be seen with that guy at all.

TLS History (command)

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Creating a REST Web Service With Java and Spring (Part 1)
  • Comparing Distributed Databases
  • Ultra-Fast Microservices: When Microstream Meets Payara
  • An Overview of Key Components of a Data Pipeline

Comments

Security Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • MVB Program
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends:

DZone.com is powered by 

AnswerHub logo