A Brief History of SSL to TLS


Historical outline of the transition from SSL to TLS, in a nutshell.

Hopefully you’ve read our intro to SSL and TLS article.

1995: Netscape released SSL v2.0 to the public.

  • 2011: The IETF (Internet Engineering Task Force) deprecated SSL V2.0. A few of the key reasons (https://tools.ietf.org/html/rfc6176#section-2):
    • Message authentication uses MD5 – Most security-aware users have already moved away from any use of MD5.
    • Handshake messages are not protected – This permits a man-in-the-middle to trick the client into picking a weaker cipher suite than it would normally choose.
    • Message integrity and message encryption use the same key – This is a problem if the client and server negotiate a weak encryption algorithm.
    • Sessions can be easily terminated – A man-in-the-middle can easily insert a TCP FIN to close the session, and the peer is unable to determine whether or not it was a legitimate end of the session.
  • 1996: SSL v3 was released as a new version that fixed several security flaws of SSL v2.
    • 2015: The IETF deprecated SSL V3.0. In addition to the now well-known 2014 POODLE attack, the reasons were the following:

  • Key Exchange – The SSL V3.0 key exchange is vulnerable to man-in-the-middle attacks when renegotiation or session resumption [TRIPLE-HS] are used.
  • Custom Cryptographic Primitives – SSL V3.0 defines custom constructions for Pseudorandom Function (PRF), Hashed Message Authentication Code (HMAC), and digital signature primitives which lack the deep cryptographic scrutiny that standard constructions used by TLS have received. Furthermore, all SSL V3.0 primitives rely on SHA-1 and MD5, both of which are considered weak.
  • Limited Capabilities – SSL V3.0 is unable to take advantage of the many features that have been added to recent TLS versions, such as:
    • Authenticated Encryption with Additional Data (AEAD) modes are added in [RFC5246].
    • Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) are added in [RFC4492].
    • Stateless session tickets [RFC5077].
    • A datagram mode of operation, DTLS [RFC6347].
    • Application-layer protocol negotiation [RFC7301].


  • 1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-compatibility.
    • When TLS 1.0 was introduced in 1999 it differed little from SSL 3.0:
      • Key derivation functions are different
      • MACs are different – SSL 3.0 uses a modification of an early HMAC while TLS 1.0 uses HMAC.
      • The Finished messages are different
        • In SSLv3, client application data can be sent straight after sending the SSL/TLS Finished message. In TLSv1, it must wait for the server’s Finished message.
      • TLS has more alerts
      • TLS requires DSS/DH support
      • Premature closes no longer cause a session to be non-resumable.
  • 2006: TLS v1.1
    Some of the improvements over TLS v1.0 and SSL V3.0 (https://www.ietf.org/rfc/rfc4346.txt):
    • The implicit Initialization Vector (IV) is replaced with an explicit IV to protect against CBC attacks [CBCATT].
    • Handling of padding errors is changed to use the bad_record_mac alert rather than the decryption_failed alert to protect against CBC attacks.
    • IANA registries are defined for protocol parameters.
    • Premature closes no longer cause a session to be nonresumable.
    • Additional informational notes were added for various new attacks on TLS.


  • 2008: TLS v1.2 is the most current and most common version in use today.


A few of the differences from 1.1 are the following:

  • The MD5/SHA-1 combination in the pseudorandom function (PRF) has been replaced with cipher-suite-specified PRFs.
  • The MD5/SHA-1 combination in the digitally-signed element has been replaced with a single hash. Signed elements now include a field that explicitly specifies the hash algorithm used.
  • Substantial cleanup to the client’s and server’s ability to specify which hash and signature algorithms they will accept.
  • Addition of support for authenticated encryption with additional data modes.
  • TLS Extensions definition and AES Cipher Suites were merged in from external [TLSEXT] and [TLSAES].
  • Tighter checking of EncryptedPreMasterSecret version numbers.
  • Alerts must now be sent in many cases.
  • TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement cipher suite.
  • Added HMAC-SHA256 cipher suites.
  • Removed IDEA and DES cipher suites.
  • Support for the SSLv2 backward-compatible hello is now optional.
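
To make the timeline concrete, the following added example (not part of the original article) reads the first bytes a client sends and reports which of the versions above it offers, and whether it used the SSLv2 backward-compatible hello format. The function name, the flagging policy and the sample byte strings are assumptions constructed for this illustration.

```python
# Versions from the timeline above, keyed by their (major, minor) wire bytes.
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
DEPRECATED = {"SSL 2.0", "SSL 3.0"}  # deprecated by the IETF in 2011 and 2015

def classify_client_hello(data: bytes) -> dict:
    """Return the hello format, the version offered, and a review flag."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format hello: 2-byte length with the high bit set,
        # message type 1 (CLIENT-HELLO), then the 2-byte version.
        fmt, version = "sslv2-compatible", (data[3], data[4])
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record of type 22 (handshake) holding a ClientHello (type 1).
        # client_version sits after the 5-byte record header and the
        # 4-byte handshake header; the record-layer version is not used.
        fmt, version = "tls-record", (data[9], data[10])
    else:
        raise ValueError("not a recognisable ClientHello")
    name = VERSIONS.get(version, "unknown 0x%02x%02x" % version)
    # Policy assumed for this example: flag deprecated versions and any
    # use of the SSLv2 hello format, whatever version it advertises.
    flag = name in DEPRECATED or fmt == "sslv2-compatible"
    return {"format": fmt, "offered": name, "flag": flag}

# Constructed sample inputs: only the leading header bytes of each hello.
SAMPLES = {
    "tls12": bytes.fromhex("160301002f0100002b0303"),
    "sslv3": bytes.fromhex("160300002f0100002b0300"),
    "v2_hello_tls10": bytes.fromhex("802e010301"),
    "v2_hello_ssl2": bytes.fromhex("802e010002"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_client_hello(raw))
```

The table only covers the versions discussed in this article; a TLS 1.3 client also sends 0x0303 in this field, so it is reported here as TLS 1.2.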