There Is No SSL

6 thoughts
last posted Oct. 15, 2014, 7:41 p.m.

The thing that OpenSSL implements, that everyone calls "SSL", is actually called "TLS".

"TLS" is the standard protocol that programs speak to each other over the internet. "SSL" was a protocol last updated by Netscape in 1996.

If you're actually using SSL, you should probably stop, because it's just not as good as TLS.

There is a popular misconception that "HTTPS" stands for "HTTP over SSL", which reinforces this confusion. For the record, it doesn't; it stands for "HTTP Secure".

There's also the fact that the wire-level protocol command for other protocols to switch to encrypted communication is STARTTLS, which makes people think that the thing where you switch to TLS is called TLS and the thing where you start the connection with TLS is called SSL.

This is not the case either. They are both TLS. You can use STARTTLS with pre-standard TLS (SSL) if you configure your TLS implementation to do so.

I personally make this mistake all the time, even though I'm keenly aware of it. I try not to, but I'm not going to get mad at anybody for making it (and neither should you).

In case you didn't think there were enough nails in SSL's 15-year-old-at-this-point coffin, SSLv3 is now completely broken. SSLv2 has been for a long time.

There is no SSL. There is only TLS.
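
To see what a client actually offers on the wire, whether the connection begins with TLS or switches to it after STARTTLS, the first bytes of the handshake can be classified. This is an added example, not part of the original post: the function names are hypothetical, and the SSL 3.0 hello is a constructed sample.

```python
import ssl

# Wire version numbers: TLS 1.0 is "3.1", the direct successor of SSL 3.0.
NAMES = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
         0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")

def highest_offered(data: bytes) -> str:
    """Name the highest protocol version offered in a client's first bytes."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return NAMES.get(u16(data, 3), "unknown")   # SSL 2.0-format hello
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return "not a ClientHello"
    try:
        best = u16(data, 9)            # legacy client_version field
        p = 11 + 32                    # skip the 32-byte random
        p += 1 + data[p]               # session_id
        p += 2 + u16(data, p)          # cipher_suites
        p += 1 + data[p]               # compression_methods
        p, end = p + 2, min(len(data), p + 2 + u16(data, p))
        while p + 4 <= end:            # walk the extensions
            ext_type, ext_len = u16(data, p), u16(data, p + 2)
            if ext_type == 43:         # supported_versions, used by TLS 1.3
                body = data[p + 5:p + 4 + ext_len]
                offered = [u16(body, i) for i in range(0, len(body) - 1, 2)]
                best = max([best] + [v for v in offered if v in NAMES])
            p += 4 + ext_len
    except IndexError:
        return "truncated"
    return NAMES.get(best, "unknown")

def local_client_hello() -> bytes:
    """Have the local TLS library emit a ClientHello in memory, no network."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0 / TLS 1.0 / 1.1
    inb, outb = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(inb, outb, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:       # expected: no server reply yet
        pass
    return outb.read()

def constructed_sslv3_hello() -> bytes:
    """Constructed sample: a minimal SSL 3.0 ClientHello, for comparison."""
    body = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + len(hs).to_bytes(2, "big") + hs
```

Feeding `highest_offered` the first bytes captured after a STARTTLS upgrade or at the start of an implicit-TLS connection gives the same kind of answer, because the handshake that follows is the same protocol in both cases.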