SSL is dead - long live TLS!

The original SSL protocol was developed in the early nineties. In 1995, SSL 2.0 was released and became the first version in use. Due to some flaws, SSL 3.0 replaced this version in 1996. SSL 3.0 was in use for almost two decades, but the POODLE attack in 2014 showed that SSL 3.0 is vulnerable. Because of this attack, SSL is considered insecure, and has been refined.


As a replacement for SSL 3.0, TLS version 1.0 was developed in 1999. An improved TLS version 1.1 was released in 2006, and the current version, 1.2, was released in 2008. There are no known major security vulnerabilities associated with the TLS versions when used together with HTTP. Nevertheless, the recommendation is to always use the latest versions. In the Internet Protocol Suite, TLS is a protocol layer between the application layer and the transport layer.

The TLS protocol may be used by different application layer protocols, but we often talk about HTTP (HyperText Transfer Protocol) as the application layer protocol using TLS. HTTPS is the term for using HTTP over TLS, and this is the most common use of TLS on the Internet today. HTTPS is widely used between browsers and websites. We expect its use to increase in the future, as browsers will treat HTTPS as the default and flag HTTP as non-secure to the end user. HTTPS may also be used in general communication between servers where privacy and integrity are important.

Although SSL has long been dead, the term SSL is still commonly used to refer to both SSL and TLS.
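
The version history above is visible on the wire: every ClientHello carries a two-byte version, and TLS 1.0 announces itself as 3.1, continuing SSL's numbering. The following Python code is an added example, not part of the original article; it reads that field from a handshake record and rejects clients that offer nothing newer than SSL 3.0. The function names and the sample records are constructed for illustration.

```python
import struct

# (major, minor) bytes on the wire for the versions the text names.
# TLS 1.0 identifies itself as 3.1: it continues SSL's numbering.
WIRE_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
INSECURE = {"SSL 3.0"}  # per the text: shown vulnerable by POODLE in 2014

def sample_client_hello(major: int, minor: int) -> bytes:
    """Constructed test input: a minimal ClientHello in one record."""
    hello = (bytes([major, minor])   # client_version
             + bytes(32)             # random (zeros, constructed)
             + b"\x00"               # empty session_id
             + b"\x00\x02\x00\x2f"   # one cipher suite
             + b"\x01\x00")          # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 22, major, minor, len(handshake)) + handshake

def client_hello_version(record: bytes) -> str:
    """Name the highest version offered in a ClientHello record."""
    if len(record) < 5:
        raise ValueError("shorter than a record header")
    content_type, rec_major, _rec_minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if content_type != 22 or rec_major != 3:
        raise ValueError("not an SSL 3.0/TLS handshake record")
    if len(body) != length or length < 6 or body[0] != 1:
        raise ValueError("truncated record or not a ClientHello")
    version = (body[4], body[5])     # client_version follows the 4-byte header
    return WIRE_VERSIONS.get(version, "unknown %d.%d" % version)

def is_acceptable(record: bytes) -> bool:
    """False when the client offers nothing newer than SSL 3.0."""
    return client_hello_version(record) not in INSECURE

if __name__ == "__main__":
    for v in sorted(WIRE_VERSIONS):
        rec = sample_client_hello(*v)
        print(client_hello_version(rec), "accept" if is_acceptable(rec) else "reject")
```

Clients that support versions newer than those named in the text still send 3.3 in this field and list the newer versions in an extension, which this example does not parse.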