Comment by oc1
Comment by oc1 a day ago
Same. I feel so dumb now. After 15 years in this industry i finally figured out that ssl and tls are the same.
Comment by oc1 a day ago
Same. I feel so dumb now. After 15 years in this industry i finally figured out that ssl and tls are the same.
No no, they're not. They're names of specific protocols with specific capabilities and versions. "SSL 1.0" and "TLS 1.0" are very different. (see https://aws.amazon.com/compare/the-difference-between-ssl-an...)
The important bits:
- "SSL" is a set of protocols so ridiculously old, busted and insecure that nobody should ever use them. It's like talking about Sanskrit; ancient and dead.
- "TLS" is way better than "SSL", but still there are insecure versions. Any version before 1.2 is no longer supported due to security holes.
- Technically an "ssl certificate" is neither "SSL" nor "TLS", it's really an "X.509 Certificate with Extended Key Usage: Server Authentication". But that doesn't roll off the tongue. You could use a cert from 1996 in a modern TLS server; the problem would be its expiration date, and the hash/signature functions used back then are deprecated. (some servers still support insecure methods to support older clients, which is bad)
The point is more that SSL 3.0 and TLS 1.0 were nearly identical. That is, the breaks in similarity were at SSL 2.0 -> SSL 3.0 (and TLS 1.2 -> TLS 1.3, to a lesser extent), as opposed to the common misconception that TLS 1.0 is what changed everything.
But yes, it's all a bit irrelevant now that anything below TLS 1.2 is sketchy to use.
Right, but they accomplish the same thing and people move monotonically from SSL to TLS. It’s not like choosing between React and Angular, but like choosing between React version 5 and React version 10 for a new project. SSL and TLS are the same in all meaningful respects from this perspective.
Hotdogs and hamburgers are the same in all meaningful respects.
They are not. But a Chicago dog is meaningfully the same as a New York Dog (just with some more vegetables).
It's a new word in version churn: rename the whole thing on every commit.
In reality, you may never have actually used SSL, and if you're old enough to have, you haven't used it in decades (I hope).
Back closer to the time, there were some people around who insisted that SSL specifically meant the old versions and it was all TLS now. I recall a couple of occasions where people were talking about UCSPI-SSL and someone stepped in to explain that We Don't Do SSL Now. As the headlined article says, that contrived distinction seems silly with the hindsight of decades.
The nomenclature was complicated in people's minds by SMTP. Because there was SMTP over a largely transparent encrypted connection, and SMTP where it started unencrypted and negotiated a switch, as well as plain old cleartext. It didn't help that RFC 2487 explained that STARTTLS negotiated "TLS more commonly known as SSL". RFC 8314 explains some of the historical mess that SMTP got into with two types of SMTP (relay and submission) and three types of transport.
And the "S" for "submission" could be confused with the "S"s in both "SSL" and "TLS". It's not just TLAs that are ambiguous, indeed. There was confusion over "SMTPS" and "SSMTP", not helped at all by the people who named programs things like "sSMTP".
I'm still calling it SSL in 2025. (-: And so is Erwin Hoffmann.
* https://www.fehcom.de/ipnet/sslserver.html
* https://manpages.debian.org/unstable/ssmtp/ssmtp.8.en.html