Comment by disruptiveink

Comment by disruptiveink 6 months ago

4 replies

View on Hacker News

Wait, but didn't TLS 1.0 have significant improvements over SSL 3.0? The article makes it seems that just a couple of things were tweaked just to make it different for the sake of being different.

mcpherrinm 6 months ago

The main difference is in the padding. When the POODLE attack was pre-announced as only affecting SSL3 and not TLS1.0, that was enough to predict it was going to be a padding oracle.

I think it’s fair to say they’re very similar, with a few “bug fixes”. It’s been a while since I’ve thought about either though, and might be forgetting a few things. I’ve only ever implemented SSL3 and TLS1.0 together, so there may be some details I’m forgetting.

Reply View 1 reply
  • nextgens 6 months ago

    TLS1.0 introduced modularity via the concept of "extensions". It's everything but a minor evolution of the protocol.

    Reply View 0 replies
timdierks 6 months ago

The tweaks were minor (smaller than for any other version revision), and mostly just the IETF marking its territory and doing something other than blessing the SSL 3.0 protocol as-is.

Reply View 0 replies
layer8 6 months ago

Indeed there are significant changes and improvements, though it’s not a complete redesign like SSL 3.0 was.

Reply View 0 replies