SSL
SSL (Secure Sockets Layer) is the original cryptographic protocol for encrypting communication between a client and a server over a network, developed by Netscape in the 1990s. g.
Definition
SSL (Secure Sockets Layer) is the original cryptographic protocol for encrypting communication between a client and a server over a network, developed by Netscape in the 1990s. All SSL versions are now deprecated and considered insecure; the term 'SSL' is still used colloquially (e.g. 'SSL certificate') to refer to what is technically its successor protocol, TLS.
Overview
SSL was created by Netscape, with SSL 2.0 released in 1995 and SSL 3.0 in 1996, to secure web traffic by encrypting data between browsers and servers and verifying server identity via digital certificates. It established the core handshake model still used today: a client and server negotiate a cipher suite, the server presents a certificate signed by a trusted Certificate Authority (CA), and both sides derive a shared symmetric key used to encrypt the session. All versions of SSL (2.0 and 3.0) have since been found to have serious vulnerabilities — most notably the POODLE attack against SSL 3.0 — leading the IETF to formally deprecate SSL in favor of TLS (Transport Layer Security), first standardized as TLS 1.0 in 1999 as a direct successor. Modern browsers, servers, and security standards (like PCI DSS) reject SSL connections entirely and require TLS 1.2 or TLS 1.3. Despite this, 'SSL' remains deeply embedded in industry terminology: certificates used for HTTPS are still commonly called 'SSL certificates', certificate authorities sell 'SSL certificates', and phrases like 'SSL/TLS' are used interchangeably to refer to the general practice of encrypting web traffic, even though the actual protocol in use today is virtually always TLS. Understanding this distinction matters for security configuration: administrators should explicitly disable SSL 2.0/3.0 and early TLS versions (1.0/1.1, also deprecated) on servers, and ensure only TLS 1.2+ is enabled, even if the certificates involved are marketed as 'SSL certificates'.
Specification
- Original protocol for encrypting client-server communication (now deprecated)
- Introduced the certificate-based handshake model still used by TLS
- SSL 2.0 and 3.0 both have known critical vulnerabilities (e.g. POODLE)
- Formally superseded by TLS, its direct successor protocol
- Term persists colloquially in 'SSL certificate' despite TLS being the actual protocol
- Disabled by default in all modern browsers and servers
Use Cases
History
Secure Sockets Layer was the original protocol for encrypting web traffic, introduced by Netscape in 1994 and designed by the company's chief scientist, Taher Elgamal, often called "the father of SSL." SSL 1.0 was never released because of serious security flaws; the first public release was SSL 2.0 in 1995, which established enduring concepts such as the handshake, X.509 certificates, and server authentication. SSL 3.0, a substantial redesign, followed in November 1996. Both versions were eventually found insecure: the IETF formally deprecated SSL 2.0 in 2011 (RFC 6176) and SSL 3.0 in June 2015 (RFC 7568, prompted by the POODLE attack). SSL's successor, TLS, superseded it — though "SSL" persists colloquially as a name for TLS-based encryption.
Sources
- IETF — RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 · as of 2026-07-17
- IETF — RFC 7568: Deprecating Secure Sockets Layer Version 3.0 · as of 2026-07-17