Shahid Roofi Khan

Microsoft Technologies Blog

Why SSL fate is doomed and TLS is the only option left

SSL, which refers to Secure Socket Layer, is a protocol used to provide secure connections between a client and a server. A TCP connection can provide a reliable link between a server and a client but cannot provide services such as confidentiality, integrity and end point authentication. So, SSL was introduced by Netscape in early 1990s to provide these services. The first version of SSL, which is known as SSL 1.0, was never released to the public as it had many security holes. However, in 1995, SSL 2.0, which provided better security than SSL 1.0, was introduced and, in 1996, SSL 3.0 was introduced with more improvements. The next versions of the SSL protocol appeared under the name TLS.

SSL, which is implemented in the transport layer, can secure a protocol such as TCP by applying various security measures. It will provide confidentiality by using encryptions to prevent anyone from eavesdropping. It uses both asymmetric and symmetric encryption. First, using asymmetric key encryption, a symmetric session key is established which then would be used for encrypting the traffic. Asymmetric key cryptography is also used for digital certificates used to authenticate the server. Then Message Authentication Code, which uses various hashing techniques, is used to provide integrity (identify any unauthenticated modification done to the real data). So a protocol like SSL allows transmitting sensitive information such as banktransactions and credit card information over the internet. Also, it is used for providing confidentiality for services such as email, web browsing, messaging, and voice over IP.

SSL is now outdated and has many security issues where its usage is not much recommended currently. SSL 3.0 was enabled by default until recently in many browsers but now they are planning to disable in the future versions due to severe security bugs such as POODLE attack.