SSL
Secure Sockets Layer – cryptographic protocol for secure internet communications
/ˌɛsˌɛsˈɛl/ (UK: /ˌes.esˈel/)
Definition
Secure Sockets Layer – cryptographic protocol for secure internet communications
Classification & Usage
- Type: Cryptographic protocol (software) – SSL is deprecated; modern deployments use TLS 1.2/1.3. Often accelerated by dedicated hardware (HSMs, SSL offload cards).
- Where it is used: HTTPS on every website, email (SMTPS, IMAPS), VPNs (OpenVPN, AnyConnect), instant messaging (XMPP-TLS), VoIP, database connections (Postgres, MySQL), API calls, IoT telemetry, and payment terminals. Since 2018 browsers flag any HTTP-only site as ‘Not Secure’.
- How it is used: A server presents an X.509 certificate issued by a trusted CA (Let’s Encrypt, DigiCert). Client and server perform a handshake – agreeing on cipher suite, exchanging keys via ECDHE, and verifying the certificate chain. Once established, application data is encrypted with AES-GCM or ChaCha20-Poly1305. Ops teams automate renewal with Certbot/ACME and monitor with tools like ssllabs.com.
Etymology & Origin
SSL stands for ‘Secure Sockets Layer’. ‘Sockets’ references the Berkeley sockets API — the fundamental abstraction for network endpoints on Unix and later Windows — indicating that SSL operates directly above the transport (TCP) socket. The ‘Secure’ modifier distinguishes it from plain unencrypted sockets. The protocol was later renamed TLS (Transport Layer Security) when standardized by the IETF in 1999, though ‘SSL’ persists in common usage.
Historical Development
SSL was designed by Netscape in 1994 to protect early e-commerce on its Navigator browser. SSL 1.0 was never released publicly due to serious flaws. SSL 2.0 (February 1995) had weaknesses exploited within months. SSL 3.0 (1996), designed primarily by Paul Kocher, Phil Karlton, and Alan Freier, became the basis for subsequent work. The IETF’s TLS working group produced TLS 1.0 (RFC 2246, January 1999).
Implementation History
OpenSSL (forked from SSLeay in 1998) became the dominant open-source implementation, running on a majority of web servers. The 2014 Heartbleed vulnerability in OpenSSL prompted industry-wide auditing and the LibreSSL and BoringSSL forks. Let’s Encrypt, launched in 2015 by the Internet Security Research Group, made automated free certificates universal, driving HTTPS adoption from under 40% to over 90% of web traffic within five years.
Current Relevance
TLS 1.3 (RFC 8446, August 2018) is the current standard, dropping legacy cipher suites and reducing handshake latency. SSL 2.0 and 3.0 are formally deprecated; TLS 1.0 and 1.1 were deprecated by RFC 8996 (2021). Modern practice mandates HSTS, certificate transparency logs, and automated renewal. Post-quantum cryptography migration is under way, with NIST standardizing ML-KEM (Kyber) and ML-DSA (Dilithium) in 2024 for eventual deployment in TLS.
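The certificate verification described under "How it is used" and the version deprecations above can be checked on the client side. The following is an added example, not part of the original entry, using Python's standard `ssl` module. The function names `weak_client_context`, `audit_context` and `harden` are hypothetical, and the weak context is constructed for illustration.

```python
import ssl

# Floor taken from the text above: SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def weak_client_context():
    """Constructed anti-pattern: no chain or hostname checks, no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings


def harden(ctx):
    """Fix a client context in place so that audit_context() returns []."""
    ctx.minimum_version = MIN_ACCEPTABLE
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()  # trust the system CA store for chain building
    return ctx


if __name__ == "__main__":
    ctx = weak_client_context()
    print("before:", audit_context(ctx))
    print("after: ", audit_context(harden(ctx)))
```

The module refuses to set `CERT_NONE` while hostname checking is still enabled, which is why the weak context has to clear `check_hostname` first.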
Examples
- The SSL/TLS process includes handshake negotiation, certificate verification, key exchange, symmetric encryption establishment, and secure data transmission. SSL certificates authenticate server identity and encrypt data in transit.