Comment by 0xbadcafebee

5 months ago

No no, they're not. They're names of specific protocols with specific capabilities and versions. "SSL 1.0" and "TLS 1.0" are very different. (see https://aws.amazon.com/compare/the-difference-between-ssl-an...)

The important bits:

- "SSL" is a set of protocols so ridiculously old, busted and insecure that nobody should ever use them. It's like talking about Sanskrit; ancient and dead.

- "TLS" is way better than "SSL", but still there are insecure versions. Any version before 1.2 is no longer supported due to security holes.

- Technically an "ssl certificate" is neither "SSL" nor "TLS", it's really an "X.509 Certificate with Extended Key Usage: Server Authentication". But that doesn't roll off the tongue. You could use a cert from 1996 in a modern TLS server; the problem would be its expiration date, and the hash/signature functions used back then are deprecated. (some servers still support insecure methods to support older clients, which is bad)

10 comments

0xbadcafebee

Reply
creatonez  5 months ago

The point is more that SSL 3.0 and TLS 1.0 were nearly identical. That is, the breaks in similarity were at SSL 2.0 -> SSL 3.0 (and TLS 1.2 -> TLS 1.3, to a lesser extent), as opposed to the common misconception that TLS 1.0 is what changed everything.

But yes, it's all a bit irrelevant now that anything below TLS 1.2 is sketchy to use.

MOARDONGZPLZ  5 months ago

Right, but they accomplish the same thing and people move monotonically from SSL to TLS. It’s not like choosing between React and Angular, but like choosing between React version 5 and React version 10 for a new project. SSL and TLS are the same in all meaningful respects from this perspective.