Comment by disruptiveink
5 months ago
Wait, but didn't TLS 1.0 have significant improvements over SSL 3.0? The article makes it seems that just a couple of things were tweaked just to make it different for the sake of being different.
5 months ago
Wait, but didn't TLS 1.0 have significant improvements over SSL 3.0? The article makes it seems that just a couple of things were tweaked just to make it different for the sake of being different.
The main difference is in the padding. When the POODLE attack was pre-announced as only affecting SSL3 and not TLS1.0, that was enough to predict it was going to be a padding oracle.
I think it’s fair to say they’re very similar, with a few “bug fixes”. It’s been a while since I’ve thought about either though, and might be forgetting a few things. I’ve only ever implemented SSL3 and TLS1.0 together, so there may be some details I’m forgetting.
TLS1.0 introduced modularity via the concept of "extensions". It's everything but a minor evolution of the protocol.
The tweaks were minor (smaller than for any other version revision), and mostly just the IETF marking its territory and doing something other than blessing the SSL 3.0 protocol as-is.
Indeed there are significant changes and improvements, though it’s not a complete redesign like SSL 3.0 was.