Comment by accrual
1 day ago
Why are we still using the term "SSL" anywhere? It feels immediately like someone forgot the last 10 years of tech.
I'm one of the few using "TLS", but it's hard.
When doing this, you see that some people feel that you are being pedantic.
And the biggest issue is that it creates confusion. During calls with customers, when I tell them that we're going to set up their TLS certs, they reply, worried: "no, we need SSL certs!".
I see it as another chicken & egg situation: regular people don't know about TLS, and businesses are afraid of communicating about TLS because they don't want their customers going elsewhere because they don't understand what TLS is and want SSL.
I went on Cloudflare to try and illustrate this, and it's... complicated https://www.cloudflare.com/application-services/products/ssl...
The path says SSL but most of the page is about TLS, unless sometimes it's SSL...
There are no TLS certs, it's x509 certs :) SSL certificate is still the name used by everybody though. For the protocol, TLS is correct (apart from SSLv3 which is very deprecated).
SSL was developed by Netscape in the 90s and evolved into TLS. Netscape Navigator essentially evolved into Mozilla.
"They've" been at it from the beginning, so it somehow seems understandable that Mozilla has a lot of "SSL" momentum or carryover.
actually we wrote this many years ago and left mozilla and nobody is really updating it other than adding new configs. it's not super useful anymore :)
at the time it made sense to us because you couldn't have good SSL configuration everywhere (it was not well supported) so we had trade-offs and created tiers of configs. We barely had TLS coming out, so SSL was still the name of the game.
nowadays just use the latest TLS defaults and you're golden.
Back in the day, SSL didn't exist. When it came into existence, it was quite an expensive novelty.
It became a generic name that everyone knew for encrypted HTTP connections. It still is a generic name for that, even though the underlying protocol changed name to TLS.
The main answer is a lot of the software on that page predates SSL's deprecation and people (sysadmins especially, because they wrote some bash script 20 years ago and want it to keep working) like backwards compatibility.
I think the bigger answer is certificate vendors won't stop using the term.
Maybe, but who is actually still buying tls certs from a vendor?
TLS is basically SSL 4. They only changed the name to signal the backwards incompatibility.
Not quite.
The name was changed from SSL to TLS as part of the adoption in IETF. I imagine different people had different motivations, but in part it was a signal that it was going to be controlled by IETF rather than Netscape.
As far as compatibility goes, TLS is backward compatible with SSLv3 [0] in that the client can send a ClientHello that is acceptable to both SSLv3 and TLS servers and the server can select the version to use.
Re: the version number, we're now on TLS 1.3, so I guess that would be SSLv7.
[0] The situation is more complicated with SSLv2, which had a different ClientHello format.
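The negotiation described in the comment above, sketched as an added example that is not part of the original thread: a parser that tells an SSLv2-format hello from an SSLv3/TLS ClientHello and reads the offered version, plus the server-side choice. It covers the legacy version field used through TLS 1.2 (TLS 1.3's `supported_versions` extension is not parsed); the function names and sample bytes are constructed for illustration.

```python
import struct

# Wire versions as (major, minor); lookup table used only for display.
NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_client_hello(data):
    """Classify the client's first message and return the version it offers."""
    if len(data) < 5:
        raise ValueError("too short")
    # SSLv2-format hello: 2-byte header with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"format": "SSLv2", "offered": (data[3], data[4])}
    # SSLv3/TLS record header: content type(1), version(2), length(2).
    ctype, rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or rec_major != 3:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    # Handshake header is msg_type(1) + length(3); client_version follows.
    return {"format": "SSLv3/TLS", "offered": (body[4], body[5])}


def select_version(offered, server_min, server_max):
    """Server side: highest version both ends support, or None to refuse."""
    chosen = min(offered, server_max)
    return chosen if chosen >= server_min else None


def sample_hello(version):
    """Constructed minimal ClientHello: one cipher suite, no extensions."""
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    # Server policy (constructed): accept TLS 1.0 through TLS 1.2, refuse SSLv3.
    for offered in [(3, 0), (3, 1), (3, 3)]:
        hello = parse_client_hello(sample_hello(offered))
        chosen = select_version(hello["offered"], (3, 1), (3, 3))
        print(NAMES[offered], "->", NAMES.get(chosen, "refused"))
```
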
You might as well decry "Hoover" for a vacuum cleaner. I haven't seen a Hoover for way longer than SSL -> TLS. OK I have but I blanked it!
I’m going to xerox this Kleenex.
I think xerox still exists but darn if I haven’t seen one in ages.
I did this recently then put it in my Tupperware (which most people have never seen or used since it was only sold at those at home Tupperware parties and not at stores).
The printers still exist, but the branding is deprecated.
Xerox -> Fuji-Xerox -> FUJIFILM Business Innovation
TLS is a Microsoftie term. I use SSL out of stubbornness.
https://news.ycombinator.com/item?id=44282378
It's also the official name in the RFC. TLS 1.0 may be the same as SSL 3.0, but TLS 1.1, 1.2 and 1.3 are just TLS 1.1, 1.2 and 1.3.
TLS 1.0 actually is slightly different from SSLv3.
Because “OpenSSL” was too lazy to rename themselves to “OpenTLS”
That's good! I'll use TLS when OpenSSL gets renamed :-D (I own many SSL domains and projects)
ElGamal says he uses them interchangeably. He says TLS exists for historical reasons, but the essence of the technology is the same. I got into the habit of using SSL/TLS.
I use it all the time.
I tend to expand TLS as thread-local storage, so SSL is less confusing for me.
SSL is not going away, might as well forget TLS instead.
https://www.fortinet.com/resources/cyberglossary/ssl-vpn
I had to double check my nginx configuration and the variables use SSL in the names even though I define the protocol to be TLS. I have the certbot commands and their naming conventions use SSL. Perhaps you've never actually implemented SSL or TLS and just use the latest tech jargon to fake understanding?
Good luck renaming OpenSSL...
[flagged]
That's the opposite of what happened with TLS.
Surely you mustn't be referring to OpenSSL, which was forked multiple times — under duress — to maintain the safety and security of the web.
If OpenSSL were disposed of,^1 then where would that leave "TLS"?
1. For example if software stopped linking to OpenSSL libraries instead of alternatives
"OpenSSL" (the library as well as the binary) is quite "bloated" compared to WolfSSL, LibreSSL, BoringSSL, etc.
If the name "TLS" signifies something meaningful then why do the majority of TLS-implementing projects still include "SSL" in their name?