100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

SSL

IntermediateProtocol10.9K learners

SSL (Secure Sockets Layer) is the original cryptographic protocol for encrypting communication between a client and a server over a network, developed by Netscape in the 1990s. g.

Definition

SSL (Secure Sockets Layer) is the original cryptographic protocol for encrypting communication between a client and a server over a network, developed by Netscape in the 1990s. All SSL versions are now deprecated and considered insecure; the term 'SSL' is still used colloquially (e.g. 'SSL certificate') to refer to what is technically its successor protocol, TLS.

Overview

SSL was created by Netscape, with SSL 2.0 released in 1995 and SSL 3.0 in 1996, to secure web traffic by encrypting data between browsers and servers and verifying server identity via digital certificates. It established the core handshake model still used today: a client and server negotiate a cipher suite, the server presents a certificate signed by a trusted Certificate Authority (CA), and both sides derive a shared symmetric key used to encrypt the session. All versions of SSL (2.0 and 3.0) have since been found to have serious vulnerabilities — most notably the POODLE attack against SSL 3.0 — leading the IETF to formally deprecate SSL in favor of TLS (Transport Layer Security), first standardized as TLS 1.0 in 1999 as a direct successor. Modern browsers, servers, and security standards (like PCI DSS) reject SSL connections entirely and require TLS 1.2 or TLS 1.3. Despite this, 'SSL' remains deeply embedded in industry terminology: certificates used for HTTPS are still commonly called 'SSL certificates', certificate authorities sell 'SSL certificates', and phrases like 'SSL/TLS' are used interchangeably to refer to the general practice of encrypting web traffic, even though the actual protocol in use today is virtually always TLS. Understanding this distinction matters for security configuration: administrators should explicitly disable SSL 2.0/3.0 and early TLS versions (1.0/1.1, also deprecated) on servers, and ensure only TLS 1.2+ is enabled, even if the certificates involved are marketed as 'SSL certificates'.

Specification

  • Original protocol for encrypting client-server communication (now deprecated)
  • Introduced the certificate-based handshake model still used by TLS
  • SSL 2.0 and 3.0 both have known critical vulnerabilities (e.g. POODLE)
  • Formally superseded by TLS, its direct successor protocol
  • Term persists colloquially in 'SSL certificate' despite TLS being the actual protocol
  • Disabled by default in all modern browsers and servers

Use Cases

Historical/legacy reference point for understanding TLS's origins
Terminology still used when purchasing HTTPS certificates from a CA
Security audits check for and disable legacy SSL support on servers
Compliance standards (PCI DSS) explicitly prohibit SSL and early TLS

History

Secure Sockets Layer was the original protocol for encrypting web traffic, introduced by Netscape in 1994 and designed by the company's chief scientist, Taher Elgamal, often called "the father of SSL." SSL 1.0 was never released because of serious security flaws; the first public release was SSL 2.0 in 1995, which established enduring concepts such as the handshake, X.509 certificates, and server authentication. SSL 3.0, a substantial redesign, followed in November 1996. Both versions were eventually found insecure: the IETF formally deprecated SSL 2.0 in 2011 (RFC 6176) and SSL 3.0 in June 2015 (RFC 7568, prompted by the POODLE attack). SSL's successor, TLS, superseded it — though "SSL" persists colloquially as a name for TLS-based encryption.

Frequently Asked Questions