SSL/TLS Protocol Evolution

1995 to August 2018. Cybersecurity. Standard published. Date precision: month. Evidence grade: primary. 2 primary sources.

Drivers:

  • Security incident
  • User demand
  • Regulatory requirement

E-commerce growth demanded secure transactions. Repeated vulnerabilities (BEAST, POODLE, Heartbleed) forced protocol updates. Regulatory requirements for data protection drove HTTPS adoption. Browser vendors pushed for universal encryption.

TLS is the technology that puts the padlock icon in your browser. When you visit a website starting with 'https://', TLS encrypts everything between your browser and the website so no one can spy on your passwords or credit card numbers. Its predecessor, SSL, was invented by Netscape in the 1990s to make online shopping safe.

[Figure: SSL/TLS Protocol Evolution event plate. Structured atlas record showing date, domain, evidence grade, source count, and predecessor and successor links. Source: https://www.rfc-editor.org/rfc/rfc2246. Key terms: TLS, SSL, HTTPS, certificate.]

Forecasts and counterfactuals stay labelled as opinion in the event data. Source: Computer History Museum.

Before

Early internet communication was unencrypted. Anyone could intercept data in transit, including passwords and financial information. E-commerce could not develop without secure communication. HTTP transmitted everything in plain text.

What changed

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) provided encrypted, authenticated communication over the internet. HTTPS became the standard for secure web traffic. TLS 1.3 (2018) modernised the protocol with improved security and performance.

How it happened

Netscape developed SSL 2.0 (1995) and SSL 3.0 (1996) for secure web browsing. IETF standardised TLS 1.0 (RFC 2246, 1999) as an open standard. Subsequent versions addressed vulnerabilities: TLS 1.1 (2006), TLS 1.2 (2008), and the major revision TLS 1.3 (RFC 8446, 2018). Each version deprecated insecure algorithms and improved the handshake.

Outcomes

  • Enabled secure e-commerce and online banking
  • Made HTTPS the default for web communication
  • Established certificate authority ecosystem
  • Protected billions of daily internet transactions

Limitations

  • Certificate authority model has trust weaknesses
  • Legacy protocol versions remain vulnerable
  • Implementation complexity leads to errors
  • Man-in-the-middle attacks possible with compromised CAs

Lessons learnt

  • Protocol evolution must deprecate weak algorithms
  • Backward compatibility creates security risks
  • Certificate transparency improves trust model
  • Simplification improves security (TLS 1.3)

Stakeholders and artefacts

Organisations

  • Netscape (vendor): Developed SSL
  • IETF (standards_body): Standardised TLS
  • Let's Encrypt (open_source_community): Free certificate authority (2015)

Individuals

  • Taher Elgamal (Designer, Netscape): Led SSL protocol development
  • Eric Rescorla (Editor, RTFM Inc./Mozilla): Edited TLS 1.3 specification

Artefacts

  • TLS (protocol): Transport Layer Security for encrypted communication
  • X.509 Certificate (specification): Standard format for public key certificates
  • HTTPS (protocol): HTTP over TLS

Key terms

TLS, SSL, HTTPS, certificate, handshake, encryption

Causality

Preceded by: Public Key Cryptography Invented.

Sources

1. Tim Dierks, Christopher Allen. "RFC 2246: The TLS Protocol Version 1.0". IETF, 1999-01. Authoritative. www.rfc-editor.org/rfc/rfc2246
2. Eric Rescorla. "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3". IETF, 2018-08. Authoritative. www.rfc-editor.org/rfc/rfc8446