SSL/TLS - what is that?

Secure Sockets Layer (SSL) was invented by Netscape and later became standardized as TLS.

Why was it an amazing innovation? Prior to Netscape, security wasn’t a consideration for the early academic internet. Protocols like HTTP, FTP and SMTP didn’t have encryption.

SSL was a way to add a layer between the socket code and the protocol code without changing the protocol code, which made it easy for everyone to use this approach with code they already had.

i.e. it gave a way to add security to existing protocols with symmetry. The code didn’t need to change much.
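The layering described above, sketched with Python's standard `ssl` module as an added example (not code from the original page). The function names and the host `example.test` are hypothetical; the point is that `http_head` is identical whether `connect` hands it a plain socket or a TLS-wrapped one.

```python
import socket
import ssl
import threading

def http_head(sock, host):
    """Protocol code: works on any socket-like object, plain or TLS-wrapped."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    sock.sendall(req.encode("ascii"))
    data = b""
    while b"\r\n" not in data:          # only the status line is needed
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace")

def make_tls_context():
    """The inserted layer: verifies the certificate chain and the host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything older
    return ctx

def connect(host, port, use_tls):
    """Socket code: the only place that knows whether TLS is in use."""
    raw = socket.create_connection((host, port), timeout=10)
    if not use_tls:
        return raw
    return make_tls_context().wrap_socket(raw, server_hostname=host)

def demo_plain_loopback():
    """Offline check: run http_head against a constructed local responder."""
    client, server = socket.socketpair()

    def responder():
        buf = b""
        while b"\r\n\r\n" not in buf:
            part = server.recv(4096)
            if not part:
                break
            buf += part
        server.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        server.close()

    worker = threading.Thread(target=responder)
    worker.start()
    try:
        return http_head(client, "example.test")
    finally:
        client.close()
        worker.join()
```

With network access, `http_head(connect(host, 443, True), host)` runs the same protocol code over TLS; the handshake fails with `ssl.SSLCertVerificationError` if the certificate does not validate for `host`.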

Other reasons it took off as pointed out by Vismay:

  • Netscape was an influential company at the time.

  • It solved a huge problem that everyone had at the time with security and the internet.

Under the hood, SSL isn’t that simple. It’s quite complicated to implement from scratch - believe me! I have tried! Many vendors use a common implementation of SSL called OpenSSL.

This is a bit of a security issue for the industry in that:

  • No one really understands all of the depths of OpenSSL.

  • Yet it’s used universally in the industry in all sorts of places.

  • What could possibly go wrong?

Read TLS Handshake for an overview of how TLS secures communication between a client and server.