SSL was first introduced by Netscape back in 1993-1994. The growth of the Internet was rising, and so was the need for transport security. Today SSL/TLS it is used in almost every conceivable online service. Version 1.0 of SSL was never released as it had serious security flaws. The first official release of SSL, version 2.0 was issued a year later, in 1995. The final of version of the SSL protocol, version 3.0, was released in November 1996.
In 2011 SSL V2.0 was deprecated by IETF (Internet Engineering Task Force) and asked users to stop using it, as according to a document they had released, SSL V2.0 had the following deficiencies.
- Message authentication uses MD5 – Most security-aware users have already moved away from any use of MD5.
- Handshake messages are not protected – This permits a man-in-the-middle to trick the client into picking a weaker cipher suite than it would normally choose.
- Message integrity and message encryption use the same key – This is a problem if the client and server negotiate a weak encryption algorithm.
- Sessions can be easily terminated – A man-in-the-middle can easily insert a TCP FIN to close the session, and the peer is unable to determine whether or not it was a legitimate end of the session.
Similarly, SSL V3.0 was deprecated by IEFT in June 2015. Even though TLS 1.0 was introduced in 1999, 16 years later servers/users would still use SSL 3.0. As per the document IEFT had released, any version of TLS is more secure than SSL 3.0 because of the following reasons.
- Key Exchange – The SSL V3.0 key exchange is vulnerable to man-in-the-middle attacks when renegotiation or session resumption [TRIPLE-HS] are used.
- Custom Cryptographic Primitives – SSL V3.0 defines custom constructions for Pseudorandom Function (PRF), Hashed Message Authentication Code (HMAC), and digital signature primitives which lack the deep cryptographic scrutiny that standard constructions used by TLS have received. Furthermore, all SSL V3.0 primitives rely on SHA-1 and MD5, both of which are considered weak.
- Limited Capabilities – SSL V3.0 is unable to take advantage of the many features that have been added to recent TLS versions such as
- Authenticated Encryption with Additional Data (AEAD) modes
- Elliptic Curve Diffie-Hellman (ECDH) and Digital Signature Algorithm (ECDSA)
- Stateless session tickets
- A datagram mode of operation, DTLS
- Application-layer protocol negotiation
TLS 1.0 was first introduced in 1999 as an upgrade to SSL V3.0 with not many changes.
- The implicit Initialization Vector (IV) is replaced with an explicit IV to protect against CBC attacks.
- The bad_record_mac alert rather replaced the decryption_failed alert to protect against CBC attacks.
- IANA registries are defined for protocol parameters.
- Premature closes no longer cause a session to be non-resumable.
- Additional informational notes were added for various new attacks on TLS.
TLS 1.2 was released in August 2008. As of the time of this writing, TLS 1.3 is on the horizon. Some major differences from 1.1 are the following.
- The MD5/SHA-1 combination in the pseudorandom function (PRF) has been replaced with cipher-suite-specified PRFs.
- The MD5/SHA-1 combination in the digitally-signed element has been replaced with a single hash. Signed elements now include a field that explicitly specifies the hash algorithm used.
- Substantial cleanup to the client’s and server’s ability to specify which hash and signature algorithms they will accept.
- Addition of support for authenticated encryption with additional data modes.
- TLS Extensions definition and AES Cipher Suites were merged in from external [TLSEXT] and [TLSAES].
- Tighter checking of EncryptedPreMasterSecret version numbers.
- Alerts must now be sent in many cases.
- TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement cipher suite.
- Added HMAC-SHA256 cipher suites.
- Removed IDEA and DES cipher suites.
- Support for the SSLv2 backward-compatible hello optional.
History of TLS/SSL