SSL (Secure Sockets Layer) is the original cryptographic protocol designed to secure communications over a computer network, most commonly between a web browser and a web server. It was developed by Netscape in the mid-1990s and has long since been replaced by TLS (Transport Layer Security), but the SSL name persists in common usage including phrases such as “SSL certificate” and “SSL/TLS”.
A short version history
SSL 1.0 (1994) was never released publicly because of design flaws. SSL 2.0 (1995) and SSL 3.0 (1996) shipped but both contain weaknesses that make them unsafe to use today. TLS 1.0 (1999) and TLS 1.1 (2006) are also deprecated and disabled by modern browsers and servers. TLS 1.2 (2008) and TLS 1.3 (2018) are the protocols in current use; TLS 1.3 is the default on modern systems and offers improved security and lower handshake latency.
What TLS provides
Confidentiality ensures that traffic between the two parties cannot be read by an eavesdropper.
Integrity guarantees that the data has not been altered in transit.
Authentication proves that the server (and optionally the client) is who it claims to be, through certificates issued by a trusted authority.
Certificates
An SSL/TLS certificate binds a public cryptographic key to a domain name and is signed by a Certificate Authority (CA) the client trusts. When a browser connects, the server presents its certificate; the browser validates the signature chain, the validity dates, the domain match, and any revocation information. Free certificates from Let’s Encrypt and ZeroSSL are now standard, alongside commercial offerings that add organisation validation, extended validation, or wildcard coverage.
Common issues
Penetration tests routinely surface TLS misconfigurations: expired or self-signed certificates, hostname mismatch, weak cipher suites such as RC4 and 3DES still being offered, support for legacy SSLv3 or TLS 1.0/1.1, missing HSTS, certificates signed with deprecated algorithms such as SHA-1, and lack of certificate transparency logging. Tools such as testssl.sh and the SSL Labs server test from Qualys identify these issues quickly.
Best practice in 2026
Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 entirely. Offer TLS 1.2 and TLS 1.3 with modern cipher suites only. Use certificates with at least 2048-bit RSA or 256-bit elliptic curve keys, signed with SHA-256 or stronger. Enable HSTS to enforce HTTPS browser-side, and consider OCSP stapling for revocation checking. Renew certificates well before expiry to avoid outages.
Related terms
See also: man-in-the-middle attack, web application penetration testing, and vulnerability.
Leave a Reply