SSL TLS evolution timeline

This page gives a high-level timeline of the evolution of TLS, in chronological order.

TLS timeline

The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. Major websites use TLS to secure all communications between their servers and web browsers.

TLS ensures

  • authentication, by verifying the certificates;
  • confidentiality, by encrypting the data with a secret key;
  • integrity, by digesting the data;
  • but not nonrepudiation. In TLS, the Message Authentication Code (MAC) value of the data transmitted is calculated with a shared secret key, known to both the client and the server, so either party could have produced any given MAC. Shared keys can’t be used to achieve nonrepudiation.
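The nonrepudiation point above, worked through as an added example (not code from the original page). HMAC-SHA256 stands in for the TLS record MAC, and the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, message: bytes) -> bytes:
    """Tag a message with the shared key (HMAC-SHA256 as a stand-in for the record MAC)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag matches the message under the shared key."""
    return hmac.compare_digest(mac(key, message), tag)


def dispute_demo() -> dict:
    # Constructed scenario: one symmetric key, held by BOTH endpoints.
    shared_key = secrets.token_bytes(32)

    # Client sends a message with its MAC.
    client_msg = b"order: 10 units"
    client_tag = mac(shared_key, client_msg)

    # Integrity works: the server accepts the real message and
    # rejects a modified one carrying the old tag.
    accepted = verify(shared_key, client_msg, client_tag)
    tamper_rejected = not verify(shared_key, b"order: 99 units", client_tag)

    # The server holds the same key, so it can compute a tag for a
    # message the client never sent.
    server_msg = b"order: 99 units"
    server_tag = mac(shared_key, server_msg)

    # An arbiter given the key sees two equally valid (message, tag) pairs
    # and nothing that ties either one to a specific endpoint.
    arbiter_accepts_client_pair = verify(shared_key, client_msg, client_tag)
    arbiter_accepts_server_pair = verify(shared_key, server_msg, server_tag)

    return {
        "accepted": accepted,
        "tamper_rejected": tamper_rejected,
        "arbiter_accepts_client_pair": arbiter_accepts_client_pair,
        "arbiter_accepts_server_pair": arbiter_accepts_server_pair,
        # The same tag comes out no matter which endpoint computes it.
        "tag_identical_on_both_sides": mac(shared_key, client_msg) == client_tag,
    }


if __name__ == "__main__":
    for name, value in dispute_demo().items():
        print(f"{name}: {value}")
```

The MAC proves the data came from a holder of the key and was not altered in transit. It cannot prove which holder produced it, which is what nonrepudiation would require.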

SSL TLS timeline


SSL 1.0 (1994)

  • Netscape Communications introduced SSL in 1994 to build a secured channel between the Netscape browser and the web server it connects to. This was an important need at that time, just prior to the dot-com bubble. The SSL 1.0 specification was never released to the public, because it was heavily criticized for the weak crypto algorithms that were used.

SSL 2.0 (1994)

  • Netscape – SSL 2.0 (released to public) – Nov 1994
  • In November 1994, Netscape released the SSL 2.0 specification with many improvements [1]. Most of its design was done by Kipp Hickman, with much less participation from the public community. Even though it had its own vulnerabilities, it earned the trust and respect of the public as a strong protocol. The very first deployment of SSL 2.0 was in Netscape Navigator 1.1.

Private Communication Technology - PCT (1995)

  • Researchers found a vulnerability in the random-number-generation logic in SSL 2.0.
  • Microsoft responded to its weaknesses by developing its own variant of SSL in 1995, called Private Communication Technology (PCT) [3]. PCT fixed many security vulnerabilities uncovered in SSL 2.0 and simplified the SSL handshake, requiring fewer round trips to establish a connection.

SSL 3.0 (1998)

  • SSL 3.0 introduced a new specification language as well as a new record type and new data encoding, which made it incompatible with SSL 2.0. It fixed issues in its predecessor that were introduced by its use of MD5 hashing. The new version used a combination of the MD5 and SHA-1 algorithms to build a hybrid hash. SSL 3.0 was the most stable of all.

TLS (1999)

  • In 1996, Microsoft came up with a new proposal to merge SSL 3.0 and its own SSL variant PCT 2.0 to build a new standard called Secure Transport Layer Protocol (STLP). SSL 3.0 + PCT 2.0 -> Secure Transport layer security
  • In 1996, the IETF initiated the TLS working group to standardize all vendor-specific implementations.
  • The IETF released TLS in 1999.
  • The differences between TLS 1.0 and SSL 3.0 aren’t dramatic, but they’re significant enough that TLS 1.0 and SSL 3.0 don’t interoperate.

TLS 1.1 (2005)

  • In April 2006, RFC 4346 introduced TLS 1.1, which made few major changes to 1.0.

TLS 1.2 (2008)

  • RFC 5246 introduced TLS 1.2.

TLS 1.3 (2016)

  • As of July 2016, TLS 1.3 is a working draft, and details are provisional and incomplete.

References


[1] Advanced API security
[2] http://tools.ietf.org/html/draft-benaloh-pct-00
[3] http://www.homeport.org/~adam/ssl.html
[4] http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html
[5] https://en.wikipedia.org/wiki/Transport_Layer_Security

Version History


Date Description
2015-07-01    Initial Version