FROM SSLV2 TO TLS 1.2: THE HISTORY OF THE SSL PROTOCOL
SSL is currently on its fifth revision over its fifteen-year history, and has
undergone one name change and one ownership change in that time period.
This topic focuses mainly on TLS 1.0, which is the version in most widespread
use. This section looks over the history of the protocol at a high level. This
overview is a helpful segue into the details of TLS 1.0 — some elements of TLS
1.0 make the most sense if you understand the problems with its predecessors
that it means to solve.
SSLv2: The First Widespread Attempt at a Secure Browser Protocol
In 1995, most people had never heard of a “web browser.” The Internet itself
had been a reality for quite a while, but it was clear to a handful of visionaries
that the World Wide Web is what would bring networked computing to the
masses. Marc Andreessen had written Mosaic, the first graphical web browser,
while at the University of Illinois. At the time, Mosaic was incredibly popular,
so Andreessen started a company named Netscape which was going to create
the computing platform of the future — the Netscape browser (and its
companion server).
The World Wide Web was to become the central platform for the fledgling
“e-commerce” industry. There was one problem, though — its users didn't
trust it with their sensitive data. In 1995, Kipp Hickman, then an employee of
Netscape Communications, drafted the first public revision of SSLv2, which
was at the time viewed as an extension to HTTP that would allow the user to
establish a secure link on a nonsecure channel using the concepts and
techniques examined in previous chapters.
Although SSLv2 mostly got it right, it overlooked a couple of important
details that rendered it, while not useless, not as secure as it ought to have
been. SSLv2 itself isn't examined in detail here, but if you're curious,
Appendix C includes a complete examination of the SSLv2 protocol.
The cracks in SSLv2 were identified after it was submitted for peer review,
and Netscape withdrew it, following up with SSLv3 in 1996. However, by this
time, in spite of the fact that it was never standardized or ratified by the IETF,
SSLv2 had found its way into several commercial browser and server
implementations. Although its use has been deprecated for a decade, you may still
run across it from time to time. However, it's considered unsafe to
the extent that the Payment Card Industry, which regulates the use of credit
cards on the Internet, no longer permits websites that support SSLv2 to even
accept credit cards.
SSL 3.0, TLS 1.0, and TLS 1.1: Successors to SSLv2
The IETF was much happier with the SSLv3 proposal; however, it made a few
superficial changes before formally accepting it. The most significant superficial
change was that, for whatever reason, they decided to change the name
from the widespread, recognizable household name “SSL” to the somewhat
awkward “TLS.” SSLv3.1 became TLS v1.0. To this day, the version numbers