Understanding the Different Versions of SSL and TLS
SSL (Secure Sockets Layer) and Transport Layer Security (TLS) are cryptographic protocols for establishing an encrypted link between two points in a computer network. The two points could be servers or it could be web servers and clients. The encrypted link ensures that all communication between the two points remains private and confidential. SSL and TLS are commonly referred to as SSL/TLS or SSL. Data transmitted in unencrypted form can be intercepted, modified or stolen. SSL/TLS serve the important purpose of ensuring data security and integrity of communication. Different SSL/TLS versions have been defined over the years, and each version features better security measures than the earlier versions. The original SSL protocols were developed by Netscape. Though SSL version 1.0 was developed it was not released publicly. SSL version 2.0 was released in 1995, while SSL version 3.0 was released in 1996. In 1999 TLS 1.0 was released, followed by TLS 1.1 in 2006, and TLS 1.2 in 2008. Post SSL version 3.0, the newer SSL/TLS versions have been named as TLS 1.x, as it was considered to be more appropriate. The Internet Engineering Task Force (IETF), an open standards organization that develop and promotes voluntary Internet standards, had defined the TLS protocol in 1999 and has since then updated them. This protocol is based on earlier SSL versions. Along with the newer versions, some older versions are also being used in applications such as instant messaging, e-mail and web browsing. The specifications of TLS version 1.3 are yet to be finalized, however, they are already being accepted and adopted by many website security vendors and browsers due to the additional security capabilities and fixes for vulnerabilities. Firefox is supporting TLS 1.3 from its March 2017 releases. TLS 1.3 is considered to be faster, forward secure and with better encryption capacity. Differences between protocol versions: SSL 3.0 SSL 3.0 featured major improvements over SSL 2.0, which was declared insecure due to numerous vulnerabilities and malware attacks. The transport of data was separated from the message layer. The key exchange protocol allowed non-RSA certificates and Diffie-Hellman and Fortezza key exchanges. 128-bit keys were used. It was backward compatible with SSL 2.0, and it had the facility for sending chains of certificates by the server and the client. TLS 1.0 TLS 1.0 was an upgrade from SSL 3.0. They are not interoperable. The MACs and Key derivation functions are different. TLS 1.1 In TLS 1.1, Cipher block chaining (CBC) attacks are prevented with explicit IV, while TLS 1.0 used the Implicit Initialization Vector (IV). Explicit IV offered better protection. Sessions could be resumed
even after premature closure. TLS 1.2 Some of the enhancements in TLS 1.2 were: Cipher-suite-specified pseudorandom functions (PRF) were used instead of MD5/SHA-1 combination. Acceptance of hash and signature algorithms by server and client were reworked. A single hash now replaced the MD5/SHA-1 combination. This version had improved flexibility. AES Cipher Suites and TLS Extensions definition were also added. TLS 1.3 TLS 1.3 has not been officially released, however, it has already been adopted by browsers and web security organizations. Some of the major differences of TLS 1.3 from TLS 1.2 include: SSL or RC4 negotiation has been prohibited for backward compatibility. Session hash has been integrated. MD5 and SHA-224 cryptographic hash functions are no longer supported. Weak named elliptic curves are also not supported. Mandatory requirement of digital signatures even for earlier configurations has been specified. Support enabled for 1-RTT handshakes. Support dropped for unsecure or obsolete ciphers and features. New key exchange protocols, digital signature algorithms and stream ciphers with MACs have been added. To know more details about SSL Certificate Visit:- https://www.instantssl.com/ssl-certificate.html