FairSSL - We make SSL EASY

Do we use SSL or TLS today?

30 April 2018

What are SSL and TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to encrypt online communications. They define how a client and a server should communicate securely and find the best way to protect the data exchange.

The story behind SSL

  • SSL 1.0 was never released as it contained serious vulnerabilities.
  • SSL 2.0 was released in 1995, but was quickly deemed unsafe and is completely blocked today.
  • SSL 3.0 was a complete rewrite and appeared in 1996. It was used until 2014, when the POODLE vulnerability was discovered.

Since 2015, the recommendation has been to avoid SSL 2.0 and SSL 3.0 altogether and instead use TLS -- which in practice can be considered a kind of “SSL 4.0”.

The evolution of TLS

TLS is a further development of SSL and continuously introduces improvements to address new and potential vulnerabilities. The protocol is backward compatible, but deliberately blocks SSL 2.0 and 3.0.

  • TLS 1.0 — released in 1999
  • TLS 1.1 — released in 2006
  • TLS 1.2 — released in 2008
  • TLS 1.3 — released in 2018

Are older TLS versions unsafe?

Not necessarily. A server that supports only TLS 1.0, for example, can still be secure if properly configured, for instance by disabling weak encryption algorithms.
But it is not possible to assess the safety based solely on the TLS version, as one can with SSL 2.0/3.0.

Recommendations from the industry

Banks, credit card providers and other security-conscious organizations clearly recommend using TLS 1.2 or higher.
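The point made under "Are older TLS versions unsafe?" and the TLS 1.2 recommendation can be checked together. The following is an added example, not code from FairSSL: it judges a configuration by both its protocol floor and its enabled cipher suites. The deny-list of weak tokens, the verdict names and the cipher string in the hardened context are assumptions of this example.

```python
import re
import ssl

# Illustrative deny-list (an assumption of this example, not from the article):
# name tokens of algorithms widely treated as weak or broken.
WEAK_TOKENS = {"RC4", "DES", "3DES", "CBC3", "NULL", "MD5",
               "EXP", "EXPORT", "ADH", "AECDH", "anon"}
RECOMMENDED_FLOOR = ssl.TLSVersion.TLSv1_2  # the article's "TLS 1.2 or higher"


def weak_ciphers(cipher_names):
    """Return the suite names that contain a deny-listed token."""
    return [name for name in cipher_names
            if WEAK_TOKENS & set(re.split(r"[-_]", name))]


def audit(min_version, cipher_names):
    """Return (verdict, weak suites) for a protocol floor plus cipher list."""
    weak = weak_ciphers(cipher_names)
    if min_version <= ssl.TLSVersion.SSLv3:
        # SSL 2.0/3.0 (or an unset floor): the version alone decides.
        return "unsafe", weak
    if weak:
        # Any TLS version is undermined by weak suites left enabled.
        return "unsafe", weak
    if min_version < RECOMMENDED_FLOOR:
        # TLS 1.0/1.1 with only strong suites: not broken, but below advice.
        return "below-recommendation", weak
    return "ok", weak


def audit_context(ctx):
    """Audit a live ssl.SSLContext using what OpenSSL reports as enabled."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def hardened_client_context():
    """Example hardened context: TLS 1.2+ with ECDHE and AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    print(audit(ssl.TLSVersion.TLSv1, ["ECDHE-RSA-AES128-GCM-SHA256"]))
    print(audit(ssl.TLSVersion.TLSv1_2, ["RC4-SHA", "AES256-GCM-SHA384"]))
    print(audit_context(hardened_client_context()))
```

The cipher names passed to audit() in the demo lines are constructed sample input; the second one shows a TLS 1.2 floor still being rated unsafe because a weak suite is left enabled.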
