SSL and TLS are not two competing protocols. SSL is dead — deprecated since 2015, broken since the early 2000s. TLS is its successor. When someone says “SSL certificate,” they mean a TLS certificate. When a vendor sells “SSL inspection,” they mean TLS inspection. The name stuck; the technology moved on.
Here’s the actual history, what changed, and why it matters for your infrastructure today.
The Timeline
| Year | Protocol | Status |
|---|---|---|
| 1995 | SSL 2.0 | Released by Netscape. Broken — multiple critical vulnerabilities. |
| 1996 | SSL 3.0 | Fixed some issues. Broken — POODLE attack (2014). |
| 1999 | TLS 1.0 | Renamed from “SSL 3.1” for political reasons (not Netscape-owned). Deprecated 2020. |
| 2006 | TLS 1.1 | Minor improvements. Deprecated 2020. |
| 2008 | TLS 1.2 | Major upgrade. Still widely used. Current minimum standard. |
| 2018 | TLS 1.3 | Complete redesign. Faster, simpler, more secure. Recommended. |
The key fact: SSL hasn’t been used on the internet since ~2015. Every “SSL certificate” you buy is actually a TLS certificate. The protocol negotiated is TLS 1.2 or 1.3 — never SSL.
Why SSL Died
SSL 2.0 (1995) — Broken from Birth
- Weak MAC construction (message authentication)
- Cipher suite downgrade attacks
- No protection against truncation attacks
- Disabled by all browsers since 2011
SSL 3.0 (1996) — POODLE Killed It
The POODLE attack (2014) exploited SSL 3.0’s CBC padding to decrypt data byte-by-byte. After POODLE:
- RFC 7568 (2015): “SSLv3 MUST NOT be used”
- All major browsers disabled SSL 3.0
- PCI DSS prohibited SSL 3.0
# Test if a server still supports SSL 3.0 (it shouldn't)
openssl s_client -connect example.com:443 -ssl3
# Expected: "handshake failure" (good — SSL 3.0 is disabled)What TLS Changed
TLS 1.0 (1999) — SSL 3.1 in Disguise
TLS 1.0 was essentially SSL 3.1 — renamed because the IETF (not Netscape) took over standardization. Changes were minimal:
- Slightly different MAC calculation
- Different alert codes
- PRF (Pseudo-Random Function) changes
Still vulnerable to BEAST attack (2011). Deprecated by all major browsers in 2020.
TLS 1.2 (2008) — The Current Standard
Major improvements:
- SHA-256 replaced MD5/SHA-1 for PRF and signatures
- AEAD cipher suites (AES-GCM) — authenticated encryption
- Configurable hash algorithms in signatures
- Removed hardcoded MD5/SHA-1 dependencies
TLS 1.2 with proper configuration (ECDHE + AES-GCM, no CBC) is secure and widely deployed.
TLS 1.3 (2018) — The Modern Standard
Complete redesign:
- 1-RTT handshake (down from 2-RTT)
- Removed all insecure options (RSA key exchange, CBC, RC4, 3DES, SHA-1)
- Encrypted server certificate (privacy improvement)
- Only 5 cipher suites (all secure — can’t misconfigure)
- Mandatory forward secrecy
”SSL Certificate” vs “TLS Certificate”
There is no difference. They’re the same thing — an X.509 certificate. The certificate doesn’t know or care which protocol version is used. It works with TLS 1.2, TLS 1.3, or (theoretically) SSL 3.0.
The name “SSL certificate” persists because:
- Certificate Authorities marketed them as “SSL certificates” for 20 years
- The term is embedded in product names, documentation, and culture
- “TLS certificate” is technically correct but less commonly used in marketing
What to call it: Use “TLS certificate” in technical documentation. Accept “SSL certificate” in conversation. They mean the same thing.
What You Should Use Today
# Correct Nginx configuration (2026)
ssl_protocols TLSv1.2 TLSv1.3;
# Do NOT include: SSLv2, SSLv3, TLSv1, TLSv1.1
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305';
# Do NOT include: RC4, 3DES, CBC ciphers, RSA key exchangeMinimum: TLS 1.2 with ECDHE + AEAD ciphers Recommended: TLS 1.3 (with TLS 1.2 fallback for legacy clients) Prohibited: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
How to Check What Your Server Supports
# Quick check with OpenSSL
openssl s_client -connect yoursite.com:443 -tls1_3 # Test TLS 1.3
openssl s_client -connect yoursite.com:443 -tls1_2 # Test TLS 1.2
openssl s_client -connect yoursite.com:443 -tls1_1 # Should FAIL
openssl s_client -connect yoursite.com:443 -ssl3 # Should FAIL
# Comprehensive scan
nmap --script ssl-enum-ciphers -p 443 yoursite.comCompliance Requirements
| Framework | Requirement |
|---|---|
| PCI DSS 4.0 | TLS 1.2 minimum. SSL and TLS 1.0/1.1 prohibited. |
| HIPAA | ”Strong encryption” — TLS 1.2+ satisfies this. |
| NIST SP 800-52 Rev 2 | TLS 1.2 minimum, TLS 1.3 recommended. |
| FedRAMP | TLS 1.2 minimum for all federal systems. |
| CA/Browser Forum | Certificates work with any TLS version (protocol is server config). |
FAQ
Q: Do I need to buy a new certificate to use TLS 1.3? A: No. Your existing certificate works with any TLS version. The protocol version is a server configuration choice, not a certificate property.
Q: Is TLS 1.2 still secure? A: Yes — with proper cipher suite configuration (ECDHE + AES-GCM, no CBC). TLS 1.3 is better (faster, simpler, fewer misconfiguration risks), but TLS 1.2 is not a vulnerability.
Q: Why do people still say “SSL”? A: Habit and marketing. The term has been used for 30 years. It’s technically wrong but universally understood. Don’t correct people in conversation — just ensure your infrastructure actually uses TLS.
Q: Can an attacker downgrade my connection from TLS 1.3 to SSL 3.0? A: No. TLS 1.3 has built-in downgrade protection (the server includes a sentinel value in the random field that TLS 1.3 clients detect). And if you’ve disabled SSL 3.0 on your server (which you should have), there’s nothing to downgrade to.
Q: What about “SSL termination” and “SSL offloading”? A: Same thing as “TLS termination” — the terms are used interchangeably. The actual protocol is TLS, regardless of what the load balancer vendor calls it.