TLS1.0 introduced modularity via the concept of "extensions". It's everything but a minor evolution of the protocol.

One of the many things it brought is session tickets, enabling server-side session resumption without requiring servers to keep synced-up state. Another is Server Name Indication, enabling servers to use more than one certificate.

> Each of these protocols has been designed so that you could automatically negotiate versions, thus allowing for clients and servers to independently upgrade without loss of connectivity.

And ensuring decades of various downgrade attacks

Well, at least they were not just versioned by year number. ;)

I don't think it was Microsoft that killed Java applets. I mean, for one thing, they always worked in IE, which was really the only avenue through which MS could have affected them.

No, Java applets failed because they became the poster child for "Java is slow" take. Even though it wasn't exactly true in general, it was certainly true of applets, what with waiting for them to download and then waiting for the JVM to spin up.

What killed them was 1) HTML/JS itself getting better at dynamic stuff that previously required something like applets, and 2) Flash taking over the remaining niche for which HTML wasn't good enough.

Applets died because of many reasons, like absurd startup time for the JRE (often just for silly animations), absurd memory requirements (for the time) and associated crashes, weird compatibility issues in the initial releases of the Java platform, a silly security model based on the assumption that only good actors will be able to get a CA certificate in order to do whatever they want in your PC, an immature sandboxing technology in browsers (not only IE), etc.

> M$ (appropriate name for that time)

It’s even more appropriate nowadays, I’d say.

Microsoft hasn't really changed that much besides getting a better PR department.

It is like ages since SSL was obsoleted but people still refer to the name meaning encrypted network traffic.

Would be much easier if everyone just talks about TLS to mean modern encrypted network traffic. Mention SSL if you really use it because you have legacy system running.

The main issue was explaining to the layman that TLSv1.0 was in fact newer and better than SSLv2 and SSLv3. I remember having quite a few discussions about this with people who assumed that the bigger number must be better..

Same. I feel so dumb now. After 15 years in this industry i finally figured out that ssl and tls are the same.

I learned about that around 2010, but before that was also clueless about it. What triggered me was that in Java you still use a SSLSocket to start encrypted connections even when using TLSv1.3 today!

1. SSL. For a long time I didn't even know TLS was the "same thing", but even now that I know it is, I still say SSL 9 times out of 10.

2. 38 - Started working in 2011, but my first forays into network programming was in something like 2004-2005.

Looked over onto my other screen and sure enough the function I'd literally minutes before added an if statement to went

        public Builder sslCertNotBefore(Instant sslCertNotBefore) {
            if (sslCertNotBefore.isAfter(MAX_UNIX_TIMESTAMP)) {
                sslCertNotBefore = MAX_UNIX_TIMESTAMP;
            }
            this.sslCertNotBefore = sslCertNotBefore;
            return this;
        }

I think possibly part of the problem is that we as programmers typically don't deal with TLS directly. The code above is part of a system I wrote that extracts detailed certificate information from HTTPS connections, and man was it ever a hassle to wrestle all the information I was interested in out of the java standard library.

Sure on the one hand it's easier to not mess up if it's all automatic and out of sight, but at the same time, it's not exactly beneficial to the spread of deeper awareness of how TLS actually works when it's always such a black box.

I think most people call it SSL because they use OpenSSL library to deal with secure communication have SSL in their names. Openssl being the most dominant one). Other libraries are BoringSSL, LibreSSL, wolfSSL etc.

Libraries with TLS in their names are less frequently used

GnuTLS, mbedTLS, s2n-tls and RustTLS.

I usually say SSL, because it has a greater chance of being understood than the more correct TLS (nobody uses SSL 3.0 anymore). It's also in the name of many SSL (I mean, TLS) libraries, like the classic OpenSSL.

But yeah, I learned about SSL back in the crypto wars days of the 1990s, back when you had to pirate the so-called "US only" version of Netscape if you wanted decent SSL encryption, so I might be just using the old term out of habit.

I say "https" because sometimes even regular people know what that means.

These days I tend to say "TLS" more and more, but until just a year or two ago it was almost always "SSL". And "SSL" still slips out occasionally.

I'm 51, started working in IT in the mid 90's.

I say HTTPS certificate.

If I need to specifically say SSL or TLS, it's SSL (as in OpenSSL, LibreSSL, BoringSSL, SSL certificates, Qualys SSL Labs, SSL Server Test). TLS is a made up name for SSL.

I do say e.g. "TLSv1.2" if I need to name the specific protocol, that's about it.

I was working before 1999.

Reflex is to say SSL but usually correct myself to TLS. Started in IT in 2006 (was a nerd a few years before that though)

TLS (outside dealing with PG options named like sslmode)

No

1. I say both somewhat 50/50. I say SSL instinctively, and TLS when I think about it and remember we don't say SSL anymore. It's been like that for around 10 years now, before that I'd only say SSL.

2. I started programming professionally in 1998 and I'm in my early 50s.

SSL, 27. I would call it `tls` in code, though (and maybe “SSL/TLS” in docs, for clarity).

1) SSL, even though I know the difference. More accurately, I know there is a difference, but SSL gets the point across.

2) before 1999. IIRC, the first SSL certificate I was involved with getting required the use of a fax machine.

Nobody ever says "TLS Certificate". It's only an "SSL Certificate". On that alone, it's just easier to stick to "SSL" for consistency and everyone knows what you mean.

1. SSL

2. I'm 56 and was active in computer clubs in the late 80s, no network, no hard drive, thousands of floppy's.

SSL - In my 40s, over 20 plus years.

When do I say TLS, when that one annoying guy joins the call that always corrects you. Everyone hates him, and he doesn’t care.

(1) SSL

(2) 37. I've been an Internet user since ~1995 and been working in tech since 2004.

TLS probably. 2004

I think the TLS v1.2 pushed me that way

TLS: Rolls off the tounge easier. Feels nicer in mouth. Easier to slur smoothly. Flows better on keyboard.

It's the ergonomic choice (;

SSL. Working as a sysadmin since 2010. It just feels more right to me, and honestly, it hasn’t been until recently that I’ve noticed more of a concerted effort to rebrand it to TLS — not sure if that’s just my perception or not.

1. SSL

2. I’m old enough to remember 56-bit SSL encryption in browsers

To users: https

To devs: SSL

Did not start working before 1999. Started using Linux in 2003.

SSL, started computer science in 2010

TLS. 1989.

Even today, people and marketing pages promote "SSL" term. Unless you specifically google, "What is the deference between SSL and TLS?" most people would have no idea what TLS is.

I tell my developers to be compliant that they need to use TLS/SSL

1. SSL (probably https in that specific scenario)

2. Graduated and started in 2015.

1. Cloudflare could probably use my choice of the day as another source for their randomness.

2. Started my first IT job on a computer networking team in 2012.

I always say HTTPS because in the context of my area of speciality, the details of how HTTPS works don't matter and neither do secure communication protocols besides HTTPS.

1. SSL 2. Started working in 2000, right on the boundary

I say TLS, and started working in the field in 1994.

SSL 42-started studying security in mid 90s as a teen started working 2000

SSL, started programming in maybe 2012. Possibly because of HTTPS or similarity with SSH.

SSL, born 1997

Almost always ssl. Started professionally in 1999. But! mTLS is always mTLS

1. TLS

2. Started working after 1999

1. SSL

2. Started working before 1999

SSL. Started working around 2000.

SSL, 40s

Nice try, targeted advertiser!

Mid 30s, SSL.

I work in cybersecurity and all the tools in the firewall/cert world still say "SSL decryption" and "SSL certificate". TLS is just a "major version" of SSL in my mind.

1. SSL 2. 57

The problem is that TLS was already in widespread use for "thread local storage".

Transport Layer Security is widely documented as beginning in 1999.

I can find references to "Thread Local Storage" going back to at least 1996. That particular term seems more common in the Microsoft (and maybe IBM, does anyone have an OS/2 programming manual?) world at the time; Pthreads (1995) and Unix in general tended to call it "thread-specific data".

It's possible that the highly influential 2001 Itanium ABI document (which directly led to Drepper's TLS paper) brought the term to (widespread) use in the broader Unix world, though Sun (for both Solaris and Java?) was using the term previously. But it's also possible that I'm just missing the reference material.

I think SSL is a better fit, actually. In theory TLS could be a transport-layer security mechanism that would let arbitrary protocols run on top of it (like IPSec does), but in practice it's pretty much tied up to TCP sockets. The UDP variant (DTLS, and I suppose QUIC) isn't part of the TLS spec for instance. Of course we have kernel TLS on Linux now, and Windows also has infrastructure like that, but it isn't as easy as setting a flag on a socket to turn TLS on.

Plus, who doesn't like to sound like a snake sometimes? Snakes are badass.

The best name is, whatever was first and stuck.

“SSL” is easier to pronounce, because the tongue barely changes position between the three letters, compared to “TLS”.

picture kaa from the jungle book discussing tcp security and arguing for the s-s-l name. In fact maybe adding a 3rd s.

> This was written in 1996. The language used feels already much different from today's publications. God I feel old.

That depends on which publications you're looking at, just as it did in 1996. An article from LWN [1] today, for example, reads in a fairly similar style. Maybe slightly less stuffy, because it's targeted at a slightly more general audience.

[1] https://lwn.net/

The main difference is in the padding. When the POODLE attack was pre-announced as only affecting SSL3 and not TLS1.0, that was enough to predict it was going to be a padding oracle.

I think it’s fair to say they’re very similar, with a few “bug fixes”. It’s been a while since I’ve thought about either though, and might be forgetting a few things. I’ve only ever implemented SSL3 and TLS1.0 together, so there may be some details I’m forgetting.

Indeed there are significant changes and improvements, though it’s not a complete redesign like SSL 3.0 was.

But how many clients are still using it? As far as my understanding goes, no relevant, up to date piece of software/library still supports

There's really not much chance of that, given that the protocol is maintained by the IETF TLS Working Group.

“TLS” is also used in a bunch of places already, too. Updating config file formats and function signatures will be a PITA.

Please don't give anybody any ideas!

IIRC they were using a cipher suite to signal the new version. Cipher suites were basically the only signaling mechanism in SSLv2 (and SSLv3/TLS 1.0 before extensions were introduced).

When TLS 1.3 was finally standardized, there was quite a bit of debate about whether in light of the how different it was from TLS 1.2 we should continue to use the 1.3 version number. ISTR that TLS 2 and TLS 4.0 were both floated--though I don't recall SSL 3.4--but eventually the WG decided to stick with the 1.3 version number we had been using throughout the rest of the process.

[dead]

Forcing the name to be chnaged from SSL to TLS seems pretty petty to me.

Two decades later, and it is still common for people to call TLS SSL.

Microsoft was the bad guy in a movie where you have a war right before aliens invade and you figure out that there's bigger enemies.

FSF hated Microsoft because they released binaries without source code, they were THE enemy, nowadays, you are lucky if you get a binary to study and modify! The standard from any competitive developer is to hide the binary and source behind a server. Try to study and modify that!

Fool me once, shame on you. Fool me twice?

> But Netscape in this instance acted like kids

Oh, please.

https://en.wikipedia.org/wiki/Criticism_of_Microsoft

The "velvet sweatshop" one is sufficient, but plenty of others to choose from. Don't have a source at hand but I remember it was known for its "work 3 years there and then you need to retire early from burnout" culture. There's also a really good (and highly depressing) 2001 German documentary around that "feature" called "Leben nach Microsoft" (Life after Microsoft).

And the classic https://en.wikipedia.org/wiki/Microserfs

There was really less than zero reason to trust M$ in the 90s and early 00s.