Posted on 12/6/2024
We’re in the year 2024, and while we (Developers, SysAdmins, Engineers, etc.) are still debating how to pronounce “GIF” correctly, we’re completely ignoring a much more obvious mistake:
In 1995, Netscape developed SSL 1.0 to ensure privacy, authentication, and data integrity on the internet. Over the following years, two more versions were introduced: SSL 2.0 and SSL 3.0.
Fast forward to 1999: the IETF published a new standard—TLS 1.0. This was followed by TLS 1.1 in 2006, TLS 1.2 in 2008, and the current standard, TLS 1.3, released in 2018.
By late 2014, most browsers ended support for SSL 3.0 due to a critical security flaw (the POODLE attack). In 2015, SSL was officially deprecated.
Since then, no major browser has supported SSL, and the same applies to protocols other than HTTPS. Yet, for some baffling reason, people still say "SSL."
Just try a quick search for “SSL” on your favorite search engine. You’ll find countless articles, guides, and even ads selling "SSL Certificates."
Even today, major websites—some of them security-focused—use "SSL" interchangeably with "TLS." Certificate sellers, in particular, perpetuate this confusion.
This has to stop.
SSL is a protocol that has been deprecated for nearly a decade. It’s insecure, outdated, and should never be used.
And one more thing:
There’s no such thing as an “SSL Certificate,” “TLS Certificate,” or even “HTTPS Certificate.”
What you’re really using is an X.509 certificate, which facilitates transport encryption. But X.509 certificates are versatile—they’re also used for email signatures, code signing, and client authentication.
Let’s call things by their proper names and leave "SSL" where it belongs: in the history books.