SSL (Secure Sockets Layer)

SSL is a cryptographic protocol originally designed to secure communications over a network by encrypting data between a client and a server.

What is SSL?

Secure Sockets Layer (SSL) is an early encryption protocol developed to protect data exchanged between applications over a network, most notably between web browsers and servers. SSL ensures that transmitted data remains confidential and tamper-resistant. Although the term SSL is still widely used, the protocol itself has been deprecated and replaced by TLS.

Why SSL matters (historically)

SSL was foundational because it:

  • Introduced encrypted communication on the web
  • Enabled secure online transactions
  • Prevented eavesdropping and basic man-in-the-middle attacks
  • Established trust using digital certificates

Modern internet security evolved directly from SSL.

SSL vs TLS

While often used interchangeably, they are not the same:

  • SSL: legacy protocol (SSL 2.0 / 3.0 – insecure)
  • TLS (Transport Layer Security): modern, secure successor

Today, when people say "SSL," they almost always mean TLS.

How SSL/TLS works (simplified)

A secure connection involves:

  1. The client requests a secure connection
  2. The server presents a digital certificate
  3. The certificate is validated via PKI
  4. Encryption keys are negotiated
  5. Encrypted communication begins

This process enables HTTPS, secure email, VPNs, and APIs.

SSL certificates

An "SSL certificate" is technically a TLS certificate:

  • Binds a domain name to a public key
  • Issued by a trusted Certificate Authority (CA)
  • Used to authenticate servers and enable encryption

Certificates may support domain, organization, or extended validation.

Security risks of SSL

Legacy SSL versions are insecure because they:

  • Use weak cryptographic algorithms
  • Are vulnerable to known attacks (e.g., POODLE)
  • Lack modern protections

For this reason, SSL is disabled by default on modern systems.

Best practices

Modern security standards require:

  • Disabling all SSL protocols
  • Using TLS 1.2 or TLS 1.3 only
  • Strong cipher suites
  • Proper certificate management and renewal
  • Continuous monitoring for certificate issues
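The certificate-validation step of the handshake described above and the protocol and cipher rules in this list are what a client-side TLS configuration has to enforce. As an added example that is not part of this glossary entry, the Python below uses the standard-library `ssl` module to build a hardened context (TLS 1.2 or newer, forward-secret AEAD ciphers, certificate and hostname verification on), builds a deliberately weak one beside it, and audits both against that baseline. The `audit_context` function and its weak-cipher name markers are this example's own assumptions about what "strong" means, not a published standard.

```python
import ssl
from typing import List

# Substrings that mark cipher suites no modern deployment should offer
# (assumption of this example: a short denylist, not an exhaustive policy).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ only, restricted ciphers, full certificate and hostname checks."""
    ctx = ssl.create_default_context()            # system trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True                     # the certificate must match the host dialled
    ctx.verify_mode = ssl.CERT_REQUIRED           # the PKI validation step of the handshake
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are fixed by
    # the protocol and are not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately weak context, constructed only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE               # accepts any certificate: no authentication
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no protocol floor at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings against the baseline; an empty list means the context passes."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    if not (ctx.options & ssl.OP_NO_SSLv3):
        findings.append("SSLv3 not explicitly disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    weak = sorted(
        {c["name"] for c in ctx.get_ciphers()
         if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)}
    )
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(f"{label}: {audit_context(ctx) or ['ok']}")
```

The same `audit_context` check can be run over any `SSLContext` an application builds, which makes it a cheap unit test for the "disable all SSL protocols, TLS 1.2 or 1.3 only" rule above: a regression that re-enables old protocol versions or turns verification off shows up as a non-empty finding list.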

Common misconceptions

  • "SSL and TLS are the same"
  • "SSL is still secure if configured properly"
  • "SSL certificates encrypt data by themselves"
  • "HTTPS means a website is trustworthy"