SSL and TLS Versions: Celebrating 30 Years of History

March 2025 marks the 30th anniversary of the secure sockets layer (SSL) protocol’s version 2.0 debut. Celebrate with us as we explore the history of the various SSL and TLS protocol versions over the last three decades.

When Netscape Communications unveiled its groundbreaking Netscape Navigator browser in November 1994, few knew of the innovations that were taking place behind the company’s closed doors.  

It was here that the first iteration of the secure sockets layer (SSL) protocol was born (i.e., SSL 1.0). Although this version was never publicly released, the second version of the SSL protocol (SSL 2.0) made its public debut in Netscape Navigator 1.1 early the following year. It was this version of the SSL protocol that laid the groundwork for establishing the foundation of digital trust that we often take for granted today.

As we celebrate SSL 2.0’s 30th anniversary, it’s the perfect opportunity to look back to explore how this pioneering technology has evolved over time — from the vulnerable SSL 2.0 to the robust security of the latest TLS protocol versions (TLS 1.2 and 1.3) that protect our digital lives today.   

Let’s hash it out.

A Timeline of the Different SSL & TLS Protocol Versions

You can’t do anything meaningful online — at least not securely — without the help of transport layer security (TLS). But it hasn’t always been the case — there have been earlier SSL versions of security protocols that have come and gone, having paved the path for the modern versions of the TLS protocol that followed.

Explore our interactive timeline to learn more about the different versions of the SSL and TLS protocols and how each has contributed to improving internet security over the last 30 years.  

A History of the SSL & TLS Protocol Versions

March 1995

SSL 2.0 launched with Netscape Navigator v1.1, the world’s first publicly available internet browser, in early ’95. It provided enhanced cryptographic encryption & authentication over Netscape’s SSL 1.0 internal release in November ’94. The SSL Protocol was submitted as a draft to the IETF in April ’95.

November 1995

SSL 3.0 rolled out to mitigate several of the security issues that were prevalent in SSL 2.0. In addition to bringing even stronger algorithms, this protocol version also introduced additional cipher suites.

January 1999

TLS 1.0 — The first version of the transport layer security protocol (TLS version 1.0) to debut was built upon its SSL 3.0 predecessor but aimed to resolve many of its issues. Despite SSL 3.0 being its foundational design, the two protocols aren’t interoperable.

April 2006

TLS 1.1 — This updated version of the TLS protocol was standardized in April 2006 as IETF RFC 4346. Its purpose was to make minor updates to TLS 1.0 to help address some of the security vulnerabilities that were present in the earlier protocol.

August 2008

TLS 1.2 — The release of the TLS 1.2 standard quickly followed in August 2008 and was published as RFC 5246. Even today (in 2025), it remains the most popular TLS version in use online.

March 2011

IETF RFC 6176 was released as a bid for the deprecation of SSL 2.0. However, the proposal’s goal was not truly successful, as more than half of HTTPS servers at the time still supported the outdated SSL version of the protocol.

June 2015

SSL 3.0 — This version of the protocol was formally deprecated by IETF RFC 7568 in the summer of 2015.

August 2018

TLS 1.3 officially launched in August 2018 as RFC 8446 after five years of standards work. While the use of TLS 1.3 is recommended, the adoption of this protocol still isn’t mandatory (even in 2025), despite several critical vulnerabilities coming to light in the years in between.

March 2021

TLS 1.0 and 1.1 — Both versions of this protocol were formally deprecated via IETF RFC 8996, although different products and services have been implementing the deprecation on their own schedules.

TL;DR: An Overview of the SSL and TLS Version Standards

Don’t have time for a full article? No worries — here are the highlights of the history and versions of both the SSL and TLS protocols in the following table. Alternatively, keep scrolling to read more about all of them:

| | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
|---|---|---|---|---|---|---|
| Official Standard | The SSL Protocol (an expired draft standard) | RFC 6101 (NOTE: The “closest to original” doc is an expired draft) | RFC 2246 | RFC 4346 | RFC 5246 | RFC 8446 |
| Release Date | Feb-March 1995 | November 1995 | January 1999 | April 2006 | August 2008 | August 2018 |
| Examples of Vulnerabilities | Insecure handshakes, insecure authentication algorithm, shared keys, restricted encryption key sizes (related to U.S. export laws), and vulnerable to MitM attacks | Insecure ciphers (e.g., CBC-mode ciphers), small key sizes, weak signature primitives, MitM-vulnerable key exchanges, and vulnerabilities to threats such as POODLE | Outdated cipher suites, weak cryptographic algorithms, key exchange mechanism vulnerabilities, and vulnerabilities to known threats (e.g., POODLE) | Outdated cipher suites, weak hash functions, protocol downgrade support, insecure renegotiation, and static key exchanges | Lack of perfect forward secrecy (PFS), protocol downgrade support to serve legacy systems, and continued limited use of SHA-1 | TBD |
| Still Supported by Modern Servers? | No | No | No | No | Yes | Yes |
| Deprecation Date/End of Life Date | March 2011 | June 2015 | March 2021 | March 2021 | Technically obsoleted by TLS 1.3 (but not deprecated) in 2018, although it’s still supported by all major providers | N/A |
| Deprecated By Which Standard | RFC 6176 | RFC 7568 | RFC 8996 | RFC 8996 | N/A | N/A |

The Precise Release Date of SSL 2.0 Is Tricky to Narrow Down

I’ve seen release dates ranging from February 1995 to March 1995. As it turns out, Netscape released SSL v2 in its Netscape Navigator 1.1 and followed it up by submitting the official specification to the IETF in April 1995.

It’s for this reason we’ve decided to go with the March 1995 crowd.

SSL Version History Did (and Didn’t) Start with SSL 1.0

Technically, Netscape introduced SSL version 1.0 in late 1994. However, it was riddled with security issues and was never released publicly. (It was only used within Netscape Communication’s internal environment.)

As such, SSL version 2.0 is often looked upon as the true history maker rather than its deeply “troubled” predecessor. This is why we’ll jump right in with SSL version 2.0 instead and walk you through the last three decades until we conclude with the latest TLS version.

SSL Version 2.0

This version of the SSL protocol is what set the stage for the succeeding SSL/TLS protocols that have been used to secure public websites for the last three decades. SSL protocol version 2.0 was a groundbreaking concept when it was released as part of Netscape Navigator version 1.1. It established a process known as the SSL handshake, which both parties could use to establish a secure, encrypted connection.

A handshake allows one or both parties to authenticate using X.509 digital certificates (e.g., an SSL/TLS certificate for server authentication) and use an asymmetric cryptographic key pair to securely exchange session keys. (An SSL certificate, essentially, is your website’s digital identity equivalent of a driver’s license or state ID.)

Throughout history, encrypted communications required two parties to exchange a key that could be used to encrypt and decrypt information. This means that they had to meet face to face so they could verify that the person receiving the key was, in fact, the intended person. (Not exactly conducive to remote or instantaneous global communications, am I right?)

SSL 2.0 aimed to change all of that by providing a means to exchange keys remotely to enable remote encrypted communications.

Image caption: Verisign, established in 1995, was the world’s first public certification authority (CA) to issue SSL/TLS certificates. For fun, enjoy this “throwback” from the company’s website in June 1997. (This screenshot was captured via the Wayback Machine from the domain Verisign.com on June 26, 1997.)  

However, SSL 2.0 was plagued by numerous security issues — some of which, though not all, were intentionally induced (e.g., the U.S. government’s regulations relating to the export of cryptographic software and devices). Which brings us to SSL v3…

SSL Version 3.0

Mozilla reports that support for SSL 3.0 rolled out in November 1995 to fill in some of the security gaps that were present in its predecessor (although the final version of the standard draft wasn’t published until November 1996). Here are a few examples of the ways it did this:

  • Introduced authenticated Diffie-Hellman key exchanges as an alternative to RSA key exchanges
  • Introduced the “chain of trust” certificate hierarchy
  • Enhanced keygen security by implementing better PRFs
  • Introduced three Fortezza cipher suites to the baseline list
  • Enabled special PKCS #1 block formatting to allow servers to reject SSL v2 sessions from establishing with SSL 3.0-capable clients

Despite its improvements, SSL v3 wasn’t perfect, either. It was ultimately phased out starting in 2014 due to a series of serious security issues — namely, POODLE. This type of protocol downgrade attack, which exploits padding-related vulnerabilities on servers supporting SSL 3.0 with cipher block chaining (CBC) mode ciphers, enabled attackers to recover plaintext data.

The design of this core protocol version carries through even in the latest versions of TLS. However, the responsibility of heading up future standards shifted from Netscape to the Internet Engineering Task Force’s (IETF’s) new TLS Working Group, which was created in 1996.

TLS Version 1.0

Foundationally based on SSL 3.0, TLS 1.0 was created with the goal of addressing some of its predecessor’s vulnerabilities. Unlike the previous SSL standards, this one was headed up by the IETF.

Although it was designed to replace the SSL protocol and not interoperate with it, TLS allowed protocol rollbacks (downgrades) to the less secure SSL protocols to support older systems. (This is also why some versions of the TLS protocol were still vulnerable to the aforementioned POODLE attacks.)

This newer version of the protocol:

  • Marked the shift from Netscape’s proprietary protocol development process to an IETF “request for comments” (RFC) standard development process
  • Added support for expanded cryptographic cipher suites
  • Enhanced certificate validation requirements
  • Eliminated the SSL protocol’s “NoCertificate” client response option in favor of other alert values
  • Combined MD5 and SHA-1 hash functions for enhanced pseudorandom functions (PRFs)
  • Moved to use of HMAC calculations with MD5/SHA-1 in lieu of MAC construction in RSA signing

Ultimately, TLS 1.0 wasn’t officially deprecated until many years later (March 2021), and the protocol version is still being phased out by major browsers and operating systems.

TLS Version 1.1

TLS version 1.1, which rode the coattails of version 1.0, provided “small security improvements, clarifications, and editorial improvements” to:

  • Provide info to mitigate TLS-focused attacks
  • Define IANA registries (TLS Cipher Suite, TLS Alert, TLS HandshakeType, etc.) for specific protocol parameters
  • Swap out implicit (predictable) initialization vectors (IV) for explicit ones to mitigate CBC attacks (CBCATTs)
  • Reduce the Klima version-check oracle attacks

NOTE: In 1999 (after TLS 1.0 was implemented), the U.S. finally loosened its restrictions relating to the export of cryptographic software and devices that were previously in place. This means that the restrictions that were in place when SSL 2.0, SSL 3.0, and TLS 1.0 were implemented were no longer in effect for TLS 1.2 and 1.3, allowing the use of bigger encryption key sizes.

Where Does TLS 1.1 Stand Today?

While it’s true that this TLS protocol version is deprecated across the modern major browsers (Chrome, Firefox, Safari, and Edge), older versions of these clients may still provide partial support. They’ll display warning messages and icons to users who try to connect using the insecure protocol.

TLS Version 1.2

The TLS 1.2 specification made several notable changes, which included the following:

  • Eliminated some of the outdated cryptographic functions and elements
  • Made cipher suite improvements based on the cryptographic security knowledge of the time (e.g., mandated use of the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite and elimination of the MD5/SHA-1 PRFs in favor of cipher suite specified PRFs)
  • Added data mode support for authenticated encryption (i.e., authenticated encryption with associated data, or “AEAD” for short)
  • Specified that clients without certificates must provide an empty certificate list
  • Optimized the cryptographic hash and signature specification process

Where Does TLS 1.2 Stand Today?

TLS 1.2 is still the most widely supported version of the protocol you’ll find supported by servers and clients online. (Data from Qualys SSL Labs’ SSL Pulse tool showed that 99.9% of the 150,000 SSL/TLS-enabled sites surveyed supported TLS 1.2 protocol as of May 2024.) However, despite all of the changes listed above, it still wasn’t enough to make TLS 1.2 impervious to the ever-growing list of threats.

  • Weak algorithms left the protocol vulnerable to downgrade attacks
  • Its lack of mandated perfect forward secrecy left encrypted data vulnerable in the event of a future key compromise
  • The protocol version’s reliance primarily on RSA and Diffie-Hellman key exchanges left it vulnerable to the factoring- and discrete logarithm-related issues identified by Shor’s Algorithm

More still needed to be done to make online transactions and data transmissions more secure. This now brings us to the latest version of the TLS protocol…

TLS Version 1.3

TLS 1.3 essentially took sections of the existing TLS 1.0-1.2 rulebooks and designs and threw them out the window. The result? A simplified, streamlined design that made it faster (at scale) and more secure than its predecessors.

Among the biggest changes seen in version 1.3 relates to how the session keys are derived and how online certificate status protocol (OCSP) messages are transmitted. But what are some of the other notable changes of this TLS protocol version?

  • Eliminated use of weak symmetric encryption and hashing algorithms (e.g., SHA-1, MD5, RC4, DES, 3DES, CBC-mode AES, etc.)
  • Mandated use of perfect forward secrecy via ephemeral keys (which resulted in RSA and static DH key exchanges getting kicked to the curb)
  • Streamlined the TLS 1.3 handshake to a single round-trip interaction (1-RTT mode) or, in cases where a client and server have previously communicated, it’ll reduce it to zero round-trip time (0-RTT). Previous TLS protocol versions used two round trips.
  • Swapped out MAC-then-encrypt (i.e., a MAC + cipher combo) for authenticated ciphers (e.g., AEAD bulk encryption ciphers such as AES-CCM, AES-GCM, and ChaCha20 [when paired with Poly1305])
  • Offered additional downgrade attack protection
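
How a client can check the downgrade protection listed above, as an added example that is not code from the original article: RFC 8446 has a TLS 1.3 server that negotiates a lower version set the last 8 bytes of its ServerHello random to a fixed sentinel, so this sketch parses a ServerHello body, reports the negotiated version against the deprecation RFCs in the table above, and flags the sentinel. The function names and the sample messages built by `build_server_hello` are constructed for illustration.

```python
import struct

# Wire version code -> (name, RFC that deprecated it per the table above, or None)
VERSIONS = {
    0x0300: ("SSL 3.0", "RFC 7568"),
    0x0301: ("TLS 1.0", "RFC 8996"),
    0x0302: ("TLS 1.1", "RFC 8996"),
    0x0303: ("TLS 1.2", None),
    0x0304: ("TLS 1.3", None),
}
SENTINEL_TLS12 = b"DOWNGRD\x01"  # RFC 8446 4.1.3: TLS 1.3 server negotiating TLS 1.2
SENTINEL_OLDER = b"DOWNGRD\x00"  # ... negotiating TLS 1.1 or below
EXT_SUPPORTED_VERSIONS = 43      # carries the real version in a TLS 1.3 ServerHello


def parse_server_hello(body: bytes):
    """Return (negotiated version code, 32-byte server random) from a ServerHello body."""
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    (negotiated,) = struct.unpack_from("!H", body, 0)  # legacy_version
    random = body[2:34]
    pos = 35 + body[34] + 3  # skip session_id, cipher_suite (2), compression (1)
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    if pos + 2 <= len(body):  # extensions block is optional before TLS 1.3
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        if end > len(body):
            raise ValueError("extensions overrun message")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2 and pos + 2 <= end:
                (negotiated,) = struct.unpack_from("!H", body, pos)
            pos += ext_len
    return negotiated, random


def assess(body: bytes):
    """Return (version name, findings) as a TLS 1.3-capable client would see them."""
    version, random = parse_server_hello(body)
    name, deprecated_by = VERSIONS.get(version, (f"unknown 0x{version:04x}", None))
    findings = []
    if deprecated_by:
        findings.append(f"{name} negotiated; deprecated by {deprecated_by}")
    if version < 0x0304 and random[-8:] in (SENTINEL_TLS12, SENTINEL_OLDER):
        findings.append(f"downgrade sentinel in random with {name}: abort handshake")
    return name, findings


def build_server_hello(legacy_version, random, selected=None):
    """Constructed sample message body for the demo (not captured traffic)."""
    body = struct.pack("!H", legacy_version) + random + b"\x00"  # empty session_id
    body += b"\x00\x00\x00"  # placeholder cipher suite + null compression (not inspected)
    if selected is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    return body
```

Calling `assess(build_server_hello(0x0303, bytes(24) + SENTINEL_TLS12))` shows the case that matters: a ServerHello that claims TLS 1.2 but carries the sentinel means the server could have done TLS 1.3 and something on the path stripped it.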

Where Does TLS 1.3 Stand Today?

This protocol version is in use, although it isn’t as widely adopted as TLS version 1.2. As of May 2024, 70.1% of websites surveyed by the Qualys SSL Labs (from the same SSL Pulse tool cited earlier) supported the TLS 1.3 protocol.

Looking to the Future of SSL and TLS: Quantum-Resistant Cryptography

Quantum Cryptography is one of the things that’s going to require not just a different mindset and approach to implement, but ongoing changes as technologies and threats evolve as well. This is primarily due to the fact that cryptographically relevant quantum computers (CRQCs) are forecast to make TLS 1.2 and the public key cryptographic algorithms we rely on now virtually useless.

It’s for this reason that as part of the shift to using post-quantum cryptography (PQC) algorithms, the IETF proposes that the use of TLS 1.3 must be supported for TLS applications, and TLS 1.2 protocol may be supported only in specific circumstances.

Major providers are starting to transition to pairing TLS 1.3 with hybrid PQC. Cloudflare reports that as of March 2025, “well over a third of the human web traffic reaching the Cloudflare network is protected against these attacks by TLS 1.3 with hybrid ML-KEM key exchange.”

Image caption: A chart showcasing the amount of HTTPS traffic that Cloudflare serves via encrypted connections using post-quantum encryption algorithms. Image courtesy of the Cloudflare Radar platform.

An Overview of Recent and Ongoing Changes That Are in the Works

  • NIST published 3 PQC standards in August 2024. These digital signature and key encapsulation mechanisms, which were selected from a list of 80+ PQC algorithm submissions, are expected to eventually replace modern public key algorithms.
  • On Feb. 26, 2025, the IETF released the Internet Draft, “Post-Quantum Cryptography Recommendations for TLS-based Applications.” This document highlights potential best practices to help organizations figure out the best way of handling the challenges associated with transitioning applications to utilizing post-quantum cryptography to help stave off harvest now, decrypt later (HNDL) and CRQC-related threats.
  • On March 11, 2025, NIST published the “Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process.” This document summarizes the fourth-round key establishment algorithm candidates (i.e., BIKE, Classic McEliece, HQC, and SIKE) and covers the one chosen for standardization (HQC). The next steps include preparing and sharing a draft standard for public comments, which will be adjudicated, and then the final version is expected to be published approximately two years later.


Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.