DEV Community

Cover image for The history of HTTPS

Posted on • Updated on

The history of HTTPS

Two computers follow a series of agreed-upon steps to establish a communication tunnel with each other. A protocol outlines these compulsory steps. HTTP protocol is the protocol that clients and web servers use to communicate with each other.

HTTP was developed by Tim Berners-Lee and his team between 1989-1991 while he was working at CERN. It was intended to exchange files between the multiple computers at the laboratory. It was a clear text protocol.
Other computers outside of CERN adopted the protocol in their internet usage. As internet evolved, sensitive information were being shared via this protocol.
However, since HTTP transfers data between client and server as plain text, it posed a problem. A malicious intruder that intercepts the network segment between you(the client) and the server, is able to view sensitive information such as passwords and credit card numbers. Or the intruder could intercept a client's request and serve back malicious files pretending to be the server.

Therefore, adding an encryption layer to the HTTP protocol was necessary.

TLS is an acronym for Transport Layer Security. And it is an encryption layer added to the HTTP protocol to stop malicious intruders from snooping sensitive and restricted data happening in between client and the server. HTTP protocol that includes an encryption layer upgrades to the acronym of HTTPS(HyperText Transfer Protocol Secure). Hence sensitive information shared via HTTPS protocol can reliably be considered as safe and confidential from eavesdropping attacks.

TLS was not formed outright as the step of trial and error had not to be skipped. TLS is a successor of SSL(Secure Sockets Layer).

SSL developments

As mentioned above, TLS is a successor of SSL.

SSL was a cryptographic protocol developed by Netscape. SSL version 1.0 was developed in 1994. But it was never publicly released because it was discovered to have serious flaws. In February 1995, version 2.0, was developed and released to the public. However it was quickly discovered to contain a number of security and usability flaws.
Microsoft released the first version of its PCT(Private Communication Technology) protocol, designed to address the security flaws in SSL Version 2. PCT never gained traction outside Microsoft products and was later on superseded with SSL version 3.

Back at Netscape, the critical security issues in version 2 necessitated the complete redesign of the protocol from the ground up. SSL version 3.0 was then released in 1996.

Birth and timeline of TLS

In 1996, a working group was formed at IETF(Internet Engineering Task Force) to standardize SSL. This is after an agreement where both Netscape and Microsoft would support the IETF taking over the protocol and standardizing it in an open process.

Three years later(in 1999), the 1st upgrade to SSL version 3.0 was published as TLS 1.0 in RFC 2246. TLS 1.0 had minor changes to SSL 3.0 as stated in the RFC:

differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate

Tiem Dierks, an editor in RFC 2246, later on says in his blog:

As a part of the horsetrading, we had to make some changes to SSL 3.0 (so it wouldn't look the IETF was just rubberstamping Netscape's protocol), and we had to rename the protocol (for the same reason). And thus was born TLS 1.0 (which was really SSL 3.1).

TLS was born as from version 1.0 and today it is still being used as the standard encryption layer on HTTP protocol. Countable TLS vesions have being released since then i.e TLS 1.0, TLS 1.2 and TLS 1.3. The most recent version(as of 2023) is TLS 1.3 which was released in August 2018.

Earlier versions of TLS have been overshadowed with the recent and more bullet-proof versions. In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020. TLS 1.0 and 1.1 were formally deprecated in RFC 8996 in March 2021.

SSL has never received an update since its SSL 3.0 release in 1996 and hence new vulnerabilities have been found with the evolved cyber security attacks. SSL 3.0 was deprecated in June 2015 in RFC 7568.

Here is the encryption protocol layer history summarized in a table:

protocol published status
SSL 1.0 unpublished unpublished
SSL 2.0 1995 Deprecated in 2011 (RFC 6176)
SSL 3.0 1996 Deprecated in 2015 (RFC 7568)
TLS 1.0 1999 Deprecated in 2021 (RFC 8996)
TLS 1.1 2006 Deprecated in 2021 (RFC 8996)
TLS 1.2 2008 In use since 2008
TLS 1.3 2018 In use since 2018

Despite that SSL was replaced more than 20 years ago by TLS, many people still use the term SSL when they mean TLS.

Let's connect on twitter.

Top comments (0)