Why SSL was renamed to TLS in late 90s (2014)

Naming, Politics, and Version Numbers

  • Many readers echo the article’s conclusion: SSL→TLS was mostly politics and “territory marking,” not a clean technical break.
  • TLS 1.0 was very close to SSL 3.0; TLS 1.0–1.2 are incremental, while SSLv2→SSLv3 and TLS 1.2→1.3 are the real big jumps.
  • Internally, TLS 1.3 uses protocol version bytes 03 04, leading some to jokingly call it “SSL 3.4.” There was serious discussion about calling it TLS 2 or TLS 4, but the WG stuck with 1.3.
  • Several commenters find forcing the name change from SSL to TLS petty in hindsight, especially as “SSL” is still the dominant colloquial term.

Is “Transport Layer Security” the Right Name?

  • One side argues TLS behaves like a transport-layer abstraction over TCP (reliable byte stream), so the name fits the OSI/IP models.
  • Others note that in practice it’s tightly bound to TCP, with DTLS and QUIC split out, so “socket-level” SSL arguably described reality better.
  • There’s some joking about TLS also meaning “Thread Local Storage,” which predates the security protocol in some ecosystems and adds to terminological confusion.

Protocol Mechanics, Extensions, and Downgrades

  • TLS 1.0 introduced a framework for extensions, enabling later features like SNI and session tickets (though those appeared in separate RFCs).
  • Multiple comments walk through the protocol family: SSLv2 (deeply broken), SSLv3 (new design), TLS 1.0/1.1 (bugfixes and modest changes), 1.2 (new hashes + AEAD), 1.3 (substantial redesign, AEAD-only, simplified).
  • Version/cipher negotiation enabled smooth upgrades but also decades of downgrade attacks, especially when clients retried with weaker options after failure.
  • TLS 1.3 adds explicit downgrade protections and signs more of the handshake; deployment was slowed by “ossified” middleboxes, and only strong browser pressure forced the ecosystem to adapt.
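
The downgrade protection mentioned above can be checked directly on a ServerHello. This is an added example, not code from the article or the discussion: it follows the sentinel rule in RFC 8446 section 4.1.3, and the function names and the constructed test messages are assumptions made for illustration.

```python
import struct

# RFC 8446 section 4.1.3: sentinels in the last 8 bytes of ServerHello.random
SENTINEL_TLS12 = b"DOWNGRD\x01"    # TLS 1.3-capable server negotiated TLS 1.2
SENTINEL_LEGACY = b"DOWNGRD\x00"   # server negotiated TLS 1.1 or below
SUPPORTED_VERSIONS = 0x002B        # extension carrying the real version (03 04)

def parse_server_hello(body):
    """Return (negotiated_version, random) from a ServerHello body
    (the 4-byte handshake header is assumed to be stripped already)."""
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version, = struct.unpack_from("!H", body, 0)   # legacy_version, 03 03 in TLS 1.3
    random = body[2:34]
    pos = 35 + body[34] + 3        # skip session id, cipher suite, compression
    if pos + 2 <= len(body):       # extensions block is optional before TLS 1.3
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if end > len(body):
            raise ValueError("extensions overrun message")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if pos + 4 + ext_len > end:
                raise ValueError("extension overruns extensions block")
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2:
                version, = struct.unpack_from("!H", body, pos + 4)
            pos += 4 + ext_len
    return version, random

def downgrade_detected(body, client_max=0x0304):
    """True if a client that offered client_max must abort the handshake."""
    version, random = parse_server_hello(body)
    tail = random[-8:]
    if client_max >= 0x0304 and version <= 0x0303:
        return tail in (SENTINEL_TLS12, SENTINEL_LEGACY)
    if client_max == 0x0303 and version <= 0x0302:
        return tail == SENTINEL_LEGACY
    return False

def build_server_hello(random, selected=None):
    """Constructed sample message: empty session id, no other extensions."""
    ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected) if selected else b""
    suite = 0x1301 if selected else 0xC02F
    return (b"\x03\x03" + random + b"\x00" + struct.pack("!HB", suite, 0)
            + struct.pack("!H", len(ext)) + ext)

if __name__ == "__main__":
    honest13 = build_server_hello(bytes(32), selected=0x0304)
    forced12 = build_server_hello(bytes(24) + SENTINEL_TLS12)
    for name, msg in (("TLS 1.3", honest13), ("forced 1.2", forced12)):
        print(name, "-> abort" if downgrade_detected(msg) else "-> continue")
```

A genuine TLS 1.2-only server never writes the sentinel, so the check passes for it; the sentinel appears only when a TLS 1.3-capable server was steered to an older version.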

Microsoft, Netscape, and Trust

  • Some recall Microsoft’s PCT and early SSL work as technically better and more shareable than Netscape’s, suggesting Netscape acted “childishly” and politics drove the split.
  • Others strongly counter that, given Microsoft’s 90s/00s history (embrace–extend–extinguish, standards capture, workplace culture), skepticism about letting it control a core security protocol was rational, not petty.

Everyday Usage: SSL vs TLS vs HTTPS

  • An informal age-poll shows most people, old and young, still say “SSL” in speech, especially when talking about “SSL certificates,” tools (OpenSSL, BoringSSL, SSL Labs), or “SSL decryption” in firewalls.
  • Some consciously correct themselves to “TLS,” especially in precise technical contexts (e.g., “TLSv1.2”).
  • Many default to “HTTPS” when talking to non-technical users; deeper protocol details are treated as a black box.

Legacy and the Long Tail

  • SSL (especially v2) is universally described as obsolete and insecure, yet scans show hundreds of thousands of Internet-exposed services still support SSLv2.
  • Commenters stress that real clients should no longer be using it, but acknowledge that ancient, unmaintained systems linger.