Tuesday, February 7, 2017

Let's say "TLS" instead of "SSL"

A trend I noticed within information security circles is to use the term "SSL" even when we mean "TLS".  TLS is the newer and more secure replacement for SSL.  All versions of SSL, even the latest SSLv3 flavor, are considered to be insecure at this point. 

It's habit to say "SSL".  Our infosec minds auto-translate it to "TLS", but there are interesting, concrete reasons that the IETF chose the name TLS back in 1999.  In addition, words have meaning and many people who don't eat, drink, and sleep security aren't up to speed on the nuances of this stuff.  This includes millions of IT personnel who are responsible for configuring servers in a secure manner.  It also includes newbies who are entering the infosec field every day.

Information security professionals can be arrogant.  If someone isn't as knowledgeable as them, then that person is called stupid. For example, application security experts tend to denigrate developers for writing insecure code.  That bothers me a lot.

Here's another example:

So people who don't know about SSL vs. TLS are not clever.  Nice.

Years ago I didn't know much about security.  I was a developer and appreciated the opportunity to learn from others.  So let us be technically accurate and use "TLS", even if it turns out to be a losing battle in the end.

0 comments:

  © Blogger templates The Professional Template by Ourblogtemplates.com 2008

Back to TOP