Why people who know better still say 'SSL'. And 'hoverboard'.

It's 17 years since TLS was standardised. Is it time to move on?

July 12, 2021
We're Expedited Security. We help SaaS applications prevent and recover from attack, overcome regulatory or integration security requirements, or just stop "weird" traffic before it becomes a problem.

We feel your pain. You're a devops person or system administrator and why is everyone talking about SSL? It's called TLS now, and it has been for 17 years.

This happens a lot in technology:

TLS is the correct name for the current protocol, but the name 'TLS' has never really taken off. The entire technology industry, including infosec and devops folk, still uses 'SSL' far more frequently. Obviously, people still talk about 'SSL certificates', 'SSL clients' and services. But more recent developments still use the term:

Why do we do this? Because the technically outdated term 'SSL' conveys meaning better than the newer, more correct term 'TLS'.

Here's a test:

Ask a devops person - particularly someone who uses the term 'TLS' in conversation - where they're 'terminating their TLS'.

Even though they know what TLS is, they'll probably still pause a moment to think what you mean.

If you want people outside infosec - like the web developers setting up most servers these days - to pay attention to your message, you have to use the same language as they do.

One possible solution is avoiding use of TLS or SSL completely: Google uses HTTPS in documentation and this may be a good way forward: 'HTTPS' surpassed 'SSL' as a search term in 2011. However, the use of 'HTTPS certificate' hasn't taken off.

You could spend time in the noble cause of educating the world about the correct terminology. Or, given their limited amount of attention, you could spend that time making sure they actually set up their web server properly. Picking the latter battle will make the world a better place.

That said, I totally hear you about the hoverboards.

1. Well, a Linux kernel and probably glibc, since a lot of technology people don't consider Android (which uses its own libc) to be 'Linux'. Some consider Android 'Bionic/Linux' rather than 'GNU/Linux', which is also technically true. See 3.

2. E.g., from man dnsdomainname: dnsdomainname command will print the domain part of the FQDN (Fully Qualified Domain Name) - FQDNs are a way of specifying a host, and hosts live inside domains. However, the baseline requirements have a more liberal definition, which is 'the label assigned to a node in the Domain Name System'. See 3.

3. Another side effect of being overly strict about terminology is distracting conversations like 1 and 2.