Why people who know better still say 'SSL'. And 'hoverboard'.

It's 17 years since TLS was standardised. Is it time to move on?

July 12, 2021

We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.

We feel your pain. You're a devops person or system administrator and why is everyone talking about SSL? It's called TLS now, and it has been for 17 years.

This happens a lot in technology:

We talk about Linux, when we usually mean Operating Systems using a Linux kernel. ¹
We talk about 'domain names' when, at least in Unix terminology, we mean host name or fully qualified domain name. ²
Those 'hoverboards' that don't hover.

TLS is the correct name for the current protocol, but the name 'TLS' has never really taken off. The entire technology industry, including infosec and devops folk, still uses 'SSL' far more frequently. Obviously, people still talk about 'SSL certificates', 'SSL clients' and services. But more recent developments still use the term:

Recent OpenSSL forks BoringSSL and LibreSSL
SSL termination guides
The SSL Labs SSL Test
Domain validated SSL and EV HTTPS
Mozilla SSL Config generator
Even Bulletproof SSL and TLS - the most popular book on the topic - has to include the term 'SSL' in its name, despite it being quite impossible to make SSL v1-v3 bulletproof.

Why do we do this? Because the technically outdated term 'SSL' conveys meaning better than the newer more correct term 'TLS'.

People who know what TLS is know SSL was rebranded into TLS by Microsoft as part of SSL's standardisation process - here's a first hand account.
People who don't know what TLS is are still far more likely to know what SSL is.

Here's a test:

Ask a devops person - particularly someone who uses the term 'TLS' in conversation - where they're 'terminating their TLS'.

Even though they know what TLS is, they'll probably still pause a moment to think what you mean.

If you want people outside infosec, like the web developers setting up most servers these days - to pay attention to your message, you have to use the same language as they do.

One possible solution is avoiding use of TLS or SSL completely: Google uses HTTPS in documentation and this may be a good way forward: 'HTTPS' surpassed 'SSL' as a search term in 2011. However the use of 'HTTPS certificate' hasn't taken off

You could spend time in the noble cause of educating the world about the correct terminology. Or, given their limited amount of attention, you could spend that much time focusing on making sure they actually set up their web server properly. Picking the latter battle will make the world a better place.

That said, I totally hear you about the hoverboards.

1. Well, a Linux kernel and probably glibc, since a lot of technology people don't consider Android (which uses it's own libc) to be 'Linux'. Some consider Android 'Bionic/Linux' rather than 'GNU/Linux' which is also technically true. See ³.

2. Eg, from man dnsdomainname: dnsdomainname command will print the domain part of the FQDN (Fully Qualified Domain Name) - FQDNs are a way of specifying a host, and hosts live inside domains. However the baseline requirements have a more liberal definition, which is the label assigned to a node in the Domain Name System'. See ³.

3. Another side effect of being overly strict about terminology is distracting conversations like ¹ and ².

ᗕ Back to Blog Home