History of SSL (TLS)
Many years ago the web was built on ‘HTTP’, the Hypertext Transfer Protocol, and it was great; it’s still used by every web browser today to display content from the internet! As the web grew, so did the need to securely send personal information from your device to the end server, and that’s when SSL v1.0 was introduced alongside ‘HTTPS’, or Hypertext Transfer Protocol Secure, and the browser padlock. This brought a layer of cryptography to the information submitted in login forms, checkout baskets, etc… the list goes on.
As the years passed, enhancements to the standard followed with SSL v2.0 and v3.0, both of which have since been deprecated, in 2011 and 2015 respectively. Meanwhile, back in 1999, an enhanced, revised standard was released called ‘Transport Layer Security’, or ‘TLS’ for short, and like ‘SSL’ it has seen multiple revisions, with v1.0 and v1.1 deprecated in 2020.
Every modern website should now be using TLS v1.2 or v1.3 and with the web slowly moving over to the new HTTP/3 standard this is becoming more essential for a better experience.
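An added example (not from the original article): a Python check, using the standard ssl module, that enforces the TLS v1.2 / v1.3 floor recommended above and reports why an endpoint fails it. The function names and the example.com host are assumptions chosen for illustration.

```python
import socket
import ssl

# Deprecation years exactly as stated in the article above.
DEPRECATED = {"SSLv2": 2011, "SSLv3": 2015, "TLSv1": 2020, "TLSv1.1": 2020}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def strict_client_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess(version):
    """Classify a protocol string as reported by SSLSocket.version() or a server log."""
    if version in ACCEPTED:
        return ("ok", f"{version} is a current protocol version")
    if version in DEPRECATED:
        return ("fail", f"{version} was deprecated in {DEPRECATED[version]}")
    return ("unknown", f"unrecognised protocol string: {version!r}")


def probe(host, port=443, timeout=5.0):
    """Handshake with host:port and report what was negotiated."""
    ctx = strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("fail", f"certificate not trusted: {exc.verify_message}")
    except ssl.SSLError as exc:
        # Legacy-only or plain-HTTP endpoints end up here: no TLS 1.2+ handshake.
        return ("fail", f"no TLS 1.2+ handshake: {exc.reason}")
    except OSError as exc:
        return ("error", f"could not connect: {exc}")


if __name__ == "__main__":
    # Constructed sample host; replace with a site you operate.
    print(probe("example.com"))
```

Because the client context itself refuses TLS v1.0 and v1.1, a legacy-only server shows up as a failed handshake rather than a negotiated old version; assess() is still useful for protocol strings pulled from server or proxy logs.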
Why is it still called an SSL certificate?
This is primarily due to ‘brand recognition’: both protocols ran side by side and could be interchangeable from site to site, meaning the average person wouldn’t think or know to check whether the site they were connected to runs SSL 3.0 or TLS 1.x. Deprecation of the legacy standards has helped massively, especially with browsers now showing warnings for sites using these legacy cryptography suites.
Below is an example from Google Chrome version 81
However, even with these alerts you can see the ‘SSL’ branding despite the feature targeting TLS v1.0 and v1.1. These browser prompts will get people talking and becoming aware of ‘TLS’, but ultimately the ‘SSL’ branding is here to stay for the foreseeable future.
Why you NEED to use it
While this list could be endless, we’re only going to discuss some of the huge points.
Google announced back in late 2017 that sites which don’t utilise HTTPS will see negative action against their site in Google rankings, in a bid to push HTTPS Everywhere.
HTTP only in 2022 is Lazy
With one-click deployments and companies like Cloudflare, Let’s Encrypt and more all making a unified effort to secure the web, running HTTP only just shows your end customers that you’re lazy and don’t take the time to implement the bare minimum practices.
No HTTP/3-QUIC Support
QUIC is a much faster, refined take on the HTTP/2 specification and utilises newer encryption technologies that offer improvements over traditional TLS and TCP connections.
If you’re looking to go for PCI certification you MUST have that small grey padlock in the browser. If you’re processing payments this is a must, and without it there will be legal implications.
Protection of Data
If you’re using login forms or otherwise sending data, this must be encrypted, and you could be fined under many data protection laws if you haven’t followed the recommended practices.
SSL Certificates (that are at least OV / EV spec) have a level of ‘real-world verification’ take place before they are issued, and are primarily found in sensitive environments that need additional layers of trust over DV Certificates.