RIP SSL

The IETF has officially deprecated SSL 3.0 with the publication of RFC 7568: SSLv3 Is Not Secure. TLS clients and servers MUST NOT send a request for an SSLv3 session. Similarly, TLS clients and servers MUST close any session requesting SSLv3. According to RFC 2119, MUST means mandatory.
POODLE signed the certificate of death.
As a consequence, we should stop using the term SSL when we actually mean TLS. For a long time, we often conflated SSL and TLS in our writing. We should discipline ourselves now. Will the community dare remove SSL from OpenSSL or LibreSSL? Will it be renamed OpenTLS, or keep the SSL name as a tribute?
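
To make the "close any session requesting SSLv3" rule concrete, here is an added example (not from the original post or from any TLS library) of a server-side check on the first bytes of a connection. The function names and the sample hello are constructed for illustration; the byte offsets follow the standard TLS record and handshake headers.

```python
import struct

HANDSHAKE, ALERT, CLIENT_HELLO = 0x16, 0x15, 0x01  # record types, handshake type
FATAL, PROTOCOL_VERSION = 2, 70                    # alert level, alert description
SSL3 = (3, 0)                                      # {03,00} on the wire

def offered_version(data: bytes):
    """Return ClientHello.client_version as (major, minor), or None when the
    bytes do not start with a ClientHello handshake record."""
    if len(data) < 11:
        return None
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE or rec_len < 6 or data[5] != CLIENT_HELLO:
        return None
    # data[6:9] is the 24-bit handshake length; client_version follows it.
    return data[9], data[10]

def check_client_hello(data: bytes):
    """Return (accept, reply). reply is what to send before closing."""
    version = offered_version(data)
    if version is None:
        return False, b""              # not a ClientHello: close silently
    if version == SSL3:
        # Fatal protocol_version alert. Echoing the client's record version
        # is a choice made for this example.
        return False, struct.pack("!BBBHBB", ALERT, data[1], data[2],
                                  2, FATAL, PROTOCOL_VERSION)
    # The record-layer version (data[1:3]) is deliberately not checked:
    # TLS clients may put {03,00} there while offering a TLS version.
    return True, b""

def sample_hello(record_version, client_version):
    """Constructed minimal ClientHello for the demo (not a capture)."""
    body = (bytes(client_version) + bytes(32)   # version, 32-byte random
            + b"\x00"                           # empty session_id
            + b"\x00\x02\x00\x2f"               # one cipher suite
            + b"\x01\x00")                      # null compression
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, *record_version, len(hs)) + hs

if __name__ == "__main__":
    for rec, cli in [((3, 0), (3, 0)), ((3, 0), (3, 3)), ((3, 1), (3, 3))]:
        accept, reply = check_client_hello(sample_hello(rec, cli))
        print(rec, cli, "accept" if accept else "reject", reply.hex())
```

The middle case is the one a naive filter gets wrong: rejecting on the record-layer version alone would drop a client that is actually offering TLS 1.2.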
