Glossary · Definition

SSL

SSL (Secure Sockets Layer) is the obsolete encryption protocol that became TLS in 1999. The term stuck culturally — 'SSL certificate' actually means a TLS certificate today — but every secure connection on the modern web is TLS, not SSL.

Updated May 2026 · 4 min read

100% in-browserNo downloadsNo sign-upMalware-freeHow we keep this safe →

Definition

What it means

SSL was developed at Netscape in the mid-1990s. SSL 1.0 was never released, 2.0 had serious flaws, 3.0 (1996) was the dominant version until TLS 1.0 superseded it in 1999. Both SSL 2.0 and 3.0 have been formally deprecated by the IETF (2011 and 2015 respectively, after the POODLE attack proved SSL 3.0 was insecure). Despite this, 'SSL' remains the marketing term for HTTPS — Certificate Authorities sell 'SSL certificates' that are actually TLS certificates, and admins talk about 'SSL termination' to mean TLS termination.

Why it matters

Anywhere you see 'SSL' in 2026 it should be read as 'TLS'. If you see a configuration that actually enables SSL 2.0 or 3.0 — disable it. Modern config: TLS 1.2 + 1.3 only, no SSL versions, ECDHE cipher suites with AES-GCM or ChaCha20-Poly1305, HSTS header set. SSL Labs (Qualys) gives every public HTTPS site a letter grade — A or A+ is achievable with default configs from Let's Encrypt + a reasonable nginx/Caddy/Vercel setup.

Frequently asked questions

Should I worry if I'm still using SSL?

Yes. SSL 2.0 and 3.0 are broken. If your server config explicitly mentions SSL, audit the cipher suite list and disable everything pre-TLS 1.2.

Why is the term still everywhere?

Inertia. 'SSL certificate' is what cert vendors trained the market to say. 'SSL termination' is what load-balancer docs called the feature. Renaming everything to TLS would be technically correct but commercially inconvenient.

What it means

Why it matters

Frequently asked questions

Related terms