45

Since TLS is preferred over SSL, why do we still use the terms SSL and HTTPS generally?

The former could be anecdotal, but most people I speak to still say SSL in general conversation. The term HTTPS is more objective, since that means HTTP over SSL.

Why don't we say HTTPT (HTTP over TLS) and use the scheme httpt://?

Ian Newson
  • 503
  • 1
  • 4
  • 6
  • 60
    The "S" in HTTPS can stand for "Secure". – SilverlightFox Jun 24 '15 at 10:06
  • @SilverlightFox: Can't find this in the RFCs. Got a source? – StackzOfZtuff Jun 24 '15 at 10:47
  • 5
    @StackzOfZtuff: [Google mention it here](https://support.google.com/webmasters/answer/6073543?hl=en): `You can make your site secure with HTTPS (Hypertext Transfer Protocol Secure),`. Also colloquially it can be known as HTTP Secure. – SilverlightFox Jun 24 '15 at 10:52
  • 2
    Related question with Thomas Pornin's answer: [What's the difference between SSL, TLS, and HTTPS?](https://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https) – StackzOfZtuff Jun 24 '15 at 11:09
  • 4
    @SilverlightFox: Huh. It's actually [in the IANA registry as "Hypertext Transfer Protocol Secure"](https://www.ietf.org/assignments/uri-schemes/uri-schemes.xml)! But that's the only official source I can find it as that long name. – StackzOfZtuff Jun 24 '15 at 11:12
  • 16
    @StackzOfZtuff: If you're after an RFC, it's in [RFC 7230](http://tools.ietf.org/html/rfc7230#page-62). – SilverlightFox Jun 24 '15 at 11:15
  • 1
    HTTPS never meant HTTP-SSL, that is an assumption that doesn't follow the RFC. SFTP => Secure FTP not SSL-FTP. – Fiasco Labs Jun 25 '15 at 04:56
  • That the varieties of ethernet are all called "ethernet" is even more intriguing -- and equally meaningless in the context of having your computer perform some high level task (as in, print an invoice or show you sexy pictures when you tell it to). – zxq9 Jun 25 '15 at 12:49
  • You don't need HTTP to use SSL. – Engineer2021 Jun 25 '15 at 14:05
  • Related: 2013-06-20, SecSE, [Why isn't TLS just called SSL v 4.0?](https://security.stackexchange.com/questions/37747/why-isnt-tls-just-called-ssl-v-4-0) – StackzOfZtuff May 14 '19 at 12:45

3 Answers3

78

Huge effort. Little technical return.

Introducing a new scheme (schemes are e.g. http://, https://, ftp://, etc.) and deploying it would mean breaking backwards compatibility. Not worth it.

Political rather than technical
Ivan Ristic devotes some sentences in the introduction to his book to this.

The book is called Bulletproof SSL and TLS. You've got both the "SSL" and "TLS" right in the title. (Go figure.)

The introductory chapter is free online. The naming controversy is mentioned in section "SSL versus TLS" (page xix) and section "Protocol History" (page 3).

It seems the whole reason for renaming from SSL to TLS was political rather than technical. Ristic's footnotes link to the blog of Tim Dierks. Dierks wrote the SSL 3.0 reference implementation in 1996 and this is his take on the naming:

  • Tim Dierks, 2014-05-23, Security Standards and Name Changes in the Browser Wars (archived here):

    As a part of the horsetrading, we had to make some changes to SSL 3.0 (so it wouldn't look [like] the IETF was just rubberstamping Netscape's protocol), and we had to rename the protocol (for the same reason). And thus was born TLS 1.0 (which was really SSL 3.1). And of course, now, in retrospect, the whole thing looks silly.

Further reading

  • Here's another take on the naming. It's by Mike McCana (who operates a CA himself):
    Mike McCana, CertSimple.com blog, 2016-01-05, Why do we still say SSL? (Archived here.)
StackzOfZtuff
  • 17,923
  • 1
  • 51
  • 86
  • 1
    Thanks for your excellent answer. Gets right to the heart of the issue. – Ian Newson Jun 24 '15 at 15:38
  • If anyone cared enough, I guess a cheap way to fix this would be to call TLS 1.3 SSL 4, or similar. I'm guessing the political landscape of the 90s is no longer an issue. – Ian Newson Jun 24 '15 at 15:40
  • 3
    I'd simply add that it doesn't really matter if we call it SSL, TLS, RTS, FPS, SSS, STP, STS, or any other three letter acronym (some I think are rather clever and less dry than official names, too bad I'll forget them in 30 minutes). All non-techies care about is the *S*-- security. They want A (themselves) to speak with B (someone else) without C (a Bad person) getting in the middle. – phyrfox Jun 24 '15 at 17:27
  • 7
    @phyrfox Maybe call it the AB!C protocol then. – lkraider Jun 25 '15 at 04:14
12

Why don't we say HTTPT (HTTP over TLS) and use the scheme httpt://?

Because it would be a waste of time and money to change everything without effectively gaining anything?

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 4
    I don't think it's right to say nothing is gained, as inconsistency costs time. It would be fair to say that not enough is gained though, or in other words the cost/benefit ratio doesn't justify it. I realise I'm splitting hairs! – Ian Newson Jun 24 '15 at 13:18
  • 1
    How this question can answer the question? Can you prove that adding a protocol would be a waste of time and money? (I'm splitting hairs too) – A.L Jun 24 '15 at 14:04
  • @A.L: I considered it obvious that it would take considerable resources to rename something which is hard-wired into millions of devices and software and is written into documentation, books etc. And the net effect is just the renaming. – Steffen Ullrich Jun 24 '15 at 14:21
  • 4
    @IanNewson: TLS is just another word for SSL, in fact TLS 1.0 is protocol SSL 3.1 etc. It would be much cheaper to teach this fact than to rename everything. – Steffen Ullrich Jun 24 '15 at 14:23
  • TLS isn't a word. It's an acronym. And stands for something different than SSL. I understand that TLS should have been SSL 3.1, but it's not. – Ian Newson Jun 24 '15 at 18:46
  • @IanNewson: TLS is another acronym saying effectively the same as SSL: a secure layer for transporting data. It's better to teach that SSL is not the broken and TLS the new and shiny thing, but that the relevant difference is the protocol version, not the protocol name. Then it is also easier to argue that people should move up to TLS 1.2 and not stay with TLS 1.0, because this one has also design problems. – Steffen Ullrich Jun 24 '15 at 19:03
  • @IanNewson: I think the key here is that while there are contexts where it's useful to consistently avoid referring to "TLS" as "SSL", this benefit of consistently doesn't extend to inventing another hypertext transfer protocol. It's easier to re-interpret/extend the existing protocol name "https" to mean, "http over a secure socket protocol" than it is to distinguish old "https" from new "httpt", with all the cost that entails. – Steve Jessop Jun 25 '15 at 08:45
  • @IanNewson, acronyms *are* words: ["a word formed from..." —Dictionary.com](http://dictionary.reference.com/browse/acronym), ["a word formed from..." —Merriam-Webster](http://www.merriam-webster.com/dictionary/acronym). – Olathe Jun 25 '15 at 13:44
  • 2
    I think people are ignoring the actual answer. the 's' means secure so the encryption you use to do so doesn't matter. TLS, SSL etc are all separate encryption methods to create a secure protocol. Why would you ever change your URL scheme to reflect your encryption key name? The fact that one exists is why the 's' is there in the first place. – Ben Racicot Jun 25 '15 at 14:19
  • The whole discussion looks more and more like [bike shedding](https://en.wiktionary.org/wiki/bikeshedding). – Steffen Ullrich Jun 25 '15 at 16:45
4

Mostly tradition. People have been using "SSL" to refer to encrypted communications for so long that even though the protocols called SSL have all been replaced, the name has stuck around.

As for why we don't call it HTTPT, a big part of the reason is that Cool URLs Don't Change. A huge number of links in existing Web pages would break, and many of them would likely never be updated. As depressing as it can sound, we cannot count on users to understand how to convert these into HTTPT links, even though it might mean changing only one character.

Besides, Berkeley Breathed and the authors of ack might get mad.

The Spooniest
  • 1,647
  • 9
  • 11