Transport Security

Understanding TLS & SSL Versions

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. When you see the padlock icon in your browser’s address bar, it means the connection to the website is encrypted using SSL/TLS.

Understanding the difference between protocol versions and configuring your server to negotiate only secure versions is critical to protecting your users’ data and maintaining your search engine visibility.

Why Encrypted Transport Matters

When a browser connects to a web server over unencrypted HTTP, all data is sent in plain text. This exposes the connection to two primary risks:

  1. Eavesdropping (Sniffing): Any intermediate router or actor along the network path (like a public Wi-Fi hotspot operator) can read the sensitive data being transmitted, such as usernames, passwords, session cookies, or payment information.
  2. Tampering (On-path attack, formerly man-in-the-middle): Attackers can inject malicious content, scripts, or unwanted advertisements into the web page before it reaches the user’s browser.
sequenceDiagram
    participant B as Browser (Client)
    participant S as Web Server

    B->>S: 1. ClientHello (Supported Cipher Suites)
    S-->>B: 2. ServerHello, Certificate (Public Key)
    Note right of B: Browser verifies Certificate<br/>(Valid Authority, Not Expired, Domain Match)
    B->>S: 3. ClientKeyExchange (Initial shared secret encrypted with Server Public Key)
    S-->>B: 4. Server Finished
    B->>S: 5. Client Finished
    Note over B,S: Secure TLS Tunnel Established
    B->>S: HTTP GET / (Encrypted)
    S-->>B: 200 OK (Encrypted HTML)

SSL/TLS solves both problems by establishing an encrypted channel using symmetric cryptography and verifying the identity of the server using asymmetric public-key cryptography.

The Evolution of Protocol Versions

The protocol has evolved significantly since the mid-1990s:

ProtocolRelease YearStatusReason
SSL 2.01995DeprecatedFatal security flaws in handshake and cryptography.
SSL 3.01996DeprecatedOutdated; vulnerable to attacks like POODLE.
TLS 1.01999DeprecatedWeak cryptographic primitives; vulnerable to BEAST.
TLS 1.12006DeprecatedInsecure hash functions (MD5, SHA-1); vulnerable to BEAST.
TLS 1.22008Active (Secure)Robust, widely supported standard. Supports modern authenticated encryption.
TLS 1.32018Active (Secure)Fast, simplified handshake; removes legacy and insecure cipher suites.

Why Old Versions Were Deprecated

Protocols like SSL 3.0, TLS 1.0, and TLS 1.1 rely on outdated cryptographic algorithms (such as RC4 and MD5) that are no longer secure against modern hardware and codebreakers. The IETF formally deprecated TLS 1.0 and 1.1 in March 2021 (RFC 8996).

Using deprecated protocols exposes your site to downgrade attacks, where an attacker tricks a client and server into negotiating an insecure legacy connection to exploit known vulnerabilities.

How to Harden Your TLS Configuration

To secure your website’s transport layer:

  1. Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 on your web server configuration.
  2. Enable TLS 1.2 and TLS 1.3.
  3. Configure Strong Cipher Suites: Restrict your server to negotiate only secure ciphers (e.g. ECDHE ciphers for TLS 1.2, and AEAD ciphers for TLS 1.3).

[!TIP] To learn how to inspect your domain’s active certificates, view certificate chains, or test validation status using browsers and CLI tools, read our guide on How to Check TLS Certificate Validity.

Example: Nginx Configuration

Ensure your Nginx configuration blocks insecure protocols:

# In your nginx.conf file
server {
    listen 443 ssl;
    http2 on;
    server_name example.com;

    ssl_certificate /path/to/signed_cert.crt;
    ssl_certificate_key /path/to/private_key.key;

    # Only allow secure protocols
    ssl_protocols TLSv1.2 TLSv1.3;

    # Prefer secure server ciphers
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
}

Sources & Standards

How Vioro monitors this

Vioro automatically verifies your server's SSL/TLS version negotiation, ensuring that deprecated and weak protocols (SSL 2.0/3.0, TLS 1.0/1.1) are disabled, and only secure, modern versions (TLS 1.2 and 1.3) are accepted.