Security is one driving factor in the evolution of technology. Here’s a timeline showing how the history of SSL/TLS and PKI advanced as security needs increased since its introduction in 1995. The timeline was created by Ivan Ristić of Feisty Duck, who has done a fantastic job of documenting SSL/TLS and PKI history.
The deployment of SSL v2 protocol in Netscape Navigator 1.1 in March 1995 marks the advent of SSL/TLS. The protocol development is shown through the timeline to the expected readiness of TLS 1.3.
The timeline shows how the industry has developed ways to mitigate vulnerabilities such as HTTP Secure Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and Certificate Transparency. These types of preventions help to state: a) that the website is understood to be secure, b) whether or not the certificate chain is using the right key, and c) to monitor certificate issuance to determine if authorized certificates were issued for a domain name.
Along the way, many vulnerabilities cropped us such as BEAST, CRIME and Heartbleed. Other notable attacks appear such as the code signing issuance attack on VeriSign in 2001 and, of course, the Comodo and DigiNotar attacks in 2011.
The timeline also illustrates more stringent oversight noting how the browsers and the certification authorities (CAs) worked together to improve the issuance and management of certificates in order to create a more secure Internet. For example, the Extended Validation (EV) SSL/TLS guidelines were released in 2007 to provide a new certificate with higher verification standards in order to decrease the issuance of certificates used for phishing. The Baseline Requirements (BRs) were released in 2011 and were supported by the CAs in 2012. The BRs extend minimum standards for all SSL/TLS certificates including domain validated (DV) and organization validated (OV) certificates.
The latest upgrade in digital certificates is the deprecation of SHA-1 hashing algorithm. There was a hashing algorithm attack on MD5 late in 2008 and another in 2012. Although CAs were no longer allowed to sign certificates using MD5, the Flame attack in 2012 used an MD5 collision. Due to the poor deprecation of MD5 in 2008, Microsoft deprecated SHA-1 in the fall of 2013 (not shown in the history) prohibiting all CAs from signing certificates with SHA-1 as of January 2016, and browsers will no longer support SHA-1 beginning in January 2017.
The history is very useful in illustrating how the SSL/TLS has progressed over the years. The timeline will continue as we look forward to seeing how the future unfolds.