8

What I'm looking for

I'm looking for an approximation of the date that the development on each TLS or SSL version started (so the development start date). So I do not want to know the date when the first RFC was released, but when people started working on the RFC (this could be something like the first draft, or some post on an email list). The date may be as accurate as a year or a quarter of a year, it does not have to be very specific.

Why?

I'm making a timescale to illustrate the history of TLS and SSL versions. As the newest TLS version (TLS 1.3) is still in development, I would like to display this version as 'in development'. To make my timescale more consistent, I want to add the in development part to the other versions as well. As the timescale is mostly an illustration, an approximation or anecdotal reference is enough.

What do I know

I do know the following data:

I have looked at the following sources:

Does somebody know more information about the history of these protocols?

user23127
  • 1
    have you looked at the RFCs? – schroeder Jul 04 '15 at 17:12
  • and you looked at wiki, of course: https://en.wikipedia.org/wiki/Transport_Layer_Security – schroeder Jul 04 '15 at 17:14
  • I looked at the RFCs and the wiki: both only say when the spec was released, not when development started. Is there a way to find old drafts of RFCs? Then I could just find the first draft as an approximation (which is obviously not very accurate). – user23127 Jul 04 '15 at 17:19
  • Please include the research that you have done in your question. Also highlight that you want to know when development started and not when it was released. I'm also unsure about what you would accept as the "start" of development. What kind of data are you looking for? – schroeder Jul 04 '15 at 17:22
  • Nothing is going to be official in terms of "I started thinking about improving the current spec around ...." aside from anecdotal evidence. I'm really not sure that you will find what you are looking for. Can I ask why you are looking for this or what you will use the data for? – schroeder Jul 04 '15 at 17:24
  • I'm making a timescale of the development of SSL and TLS protocols. It will give an idea how old various protocols are and when development started. As TLSv1.3 is just being developed, it seemed like a good idea to include an approximation of when the protocols were being developed. It does not need to be very accurate, anecdotal references would be enough. I'll update the question to include this information. – user23127 Jul 04 '15 at 17:27
  • 1
    Cool. For completeness sake, I'd list both the 'development start date' and the 'release date'. That will make the question more clear. – schroeder Jul 04 '15 at 17:30
  • Hmm... If a feature was deferred from one release to a later one, what would be the release date of the later one? – Neil Smithline Jul 05 '15 at 04:45
  • You mean development date? For my purpose I would just go with when they had the first meeting about the new version, so that can be directly after the previous release? – user23127 Jul 05 '15 at 08:34
  • TLS working group archives have all the info for TLS 1 and later. The Netscape protocols were not developed in the open. – Z.T. Jul 05 '15 at 09:02

2 Answers

5

TL;DR

This is what the little research I did was able to find. Most of these dates are, as you can read in the longer version, based on the first submitted draft of the respective protocols and not the first time they were talked about. I hope this might help in your work anyway, and that it might help when doing further research.

  • SSLv1 - November/December 1993.
  • SSLv2 - At the end of year 1994, before November 29.
  • SSLv3 - 5. December 1995.
  • TLS1.0 - 26. November May 1996.
  • TLS1.1 - 19. February 2002.
  • TLS1.2 - February 2006.
  • TLS1.3 - 17. April 2014.

This is by no means a complete and "100%" list, and I hope someone wants to take the little research I've done and further expand on it.

The longer, more historical version

As StackzOfZtuff also noted, the IETF Datatracker is a valuable tool for digging backwards in the history of RFCs, and will be a nice companion for the rest of your digging.

Netscape

SSLv1

Netscape Communications started to develop the SSL protocol soon after the National Center for Supercomputing Applications (NCSA) released Mosaic 1.0 - the first popular Web browser - in 1993. Eight months later, in the middle of 1994, Netscape Communications already completed the design for SSL version 1 (SSL 1.0)

SSL and TLS: Theory and Practice by Rolf Oppliger

Version 1 of Mosaic was released for the Windows platform November 11, 1993. (In the beginning there was NCSA Mosaic....). We could then guess that SSLv1 was done around July 1995.

Version 1 was never released publicly. Rolf Oppliger tells the tale why in SSL and TLS: Theory and Practice:

[SSL v1] circulated only internally (i.e., inside Netscape Communications), since it had several shortcomings and flaws. For example, it didn't provide data integrity protection. In combination with the use of the stream cipher RC4 for data encryption, this allowed an adversary to make predictable changes to the plaintext message. Also, SSL 1.0 did not use sequence numbers, so it was vulnerable to replay attacks. Later on, the designers of SSL 1.0 added sequence numbers and checksums, but still used an overly simple cyclic redundancy check (CRC) instead of a cryptographically strong hash function that is one-way and collision-resistant.

SSLv2 (Also known as SSL 0.2)

Netscape Communications came up with SSL Version 2. (SSL 2.0) at the end of 1994, to resolve the problems mentioned with SSL 1.

SSL and TLS: Theory and Practice by Rolf Oppliger

tools.ietf.org/html/draft-hickman-netscape-ssl-00.txt

There is a mirror of the SSL 2.0 draft located in Mozilla's archives, but there is no date for when the draft was originally started or submitted, only for when it was revised.

The spec got revised a couple of times:

  • November 29, 1994
  • December 22, 1994
  • January 17, 1995
  • January 24, 1995
  • February 9, 1995

Fun fact:

Both SSL2 and SSL3 have 16-bit (two-byte) version number fields. SSL2 interprets this as a single 16-bit integer, and the official number is 2, e.g. 0x0002. SSL3 interprets two-byte version numbers as a one byte "major" number and a one byte "minor" (or fractional) number. So the value 0x0002 is interpreted by SSL3 as version 0.2, not 2.0. http://www-archive.mozilla.org/projects/security/pki/nss/ssl/

SSLv3

SSLv3 was according to this draft first submitted to IETF 5. December 1995. draft-freier-ssl-version3-00.

IETF

TLS 1.0

The first TLS 1.0 draft was written on November 26, 1996 according to draft-ietf-tls-protocol-00.txt.

[edit 14:22 5/7/2015] As commented by @user23127, development of TLS 1.0 was started in May of 1996. "SSL and TLS: Designing and Building Secure Systems" by Rescorla, Eric, page 49, section 2.6

TLS 1.1

The earliest document I can find for TLS 1.1 is draft-ietf-tls-rfc2246-bis-00 (https://tools.ietf.org/id/draft-ietf-tls-rfc2246-bis-00.txt, https://datatracker.ietf.org/doc/rfc4346/history/), uploaded to IETF 19. February 2002. Note that the header of that document says:

The TLS Protocol

Version 1.0

They first added version 1.1 to the draft in the second revision published 6. October 2002: draft-ietf-tls-rfc2246-bis-02

TLS 1.2

The draft draft-ietf-tls-rfc4346-bis-00 states February 2006.

TLS 1.3

The earliest draft on IETF is this one: draft-ietf-tls-tls13-00.txt uploaded 17 April 2014. This matches the first commit on the GitHub repo tls13-spec that you linked to.

Mrtn
  • 1
    This is great! Thank you. I just want to note that I found one refinement in "SSL and TLS" by Rescorla: development of TLS 1.0 was started in May of 1996 (page 49, section 2.6). If you could add that I'll accept this answer. – user23127 Jul 05 '15 at 12:21
  • @user23127 Done! Great find, I really wanted to get my hands on that book as well, might have to pick it up later! – Mrtn Jul 05 '15 at 12:31
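
The two readings of the version field described in the "fun fact" of the answer above, as an added example that is not part of the original answers. The function names, the framing checks and the sample bytes are constructed for illustration.

```python
import struct

# (major, minor) pairs as SSL3 and TLS 1.0-1.2 write them in a record header.
# TLS 1.3 is omitted: its records carry a legacy version value in this field.
SSL3_STYLE_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                    (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def read_as_ssl2(field: bytes) -> int:
    """SSL2 reading: the two bytes form one big-endian 16-bit integer."""
    return struct.unpack(">H", field)[0]


def read_as_ssl3(field: bytes) -> tuple:
    """SSL3/TLS reading: first byte is the major number, second the minor."""
    return field[0], field[1]


def hello_version(data: bytes) -> str:
    """Name the version offered in the first bytes of a client hello."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] & 0x80 and data[2] == 1:
        # SSL2 framing: 2-byte length with the top bit set,
        # message type 1 (CLIENT-HELLO), then the version field.
        field = data[3:5]
        if read_as_ssl2(field) == 2:
            return "SSL 2.0 (SSL2 framing)"
        name = SSL3_STYLE_NAMES.get(read_as_ssl3(field), "unknown")
        return f"{name} (SSL2-compatible framing)"
    if data[0] == 22:
        # SSL3/TLS framing: content type 22 (handshake), then major.minor.
        major, minor = read_as_ssl3(data[1:3])
        return SSL3_STYLE_NAMES.get((major, minor), f"unknown {major}.{minor}")
    return "not a client hello"


# Constructed sample prefixes (first five bytes only), not captured traffic.
SAMPLES = {
    "ssl2": b"\x80\x1f\x01\x00\x02",
    "ssl3_in_ssl2_framing": b"\x80\x2e\x01\x03\x00",
    "tls12_record": b"\x16\x03\x03\x00\x2f",
}

if __name__ == "__main__":
    print("0x0002 as SSL2:", read_as_ssl2(b"\x00\x02"))
    print("0x0002 as SSL3:", "%d.%d" % read_as_ssl3(b"\x00\x02"))
    for label, prefix in SAMPLES.items():
        print(label, "->", hello_version(prefix))
```
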
2

The IETF has a data tracker for its RFCs.

This means that you can flesh out the development timeline by adding the various drafts for each RFC. And you can narrow down dates to the date of the first published draft.

What this doesn't tell you is when development for the first submitted draft of each RFC started.

Also the "SSL" named protocols were not developed through the RFC process.

Datatrackers

Partial timeline

  • 1996-12-03, TLS 1.0, first draft (of 6)
  • 1999-01-01, TLS 1.0, RFC published
  • 2002-02-19, TLS 1.1, first draft (of 13)
  • 2006-03-02, TLS 1.2, first draft (of 10)
  • 2006-04-26, TLS 1.1, RFC published
  • 2008-08-15, TLS 1.2, RFC published
  • 2014-04-17, TLS 1.3, first draft

Further reading

  • Ivan Ristić, Bulletproof SSL and TLS, introductory chapter is free online. Section "Protocol History" on page 3.

    • And especially this quote:

      For a much more detailed history of the early years of the SSL protocol, I recommend Eric Rescorla’s book SSL and TLS: Designing and Building Secure Systems (Addison-Wesley, 2001), pages 47–51.

  • Nice scrollable timeline here: Ivan Ristić, SSL/TLS and PKI History

StackzOfZtuff
  • This is accurate enough for my purposes. The first drafts seem to start almost directly after the release of the previous version, so the development can't be started much earlier (except TLS 1.1 and TLS 1.3). It's a bummer that SSL was developed internally. I'll accept this answer, if no answer regarding SSL comes up. – user23127 Jul 05 '15 at 10:30
  • 1
    I've added a further reading section. Mentions Rescorla's book. Haven't read it myself, though. – StackzOfZtuff Jul 05 '15 at 11:06
  • Yeah, I actually just found that myself and planned to pick up Rescorla's book in the university library. Thank you! – user23127 Jul 05 '15 at 11:35
  • Okay, the book doesn't give much extra information, except that TLS v1.1 development was started in May of 1996. – user23127 Jul 05 '15 at 12:19