Certified Security - Specialty


Why hasn’t AWS SSL been replaced with TLS like it has in the physical web application security world?

For AWS encryption, SSL is always mentioned. In physical-world web application security, SSL has been replaced with TLS due to vulnerabilities and features. Why the disparity?

Jonathan Glass

AWS has been using TLS for years. They even have their own slimmed-down version they open-sourced called "s2n". SSL is just a generic term for encrypted transport.

1 Answer

Today’s standard security technology for establishing secure connections is called TLS (Transport Layer Security).

SSL (Secure Sockets Layer) is a family of protocols that used to be the standard security technology for establishing an encrypted link between the web server and the browser. This secure link ensures that all data transferred remains confidential. The SSL Protocol was adopted by Netscape in 1994 as a response to the growing concern over Internet security. SSL 3.0 and earlier are vulnerable to a class of attacks that render those protocols fundamentally insecure.

Unfortunately, people (including companies like AWS) still refer to SSL when talking about "SSL-certificates" or "SSL-Termination". They, in fact, refer to just "a certificate" used for secure transmission/communication or a resource facilitating the handling of encrypted transmission. Correct implementation of encryption should be used to secure connections to keep (personal) data safe from monitoring and tampering while in transit. SSL should be explicitly disabled or TLS 1.2 or newer explicitly configured.

In my opinion, the underlying reason is simply that SSL was earlier, and when TLS got introduced in 1999, people kept referring to SSL instead of TLS, and that "stuck". Also, the fact that it has "Secure" in its name kind of does a lot…
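The answer's last recommendation (SSL explicitly disabled, TLS 1.2 or newer explicitly configured) can be checked in code. The following is an added example, not part of the original answer and not AWS code: it uses Python's standard `ssl` module, and the function names `hardened_client_context`, `legacy_style_context` and `audit_context` are hypothetical.

```python
import ssl

# Floor recommended in the answer above: TLS 1.2 or newer.
REQUIRED_FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()    # certificate and hostname checks on
    ctx.minimum_version = REQUIRED_FLOOR  # set explicitly, not left to defaults
    return ctx


def legacy_style_context() -> ssl.SSLContext:
    """Constructed weak configuration, used only as audit input."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no explicit floor
    ctx.check_hostname = False         # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE    # peer is never authenticated
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the ways this context falls short of 'TLS 1.2+, authenticated'."""
    findings = []
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED is -2, so it compares below TLSv1_2 just as the
    # SSLv3, TLSv1 and TLSv1_1 members do.
    if floor < REQUIRED_FLOOR:
        findings.append(f"protocol floor is {floor.name}, expected TLSv1_2 or newer")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("legacy-style", legacy_style_context())):
        print(name, audit_context(ctx) or "OK")
```

Without certificate and hostname verification, an encrypted channel still does not protect against tampering by an on-path party, which is why the audit reports those alongside the protocol floor.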
