What does TLS (Transport Layer Security) provide and where does it sit in the network stack?
TLS provides confidentiality, integrity, and authentication of the TCP byte stream. It sits between the transport layer (TCP) and the application layer (HTTP, SMTP, IMAP, …) — application-agnostic.
The stack:
HTTP / SMTP / IMAP / … ← Application
↓
TLS / SSL ← The security layer
↓
TCP ← Transport
↓
IP / Ethernet / … ← Lower layers
TLS sub-protocols:
| Sub-protocol | Role |
|---|---|
| Handshake Protocol | Negotiate cipher suite, exchange keys, authenticate server (and optionally client) |
| Record Layer | Frame, encrypt, MAC, and decrypt the data stream |
| Change Cipher Spec | Signal "subsequent records will use the new keys" (TLS ≤1.2 only) |
| Alert Protocol | Error / warning notifications between peers |
| Application Data | The actual encrypted payload (HTTP request bodies, IMAP commands, etc.) |
Why it's application-agnostic: because TLS frames bytes generically, any protocol that runs over TCP can be wrapped in TLS just by switching ports (HTTP→HTTPS port 80→443, IMAP→IMAPS port 143→993). No application-level changes required.
Historical naming: the protocol was called SSL (Secure Socket Layer) v1/v2/v3 by Netscape (1995). After IETF standardisation it became TLS v1.0 in 1999. Versions:
| Version | Year | Status |
|---|---|---|
| SSL 2.0 | 1995 | ❌ Insecure, disabled everywhere |
| SSL 3.0 | 1996 | ❌ POODLE attack (2014) |
| TLS 1.0 | 1999 | ❌ Deprecated 2020 |
| TLS 1.1 | 2006 | ❌ Deprecated 2020 |
| TLS 1.2 | 2008 | ✅ OK, still common |
| TLS 1.3 | 2018 | ✅ Modern default — fewer round trips, AEAD-only, mandatory PFS |
Tip: "SSL" is still colloquially used (SSL certificate, OpenSSL the library) but technically you almost always mean TLS today. Servers should disable SSL 2/3 and TLS 1.0/1.1 entirely.