HTTPS Was Invented by Netscape
Summary
The “S” in HTTPS — the secure protocol that protects every banking transaction, password submission, and private communication on the web — was invented by Netscape Communications in 1994 as SSL (Secure Sockets Layer). Netscape designed SSL to enable secure e-commerce on the web; their first commercial application was protecting credit card transactions in Netscape Commerce Server. Every HTTPS connection in history traces to engineering decisions made by a company that was acquired by AOL in 1998 and no longer exists. The protocol has been revised four times since (SSL 2.0, SSL 3.0, TLS 1.0–1.3) but the fundamental architecture Netscape designed has remained intact.
The Problem SSL Solved
When Netscape was building its web browser and server software in 1994, the World Wide Web was entirely unencrypted. HTTP sent data in plaintext; anyone who could observe network traffic between client and server could read everything — usernames, passwords, credit card numbers, personal communications.
For the web to support e-commerce, this had to change. Netscape’s chief scientist Taher Elgamal designed SSL 1.0 (never publicly released) and SSL 2.0 (shipped with Netscape Navigator 1.1 in early 1995). The design combined several existing cryptographic techniques:
- Public-key cryptography (RSA): The server presents a certificate containing its public key; the client uses it to establish an encrypted session key.
- Symmetric encryption (RC4 or DES): Once the session key is established, data is encrypted symmetrically for performance.
- Message authentication codes: Each message includes a keyed cryptographic hash that detects tampering in transit.
The certificate system — where trusted Certificate Authorities (CAs) vouch for the identity of servers — was Netscape’s design and has remained the fundamental trust model of HTTPS.
The Standardization
SSL 3.0 (1996) fixed significant vulnerabilities in SSL 2.0 and became the standard for HTTPS connections through the late 1990s. When the Internet Engineering Task Force (IETF) took over the protocol, they renamed it TLS (Transport Layer Security) to distinguish the open standard from Netscape’s proprietary name. TLS 1.0 (1999) was essentially SSL 3.1 with minor changes.
TLS 1.2 (2008) added support for stronger cipher suites and hash functions. TLS 1.3 (2018) removed support for known-vulnerable algorithms (RC4, MD5, SHA-1, 3DES) and simplified the handshake to reduce latency. Modern HTTPS connections use TLS 1.3.
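A defender can enforce the TLS 1.3 floor on a client and audit suite names for the algorithms listed above. The following is an added example, not code from Netscape or any TLS library's documentation; the function names and the sample suite list are constructed for illustration, and the name matching assumes OpenSSL or IANA style suite names.

```python
import ssl


def tls13_only_context() -> ssl.SSLContext:
    """Client context: CA and hostname verification on, nothing below TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def legacy_algorithms(suite: str) -> list:
    """Return which of RC4, MD5, 3DES, SHA-1 a cipher suite name relies on."""
    parts = suite.replace("_", "-").split("-")
    found = []
    if "RC4" in parts:
        found.append("RC4")
    if "MD5" in parts:
        found.append("MD5")
    if "3DES" in parts or "CBC3" in parts:  # OpenSSL spells 3DES "DES-CBC3"
        found.append("3DES")
    if parts[-1] == "SHA":  # a bare "SHA" suffix means HMAC-SHA1
        found.append("SHA-1")
    return found


def flagged_suites(names) -> dict:
    """Map each suite that uses a removed algorithm to the algorithms found."""
    return {n: legacy_algorithms(n) for n in names if legacy_algorithms(n)}


# Constructed sample: two modern suites and three legacy ones.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
]

if __name__ == "__main__":
    ctx = tls13_only_context()
    print(ctx.minimum_version.name, ctx.verify_mode.name)
    print(flagged_suites(SAMPLE_SUITES))
    # The context's cipher list can still name TLS 1.2 suites; the version
    # floor is what keeps them from being negotiated.
    print(flagged_suites(c["name"] for c in ctx.get_ciphers()))
```
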
The Legacy
SSL/TLS is now the foundational security layer of the internet. It protects:
- Every HTTPS web connection (browser to website)
- Email submissions (SMTP with TLS)
- VPN protocols
- API connections between services
The certificate authority ecosystem Netscape designed has experienced its own crises: DigiNotar (2011) was a CA whose compromise allowed forged certificates for Google, Microsoft, and others; Symantec’s CA operations were distrusted by Google in 2018 after systematic misissuance. The ecosystem has been hardened through Certificate Transparency (publicly logged certificates) and CAA DNS records.