[jjarmoc]

Please, can we stop calling it SSL?

SSL means something very specific; something that people should no longer be deploying. The article notably uses the term 'Non-secure HTTP' which at this point in time means HTTPS leveraging TLS (probably at least 1.2) but leaves some room for future interpretation as newer versions or entirely different standards arise.

No one is advocating for 'SSL' here, and continuing to use the term 'SSL' or 'SSL/TLS' when we really mean 'TLS' further confuses the situation.

[sp332]

It's not that specific. You could even negotiate a downgrade with a TLS server to use SSL. The first 3 versions of the protocol were named SSL and the later ones were named TLS but they're not really different.

[jjarmoc]

The differences are significant when it comes to the security of the underlying protocol, and the downgrade is why it's important you refuse to support SSL entirely. SSL of any version (v2 or v3.. the v1 you refer to was never publicly in use) comes with security problems that are resolved in TLS.

I won't bore you with the details, they're well explained at http://disablessl3.com/ among other places. All major browsers have ended support for SSL, and more secure alternatives have been available for years.

It's not a high risk; attacks require scenarios that may not be common, but it remains true that there's no reason to deploy SSL today.

[sp332]

TLS 1.0 was also vulnerable to BEAST. I'm assuming that pointing to TLS 1.0 as the "minimum" is temporary. Over time, we will decide that the cutoff should be TLS 1.1 and we'll deprecate TLS 1.0. At that point, everything you're saying about SSL will be true of TLS 1.0. It's really just a difference in version number.

[jjarmoc]

Yes, it likely will. That's probably why the article mentions a deprecation of "Non-Secure HTTP" rather than prescribing a specific TLS version. It's the sort of language that will stand the test of time as newer protocols become deprecated. The comments here, however, largely encourage "SSL" which is poor advice.

BEAST can be mitigated through ciphersuite selections and other measures. This makes it somewhat different than POODLE which is a protocol design flaw for which no reliable mitigation exists.

Suggesting folks not deploy SSLv3 is hardly a controversial statement. It's not just a difference in version number, it's a difference in protocol specification and name. When we say 'Use SSL' a well intentioned reader may follow that guidance and implement SSLv3, or worse disable support for TLS. Words mean things.