SSL is on a Transport Layer or Application Layer

ErinkimaErinkima Banned Posts: 15 ■□□□□□□□□□
edited July 2019 in SSCP
Hi All,

SSL is on a Transport Layer or Application Layer?

TLS is on a Transport layer which replaced the SSL. It make sense that it is on a SSL Layer. But on the user end, when a person access, the https here could refer to application layer.

Can anyone advise?

Any good website on OSI model for CISSP preparation


  • TheProfezzorTheProfezzor Member Posts: 204 ■■■□□□□□□□
    The following lie on the transport layer:

    - TCP
    - UDP
    - SSL
    - TLS
    - SPX

    When you access the website using your explorer, HTTP is at work on application layer. SSL is being used to encapsulate the HTTP traffic, at the transport layer. SSL at the transport layer encrypts the HTTP traffic coming from the application layer.
    OSCP: Loading . . .
  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 11,530 Admin
    Just to note, you need to always specify if the context is the OSI model or the TCP/IP model.

    In the TCP/IP model, all encryption and session management is in the Application Layer, and SSL uses TCP for Transport Layer services, so SSL is in the Application layer in the TCP/IP model.

    In the OSI model it's less defined because encryption is in Layer 6 and session control is in Layer 5. HTTPS (layer 7) uses SSL and SSL (Layers 5/6) uses TCP (Layer 4). SSL negotiation actually starts in Layer 5 and the encrypted tunneling kicks in after the SSL handshake is successful, so I would call SSL an OSI Layer 5 protocol.
  • EasyPeezyEasyPeezy Member Posts: 111 ■■■□□□□□□□
    It is usually written TSL/SSL... Secure sockets live in the application layer and the TSL being the Transport live in the transport layer.
  • jonwinterburnjonwinterburn Senior Member Member Posts: 161 ■■■■□□□□□□
    New to these forums (long time lurker) and currently studying for SSCP. Actually been studying CISSP on and off for 18 months, but decided to take the SSCP route first. It's more applicable to my job, and it'll prepare me for CISSP.

    @JDMurray - I'm a little confused by your reply above. Having spent the last 3 days studying Crypto, I thought I'd nailed SSL/TLS. However, you say it's a layer 5/6 (OSI) protocol. I understood it to be layer 4/5 protocol, with the emphasis (from exam perspective) of layer 4, as per Shon's description in her AIO CISSP:

    "SSL is made up of two protocols—one works in the lower portion of the session layer and the other works in the transport layer. For purposes of the CISSP exam, SSL resides in the transport layer."

    Secondly, the acronym TLS would indicate that it operates primarily at layer 4.

    I suppose the $64m question is: is it likely that a question will come up which requires a specific answer to which layer SSL resides in?


  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 11,530 Admin
    My previous comment was only about SSL and not TLS. However, SSL and TLS are basically the same thing. TLS might have been called SSL 4.0 had it not changed to make it backward-incompatible with SSL, so the name had to be changed as well. This means that TLS and SSL must be in the same layer(s).

    When I look at an SSL or TLS connection in a protocol analyzer, I see it riding on top of TCP. If TLS (or SSL) was its own transport protocol, there would be no TCP there, as only one transport protocol can be in use by a connection. One could say that a "transport layer security" mechanism does not need to reside directly in the transport layer, but instead can reside above it to encrypt the payload being transported. This means that a standard transport mechanism (TCP) can still be used and be more secure without needing to make changes to the Transport Layer. That sounds like a win-win to me.
  • teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
    According to the AIO, 6th edition (p. 531), SSL and TLS work at the transport layer of the OSI model.

    According to CISSP for Dummies (p. 259), "SSL operates at the Transport Layer (Layer 4) of the OSI model..."
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
  • SuperISSOSuperISSO Member Posts: 47 ■■□□□□□□□□
    Thanks for clearing this up. I kept reading different resources and choose transport layer. Then, I took an online course that stated its on the presentation layer. I was confused until reading your response.
Sign In or Register to comment.