MyCertStatus

How Does SSL/TLS Work?

The technical process behind secure encrypted connections

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over computer networks. While we often say "SSL," modern websites actually use TLS, which is more secure and efficient.

The TLS Handshake Process

When you visit an HTTPS website, your browser and the web server perform a "TLS handshake" to establish a secure connection. This happens in milliseconds and involves several steps:

  1. Client Hello: Your browser sends a message to the server indicating it wants to establish a secure connection. This includes the TLS version and cipher suites (encryption algorithms) it supports.
  2. Server Hello: The server responds with its chosen TLS version and cipher suite, plus its SSL/TLS certificate containing its public key.
  3. Certificate Verification: Your browser verifies the certificate is valid, not expired, issued by a trusted Certificate Authority (CA), and matches the domain you're visiting.
  4. Key Exchange: The browser and server use asymmetric cryptography to securely agree on a "session key" that will be used for symmetric encryption during the session.
  5. Secure Connection Established: Both parties confirm the handshake is complete. All subsequent data is encrypted using the session key.
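
The negotiation and certificate checks from steps 1 to 3, as an added Python example that is not from the original page. `handshake_info` performs a real handshake (Python's default context already checks the CA chain and hostname and raises on failure), while `check_cert` repeats the expiry and domain checks on a constructed certificate so they can be followed offline. The function names, `SAMPLE_CERT` and the `example.test` names are assumptions made for illustration.

```python
import socket
import ssl
import time

def handshake_info(host, port=443, timeout=5.0):
    """Perform a real TLS handshake and return what was negotiated (needs network)."""
    ctx = ssl.create_default_context()            # trusted CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and TLS 1.0/1.1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "cert": tls.getpeercert()}

def name_matches(pattern, host):
    """Compare a certificate DNS name to the host; '*' covers one leftmost label only."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]      # reject overly broad '*.tld'
    return p == h

def check_cert(cert, host, now=None):
    """Return a list of problems found in a getpeercert()-style dict (empty = OK)."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in dns_names):
        problems.append("hostname mismatch")
    return problems

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    feb = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")
    may = ssl.cert_time_to_seconds("May  1 00:00:00 2024 GMT")
    print(check_cert(SAMPLE_CERT, "www.example.test", now=feb))
    print(check_cert(SAMPLE_CERT, "a.b.example.test", now=may))
```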

Public Key vs. Symmetric Encryption

TLS uses two types of encryption:

Asymmetric Encryption (Public Key Cryptography)

Used during the handshake. The server has a public key (shared in the certificate) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the private key. This is secure but computationally expensive.

Symmetric Encryption (Session Key)

Used for the actual data transfer after the handshake. Both browser and server share the same secret key. This is much faster than asymmetric encryption, making it ideal for encrypting large amounts of data during your browsing session.

What Gets Encrypted?

Once a TLS connection is established, everything transmitted between your browser and the server is encrypted:

  • URLs and page content
  • Form data (usernames, passwords, credit card numbers)
  • Cookies and session tokens
  • HTTP headers

This means that even if someone intercepts the data (like on public Wi-Fi), they can't read it, and they can't modify it without the change being detected.

Certificate Authorities and Trust

Your browser trusts an SSL/TLS certificate because it's signed by a Certificate Authority (CA) — an organization your browser already trusts. Browsers come pre-installed with a list of trusted CAs. When a CA issues a certificate, they digitally sign it with their own private key. Your browser can verify this signature using the CA's public key, confirming the certificate is legitimate and hasn't been tampered with.

SSL vs. TLS: What's the Difference?

SSL (Secure Sockets Layer) was the original protocol, but it had security vulnerabilities. TLS (Transport Layer Security) was introduced as a more secure replacement. The latest versions are TLS 1.2 and TLS 1.3, with TLS 1.3 being significantly faster and more secure. Despite this, the term "SSL certificate" is still commonly used, even though we're actually using TLS.

Tip: Use our free SSL certificate checker to see which TLS version and cipher suites a website supports.
