
Updated 10 hours ago

The Internet is a network of strangers. When you type your credit card number into a website, that data crosses dozens of networks owned by people you've never met, routed through machines you've never seen, to reach a server operated by a company you're trusting with your money.

TLS is how that trust becomes possible.

The Problem TLS Solves

Without TLS, Internet communication is like sending postcards. Anyone handling the postcard can read it. Anyone can write a new postcard pretending to be you. And you have no way to verify that the response you receive actually came from who you think it came from.

TLS solves all three problems:

Encryption turns your postcard into a locked box. Only you and the recipient have keys. Everyone else handling the box sees only metal.

Authentication proves the recipient is who they claim to be. When a server says "I'm your bank," TLS provides cryptographic proof—not just a claim, but a verifiable certificate signed by trusted authorities.

Integrity ensures nothing changed in transit. If someone tampers with your message, the cryptographic integrity check fails and the tampering is detected.

The Handshake

When you connect to an HTTPS website, your browser and the server perform a handshake. This happens in milliseconds, invisibly:

  1. Your browser says "I want a secure connection"
  2. The server presents its certificate—a cryptographic identity card
  3. Your browser checks: Is this certificate valid? Was it issued by a trusted authority? Does it match this website?
  4. If everything checks out, they agree on encryption keys
  5. All subsequent traffic is encrypted

This handshake is why you can type your password into a website and trust that only that website receives it—even though your data traveled through infrastructure owned by your ISP, backbone providers, and who knows who else.

SSL Is Dead. Long Live TLS.

SSL (Secure Sockets Layer) was the original protocol, created by Netscape in the 1990s. It had good intentions and bad implementations. Security researchers found serious vulnerabilities, and SSL was replaced by TLS (Transport Layer Security) starting in 1999.

Every version of SSL is now considered broken and dangerous. SSL 2.0 and SSL 3.0 should never be used. TLS 1.0 and 1.1 are also deprecated. Modern systems use TLS 1.2 or TLS 1.3.
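The certificate checks from handshake step 3 and the TLS 1.2 minimum, expressed as client settings in Python's standard `ssl` module. This is an added example, not code from the original page; the function names are hypothetical, and the weak context is a constructed counter-example shown beside the hardened one.

```python
import socket
import ssl
import sys


def hardened_client_context() -> ssl.SSLContext:
    """Client settings matching the checks in handshake step 3."""
    # Loads the platform's trusted CA list, sets verify_mode to
    # CERT_REQUIRED and turns on hostname checking.
    ctx = ssl.create_default_context()
    # Refuse SSL 3.0, TLS 1.0 and TLS 1.1; TLS 1.2 and 1.3 remain.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: encrypts, but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE      # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return one finding per missing protection (empty list = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate not matched to hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocols older than TLS 1.2 allowed")
    return findings


def handshake_report(host: str, port: int = 443) -> dict:
    """Handshake with the hardened context; raises ssl.SSLError on failure."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    print(audit_client_context(weak_client_context()))
    if len(sys.argv) > 1:   # optional: hostname to test against
        print(handshake_report(sys.argv[1]))
```

Running `audit_client_context` over the contexts an application builds makes a useful unit test: a client that disables verification still encrypts traffic, but it no longer knows who holds the other key.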

Yet we still call them "SSL certificates." The terminology fossilized while the technology evolved—like calling your car a horseless carriage. When someone says "SSL," they almost always mean TLS.

HTTPS: The Visible Face of TLS

HTTPS is just HTTP wrapped in TLS. The "S" stands for "Secure." When you see the padlock icon in your browser, that's TLS working.

HTTPS went from optional to expected to mandatory. Modern browsers mark plain HTTP as "Not Secure." Many browser features—geolocation, camera access, service workers—require HTTPS. Search engines rank HTTPS sites higher.

Let's Encrypt, launched in 2016, made certificates free. HTTPS adoption jumped from around 40% of web traffic to over 90%. The encrypted web became the default web.

Beyond the Browser

TLS secures more than websites:

  • Email: SMTP, IMAP, and POP3 use TLS to protect messages in transit
  • VPNs: Many tunnel your traffic through TLS connections
  • Messaging: WhatsApp, Signal, and others use TLS as part of their security
  • APIs: Every time your phone talks to a server, TLS likely protects that conversation

Any application sending sensitive data over the Internet benefits from TLS. It has become invisible infrastructure—like electricity, you only notice it when it's missing.

The Trust Chain

TLS relies on Certificate Authorities (CAs)—organizations trusted to verify identities and issue certificates. Your browser ships with a list of trusted CAs. When a website presents a certificate, your browser asks: Did a trusted CA vouch for this?

This chain of trust lets you connect to millions of websites without personally verifying each one. You trust the CAs, the CAs verify the websites, and the math ensures nobody can forge the proof.

TLS 1.3: Faster and Stronger

TLS 1.3, finalized in 2018, is the current state of the art. It removed old, vulnerable cryptographic options—not just deprecated them, but made them impossible to use. The handshake is faster, completing in fewer round trips. Privacy improved: more of the handshake itself is now encrypted.

Early TLS had noticeable overhead. Some sites only used HTTPS for login pages to save resources. Modern TLS with hardware acceleration has negligible performance cost. The security benefits are now free.
