
Understanding SSL/TLS: The Foundation of Secure Web Communication

Every time you see a padlock icon in your browser's address bar, SSL/TLS is working behind the scenes to keep your data safe. Let's break down how this essential security technology works.

What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. TLS is actually the successor to SSL, but many people still use "SSL" as a general term for both.

Quick History: SSL was developed by Netscape in the 1990s. TLS 1.0 was introduced in 1999 as an upgrade. Today, TLS 1.3 (released in 2018) is the current standard, with TLS 1.2 still widely supported.

How Does TLS Work?

When you visit a secure website (HTTPS), your browser and the server perform a "TLS handshake" to establish a secure connection. Here's what happens:

Figure: The TLS handshake: browser and server agree on keys before any real data is sent.

1. Client Hello

Your browser sends a message to the server with the TLS versions and cipher suites it supports.

2. Server Hello

The server responds with its certificate and the cipher suite it picked.

3. Certificate Verification

Your browser verifies the server's certificate is valid, unexpired, and chains to a trusted CA.

4. Key Agreement

Client and server exchange key material (e.g. via ECDHE) and independently derive shared session keys.

5. Secure Connection

All subsequent data is encrypted with the agreed session keys.

SSL Certificates Explained

An SSL certificate is a digital document that does four key jobs:

Proves identity

Confirms a site actually controls the domain you're visiting.

Carries the public key

Holds the public key your browser uses to set up encryption.

Issued by a CA

Signed by a Certificate Authority your browser already trusts.

Publicly auditable

Logged to Certificate Transparency (CT) logs, so issuance can be checked.

Certificates also expire — and the maximum lifespan is shrinking fast under CA/Browser Forum Ballot SC-081:

Certificate Chain of Trust

SSL certificates are part of a "chain of trust" — each link signs the one below it, back up to a root your browser already trusts:

  • Root CA: The ultimate trust anchor, pre-installed in browsers & operating systems
  • Intermediate CA: Issues certificates on behalf of the root, keeping the root key offline
  • Your certificate: The end-entity cert your website actually presents to visitors

Types of Encryption

TLS uses two types of encryption working together — one to set up the connection, one to run it:

Asymmetric (public key)

Uses a pair of keys. Data encrypted with the public key can only be decrypted with the private key.

  • Used during the handshake
  • Slower, but no shared secret needed up front
  • e.g. RSA, ECDHE

Symmetric (shared key)

Uses a single shared key for both encryption and decryption — much faster.

  • Used for the actual data transfer
  • Fast enough for high-volume traffic
  • e.g. AES-GCM, ChaCha20

Modern Standard: TLS 1.3 uses AEAD (Authenticated Encryption with Associated Data) ciphers like AES-GCM and ChaCha20-Poly1305, which provide both confidentiality and integrity in a single operation.

TLS Versions Comparison

Version         Status       Recommendation
SSL 2.0 / 3.0   Deprecated   Never use - severe vulnerabilities
TLS 1.0         Deprecated   Disable - vulnerable to BEAST
TLS 1.1         Deprecated   Disable - no longer considered secure
TLS 1.2         Active       Acceptable - configure strong ciphers
TLS 1.3         Current      Recommended - fastest and most secure
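
The version recommendations above and the AEAD note, applied to a Python ssl client context and checked against a legacy one. This is an added example, not code from the original page; the function names are illustrative and the legacy suite list is constructed for the comparison.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client settings following the table: TLS 1.2 minimum, AEAD suites only."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; OpenSSL manages the TLS 1.3
    # suites separately, and those are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: no version floor, CBC-mode suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA:AES128-SHA")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context that allows old versions or non-AEAD suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2: " + ctx.minimum_version.name)
    for suite in ctx.get_ciphers():
        # OpenSSL reports per suite whether it is an AEAD construction.
        if not suite.get("aead", False):
            findings.append("non-AEAD suite enabled: " + suite["name"])
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or "no findings")
```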

Why SSL/TLS Matters

Without SSL/TLS, anyone between you and the server could:

Eavesdrop

Read sensitive data like passwords and credit-card numbers in transit.

Modify data

Silently alter the communications between you and the server.

Impersonate

Pretend to be a legitimate website to phish your visitors.

Important: Even with HTTPS, you should still verify you're on the correct domain. Attackers can obtain valid SSL certificates for lookalike domains (typosquatting).
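
A defender-side check for the lookalike-domain problem above, of the kind you might run over hostnames seen in Certificate Transparency logs. This is an added example, not code from the original page: the domain names are constructed, and treating the last two labels as the registrable domain is a simplifying assumption (it ignores multi-label suffixes such as co.uk).

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(host: str, protected: list, max_distance: int = 2) -> tuple:
    """Classify a hostname as ok, embedded, lookalike or unrelated."""
    host = host.lower().rstrip(".")
    for dom in protected:
        if host == dom or host.endswith("." + dom):
            return ("ok", dom)                # the domain itself or a subdomain
    for dom in protected:
        # Protected name used as leading labels of some other domain.
        if "." + dom + "." in "." + host:
            return ("embedded", dom)
    base = ".".join(host.split(".")[-2:])     # naive registrable domain (assumption)
    for dom in protected:
        if 0 < edit_distance(base, dom) <= max_distance:
            return ("lookalike", dom)
    return ("unrelated", None)


# Constructed sample data using reserved TLDs (.test, .invalid).
PROTECTED = ["example-bank.test"]
OBSERVED = [
    "www.example-bank.test",
    "examp1e-bank.test",
    "exmaple-bank.test",
    "example-bank.test.login.invalid",
    "unrelated.test",
]

if __name__ == "__main__":
    for name in OBSERVED:
        print(name, classify(name, PROTECTED))
```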

Common Terms Glossary

  • HTTPS: HTTP Secure - HTTP over TLS/SSL
  • CA: Certificate Authority - organization that issues certificates
  • CSR: Certificate Signing Request - file you send to a CA to get a certificate
  • PEM: Privacy Enhanced Mail - common certificate file format
  • HSTS: HTTP Strict Transport Security - forces HTTPS connections
  • SNI: Server Name Indication - allows multiple certificates on one IP