Glossary

What Is SSL/TLS? Secure Web Connections Explained

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide encrypted, authenticated communication over the internet. When you see the padlock in a browser address bar, the connection is protected by TLS. SSL is technically deprecated, but the term is still used colloquially.

The TLS Handshake

The TLS handshake happens before any HTTP data is exchanged. The client sends supported cipher suites and a random number. The server responds with its certificate and chosen cipher. Both sides run a key agreement protocol (Diffie-Hellman) to derive a shared session key. All subsequent traffic is symmetrically encrypted with this key and authenticated with an HMAC or AEAD tag.
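
As an added example (not code from this page), the Python below parses the client's first handshake message, the ClientHello, and returns the random value, cipher suites and protocol versions it offers, which is what a defender inspects to spot clients still offering legacy options. The sample record is constructed inline, and the function names and the small code-point tables are assumptions made for illustration.

```python
import struct

# Subset of IANA cipher suite and version code points, enough for the sample below.
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def build_sample_client_hello():
    """Constructed ClientHello record (not a packet capture) used as parser input."""
    suites = struct.pack("!4H", 0x1301, 0x1302, 0xC02F, 0x0005)
    sv = struct.pack("!B2H", 4, 0x0304, 0x0303)           # supported_versions list
    ext = struct.pack("!HH", 0x002B, len(sv)) + sv
    body = (struct.pack("!H", 0x0303) + bytes(range(32))  # legacy_version + random
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                  # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def parse_client_hello(record):
    """Parse one unfragmented ClientHello record into random, suites and versions."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:5 + u16(record, 3)]
        versions, random = [u16(body, 0)], body[2:34]
        p = 35 + body[34]                                  # skip session_id
        n = u16(body, p); p += 2
        suites = [u16(body, i) for i in range(p, p + n, 2)]
        p += n
        p += 1 + body[p]                                   # skip compression methods
        end = p + 2 + u16(body, p) if p < len(body) else p # extensions are optional
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, p); p += 4
            if etype == 0x002B:                            # supported_versions
                versions = [u16(body, i) for i in range(p + 1, p + 1 + body[p], 2)]
            p += elen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None
    return {"random": random,
            "suites": [SUITES.get(s, hex(s)) for s in suites],
            "versions": [VERSIONS.get(v, hex(v)) for v in versions]}
```

A TLS 1.3 client keeps the legacy version field at TLS 1.2 and lists its real versions in the supported_versions extension, which is why the parser prefers that extension when it is present.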

TLS Certificates and Certificate Authorities

A TLS certificate binds a domain name to a public key and is signed by a Certificate Authority (CA) that browsers trust. Let's Encrypt issues free Domain Validation (DV) certificates. Extended Validation (EV) certificates require more rigorous identity checks. Certificate Transparency logs allow anyone to audit all issued certificates, preventing secret mis-issuance.

TLS 1.3 vs Older Versions

TLS 1.3 (2018) removes obsolete algorithms (RC4, MD5, SHA-1), requires forward secrecy, and reduces the handshake to 1 round-trip (down from 2 in TLS 1.2). TLS 1.0 and 1.1 are deprecated. TLS 1.2 is still widely supported, but TLS 1.3 should be preferred for all new deployments.