SSL, TLS, and HTTPS — What's the Difference?
You've probably seen the padlock icon in your browser's address bar and heard that a site "has SSL." But what does that actually mean, and how does it protect you? SSL, TLS, and HTTPS are closely related — and often confused — terms that together describe how secure connections work on the internet.
Here's the short version: SSL (Secure Sockets Layer) is the original protocol, now deprecated. TLS (Transport Layer Security) is its modern replacement. HTTPS is simply HTTP running over TLS. When people say "SSL certificate," they almost always mean a TLS certificate — the names stuck even as the technology moved on.
What Problem Does TLS Solve?
Without TLS, data sent between your browser and a web server travels as plain text. Anyone on the same network — a coffee shop Wi-Fi, an ISP, a router in between — can read it. This includes passwords, credit card numbers, and session cookies.
TLS solves three distinct problems:
- Confidentiality — encrypts data so only the intended recipient can read it
- Integrity — detects if data was tampered with in transit
- Authentication — proves the server is actually who it claims to be (via certificates)
How the TLS Handshake Works
Before any application data is exchanged, the browser and server perform a TLS handshake — a negotiation that establishes a secure channel. Here's what happens, simplified:
Step 1: Client Hello
Your browser sends a message listing the TLS versions and cipher suites it supports, plus a random number (the "client random").
Step 2: Server Hello + Certificate
The server picks a TLS version and cipher suite, sends its own random number, and presents its SSL/TLS certificate. The certificate contains the server's public key and is signed by a trusted Certificate Authority (CA) like Let's Encrypt, DigiCert, or Sectigo.
Step 3: Certificate Verification
Your browser checks the certificate against its built-in list of trusted CAs. It verifies: (a) the certificate is signed by a trusted CA, (b) it hasn't expired, and (c) the domain name matches. If any check fails, you see a browser security warning.
Step 4: Key Exchange
The browser and server exchange enough information to independently compute a shared session key. In TLS 1.3, this uses Diffie-Hellman key exchange, meaning the session key is never actually transmitted — both sides derive it mathematically.
Step 5: Encrypted Communication Begins
Both sides confirm the handshake succeeded, then switch to symmetric encryption (typically AES) using the shared session key. Symmetric encryption is fast — asymmetric (public-key) cryptography such as RSA is used only during the handshake.
Why symmetric after the handshake? Asymmetric encryption (public/private keys) is mathematically expensive. Symmetric encryption is thousands of times faster. TLS uses the best of both: asymmetric crypto to securely agree on a key, symmetric crypto to do the actual bulk encryption.
What Does a TLS Certificate Actually Contain?
A TLS certificate (X.509 format) includes:
- Subject — the domain name(s) the certificate covers (CN and SANs)
- Issuer — the Certificate Authority that signed it
- Validity period — Not Before and Not After dates
- Public key — used during the handshake key exchange
- Signature — the CA's digital signature proving the certificate is genuine
- Serial number (and the fingerprint, a hash computed over the certificate) — for identification and revocation
TLS Versions: Which Should You Use?
| Version | Status | Notes |
|---|---|---|
| SSL 2.0 | Broken ❌ | Deprecated 1996, multiple critical vulnerabilities |
| SSL 3.0 | Broken ❌ | POODLE attack (2014), deprecated 2015 |
| TLS 1.0 | Deprecated ⚠️ | PCI DSS banned since 2018 |
| TLS 1.1 | Deprecated ⚠️ | Removed from major browsers in 2020 |
| TLS 1.2 | Acceptable ✓ | Widely supported, still considered secure with proper configuration |
| TLS 1.3 | Recommended ✅ | Faster handshake, stronger security, forward secrecy by default |
What is Forward Secrecy?
Forward secrecy (also called Perfect Forward Secrecy, PFS) means that if an attacker records your encrypted traffic today and later obtains the server's private key, they still cannot decrypt the old traffic. Each session uses a unique ephemeral key that is discarded after use.
TLS 1.3 requires forward secrecy. TLS 1.2 supports it optionally via ECDHE cipher suites. This is one reason TLS 1.3 is strongly preferred.
How Certificates Are Validated
Certificate Authorities issue three types of certificates with different validation levels:
- DV (Domain Validated) — CA verifies you control the domain. Fast and free (Let's Encrypt). Shows the padlock.
- OV (Organization Validated) — CA verifies your organization exists. Takes days. Shows company name in certificate details.
- EV (Extended Validation) — Strictest checks. Previously showed a green bar; modern browsers removed the visual distinction but EV info is still in the cert.
For most sites: DV certificates from Let's Encrypt are free, auto-renewing, and completely sufficient. The padlock looks identical to OV or EV certificates to end users.
HTTPS vs HTTP: What's Actually Different
HTTP transfers data as plain text on port 80. HTTPS wraps HTTP inside TLS on port 443. From the application layer's perspective, HTTPS is invisible — your browser and server just send HTTP requests and responses, but the TLS layer underneath handles encryption, integrity checks, and authentication transparently.
Common SSL/TLS Errors and What They Mean
- ERR_CERT_AUTHORITY_INVALID — certificate signed by an untrusted CA (common with self-signed certs in development)
- ERR_CERT_DATE_INVALID — certificate has expired or isn't valid yet
- ERR_SSL_PROTOCOL_ERROR — TLS version mismatch or misconfigured server
- NET::ERR_CERT_COMMON_NAME_INVALID — certificate domain doesn't match the URL
- Mixed Content Warning — page loaded over HTTPS but contains HTTP resources (images, scripts)
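As an added illustration of Step 3 of the handshake and of the first three error codes in this list (example code written for this article, not from any browser or the Go project), the following Go program builds a constructed self-signed certificate and runs the three browser checks with the standard library's crypto/x509 verifier; the host name example.test, the returned labels, and the sample dates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a constructed self-signed certificate for host (stand-in for a CA-issued cert and its root).
func selfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the certificate's public key comes from this pair
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames:    []string{host}, // the SAN a browser matches against the URL's host
		NotBefore:   notBefore, NotAfter: notAfter, // the validity period (Not Before / Not After)
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:        true, BasicConstraintsValid: true, // self-signed, so it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // signed by its own key
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserCheck mirrors Step 3: trusted signer, inside the validity window, name matches the URL. Returns "ok" or the failed check.
func browserCheck(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "untrusted-ca" // what a browser reports as ERR_CERT_AUTHORITY_INVALID
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired" // ERR_CERT_DATE_INVALID
		}
	case x509.HostnameError:
		return "name-mismatch" // NET::ERR_CERT_COMMON_NAME_INVALID
	}
	return "invalid: " + err.Error() // any other verification failure
}
```

Calling browserCheck with an empty trust pool, a time after NotAfter, or a different host name reproduces the three failures in turn, which is exactly the order of checks a browser applies before showing its warning page.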
Summary
TLS is the foundation of secure communication on the web. It provides encryption (so data can't be read in transit), integrity (so data can't be tampered with), and authentication (so you know you're talking to the right server). HTTPS is simply HTTP running over TLS. Use TLS 1.2 or 1.3, get a free certificate from Let's Encrypt, and let Cloudflare or your web server handle the rest.