browserutils
← All terms

// glossary

What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between clients and servers, forming the foundation of HTTPS.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between clients and servers, forming the foundation of HTTPS. SSL is the predecessor — all SSL versions are deprecated and insecure. TLS (currently version 1.3) is the modern standard, but “SSL” persists as the colloquial term.

How TLS works

A TLS connection starts with a handshake:

  1. Client Hello: The client sends supported TLS versions and cipher suites.
  2. Server Hello: The server picks a cipher suite and sends its certificate.
  3. Certificate verification: The client validates the server’s certificate against trusted Certificate Authorities (CAs).
  4. Key exchange: Both sides derive shared session keys using asymmetric cryptography (typically ECDHE).
  5. Encrypted communication: All subsequent data is encrypted with symmetric encryption (typically AES-GCM) using the session keys.

TLS 1.3 simplified this to a single round-trip (1-RTT) or even zero round-trips (0-RTT for resumed connections), significantly reducing latency compared to TLS 1.2’s two round-trips.

Certificates

A TLS certificate binds a domain name to a public key, signed by a Certificate Authority. Certificates contain:

  • Subject (domain name or wildcard like *.example.com)
  • Issuer (the CA that signed it)
  • Public key
  • Validity period
  • Signature algorithm (typically SHA-256 with RSA or ECDSA)

Let’s Encrypt made free, automated certificates standard. There’s no reason for any public-facing site not to use HTTPS in 2026.

TLS versions

  • SSL 3.0: Broken (POODLE attack). Disabled everywhere.
  • TLS 1.0/1.1: Deprecated since 2020. Browsers no longer support them.
  • TLS 1.2: Still widely used. Secure when configured properly.
  • TLS 1.3: Current standard. Faster, simpler, removes legacy insecure options. Supports only strong cipher suites by design.

Why TLS matters

Without TLS, all HTTP traffic is plaintext. Anyone on the same network (coffee shop Wi-Fi, ISPs, routers along the path) can read and modify the data. TLS provides three guarantees:

  • Confidentiality: Data is encrypted. Eavesdroppers see ciphertext.
  • Integrity: Tampered data is detected and rejected.
  • Authentication: The client verifies it’s talking to the real server, not an impersonator.

Common issues

  • Mixed content: Loading HTTP resources on an HTTPS page triggers browser warnings.
  • Certificate expiration: Certificates have limited validity (90 days for Let’s Encrypt). Automate renewal.
  • Cipher suite misconfiguration: Enabling weak ciphers (RC4, 3DES) undermines security.

Inspect certificate details with the SSL Certificate Decoder and check your server’s security headers with the Security Headers Checker.

#Related Tools

SSL Certificate Decoder
Decode PEM certificates and show details
Security Headers Checker
Check and analyze HTTP security headers
RSA Key Generator
Generate RSA public/private key pairs

#Related Terms

What is SHA-256?
SHA-256 is a cryptographic hash function from the SHA-2 family that produces a fixed 256-bit (32-byte) digest from any input, widely used for data integrity verification and digital signatures.
What is CORS?
CORS (Cross-Origin Resource Sharing) is an HTTP-header-based mechanism that allows a server to indicate which origins other than its own are permitted to load its resources.
What is a Content Security Policy (CSP)?
A Content Security Policy (CSP) is an HTTP response header that lets website owners control which resources the browser is allowed to load, mitigating cross-site scripting and data injection attacks.
What is DNS?
DNS (Domain Name System) is the hierarchical naming system that translates human-readable domain names like example.com into IP addresses that computers use to route network traffic.
What are HTTP Status Codes?
HTTP status codes are three-digit numbers returned by a server in response to a client's request, indicating whether the request succeeded, failed, or requires further action.

#Learn More

Glossary
What is CORS?
Glossary
What is CSP?
Glossary
What is Nginx?