# What is SSL/TLS?

> SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between clients and servers, forming the foundation of HTTPS.

- URL: https://www.browserutils.dev/glossary/ssl-tls
- Published: 2026-03-21
- Updated: 2026-03-16

---

**SSL/TLS (Secure Sockets Layer and Transport Layer Security)** are cryptographic protocols that encrypt communication between clients and servers, forming the foundation of HTTPS. SSL is the predecessor protocol; all SSL versions are deprecated and insecure. TLS, currently at version 1.3 (RFC 8446), is the modern standard. The term "SSL" persists colloquially even though every modern connection uses TLS.

## How TLS works

A TLS connection starts with a handshake:

1. **Client Hello**: The client sends supported TLS versions and cipher suites.
2. **Server Hello**: The server picks a cipher suite and sends its certificate.
3. **Certificate verification**: The client validates the server's certificate against trusted Certificate Authorities (CAs).
4. **Key exchange**: Both sides derive shared session keys using asymmetric cryptography (typically ECDHE).
5. **Encrypted communication**: All subsequent data is encrypted with symmetric encryption (typically AES-GCM) using the session keys.

TLS 1.3 simplified this to a single round-trip (1-RTT) or even zero round-trips (0-RTT for resumed connections), significantly reducing latency compared to TLS 1.2's two round-trips.

## Certificates

A TLS certificate binds a domain name to a public key, signed by a Certificate Authority. Certificates contain:

- Subject (domain name or wildcard like `*.example.com`)
- Issuer (the CA that signed it)
- Public key
- Validity period
- Signature algorithm (typically SHA-256 with RSA or ECDSA)

Let's Encrypt made free, automated certificates standard. There's no reason for any public-facing site not to use HTTPS in 2026.

## TLS versions

- **SSL 3.0**: Broken (POODLE attack). Disabled everywhere.
- **TLS 1.0/1.1**: Deprecated since 2020. Browsers no longer support them.
- **TLS 1.2**: Still widely used. Secure when configured properly.
- **TLS 1.3**: Current standard. Faster, simpler, removes legacy insecure options. Supports only strong cipher suites by design.

## Why TLS matters

Without TLS, all HTTP traffic is plaintext. Anyone on the same network (coffee shop Wi-Fi, ISPs, routers along the path) can read and modify the data. TLS provides three guarantees:

- **Confidentiality**: Data is encrypted. Eavesdroppers see ciphertext.
- **Integrity**: Tampered data is detected and rejected.
- **Authentication**: The client verifies it's talking to the real server, not an impersonator.

## Common issues

- **Mixed content**: Loading HTTP resources on an HTTPS page triggers browser warnings.
- **Certificate expiration**: Certificates have limited validity (90 days for Let's Encrypt). Automate renewal.
- **Cipher suite misconfiguration**: Enabling weak ciphers (RC4, 3DES) undermines security.
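
The checks below are an added example (not code from this page or its tools) showing, with Python's standard `ssl` module, a client context that refuses the deprecated protocol versions and weak ciphers listed above, plus an expiry check on a certificate's `notAfter` field. The function names, the sample cipher list, the dates and the 30-day renewal threshold are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Substrings of OpenSSL cipher names for the weak algorithms named above.
# OpenSSL spells 3DES suites "DES-CBC3-*". (Helper names here are hypothetical.)
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3")

# Constructed sample: cipher names as a legacy server configuration might list them.
LEGACY_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]


def hardened_client_context() -> ssl.SSLContext:
    """Client context: verify chain and hostname, TLS 1.2+, AEAD suites only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0, TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 list; 1.3 suites are fixed
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of every cipher suite the context is willing to negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names) -> list:
    """Return the cipher names that contain a weak-algorithm marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days left before notAfter (format used by getpeercert())."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def renewal_due(not_after: str, now: datetime, threshold_days: int = 30) -> bool:
    """True once the certificate is within threshold_days of expiring (assumed policy)."""
    return days_until_expiry(not_after, now) <= threshold_days


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("weak suites enabled in client context:", weak_ciphers(enabled_cipher_names(ctx)))
    print("weak suites in legacy sample:", weak_ciphers(LEGACY_SUITES))
    now = datetime(2026, 3, 21, tzinfo=timezone.utc)  # constructed "current" date
    print("renewal due:", renewal_due("Apr 10 00:00:00 2026 GMT", now))
```

To run the same checks against a live server, wrap a socket with the context and pass `getpeercert()["notAfter"]` to `days_until_expiry`.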

Inspect certificate details with the [SSL Certificate Decoder](/tools/ssl-certificate-decoder) and check your server's security headers with the [Security Headers Checker](/tools/security-headers-checker).