HTTPS, SSL, and TLS Explained: How Websites Stay Secure
The padlock in your browser hides a fascinating security system. This guide explains how HTTPS, SSL certificates, and TLS encryption protect your data online.
The padlock in your browser represents a complex security system that protects millions of web transactions every second. Understanding how HTTPS, SSL, and TLS work explains why the padlock matters, and when it doesn't.
HTTP vs HTTPS
HTTP (HyperText Transfer Protocol) sends data in plain text. Anyone between you and the server (your ISP, a coffee shop WiFi router, a state-level interceptor) can read it. HTTPS adds encryption using TLS (Transport Layer Security), making the data unreadable to anyone who intercepts it.
SSL vs TLS
SSL (Secure Sockets Layer) was the original protocol, developed by Netscape in 1995. TLS (Transport Layer Security) is its successor: more secure, more efficient. SSLv3 was deprecated in 2015; TLSv1.0 and 1.1 in 2020. All modern sites use TLS 1.2 or 1.3. When people say "SSL certificate," they technically mean a TLS certificate; the terms are used interchangeably in practice.
How the TLS Handshake Works
- Browser connects to server and says "hello," listing supported TLS versions and cipher suites
- Server picks the best cipher, sends its SSL certificate (containing its public key)
- Browser verifies the certificate against trusted Certificate Authorities (CAs)
- Both parties use asymmetric encryption to agree on a shared symmetric session key
- All further communication is encrypted with this session key
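The first step above can be observed without a network. The following is an added example, not code from the original page: it starts a handshake in memory with Python's standard ssl module, captures the ClientHello the client would send, and parses out the cipher suites and TLS versions it offers. The function names and the placeholder hostname example.test are assumptions made for this illustration.

```python
import ssl
import struct

def make_client_hello(server_name="example.test"):  # placeholder hostname
    """Start a handshake in memory and return the raw ClientHello record."""
    ctx = ssl.create_default_context()            # verifies cert chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for the server
    return outgoing.read()

def parse_client_hello(record):
    """Return (cipher suite ids, offered TLS version ids) from a ClientHello."""
    if len(record) < 44 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32        # record header, handshake header, version, random
    pos += 1 + record[pos]      # skip session id
    (suites_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = list(struct.unpack_from(f"!{suites_len // 2}H", record, pos))
    pos += suites_len
    pos += 1 + record[pos]      # skip compression methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_total
    versions = []
    while pos + 4 <= end:       # walk the extension list
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:      # supported_versions extension
            count = record[pos] // 2
            versions = list(struct.unpack_from(f"!{count}H", record, pos + 1))
        pos += ext_len
    return suites, versions

if __name__ == "__main__":
    names = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
    suites, versions = parse_client_hello(make_client_hello())
    print("offered versions:", [names.get(v, hex(v)) for v in versions])
    print("cipher suites offered:", [hex(s) for s in suites])
```

The ClientHello travels unencrypted, so the version and cipher list shown here are visible to anything on the network path, including monitoring tools that flag clients still offering deprecated protocol versions.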
What HTTPS Protects (and What It Doesn't)
- Protects: Data in transit between browser and server. ISPs and interceptors can't read the content.
- Doesn't protect: Data at rest on the server. If the server is hacked, data that was sent to it over HTTPS is exposed.
- Doesn't prove: That the website is trustworthy or legitimate. Phishing sites use HTTPS too.