TLS/SSL
Last updated: 2026-03-08
What Is TLS/SSL
TLS (Transport Layer Security) is a protocol that encrypts communication over the Internet. SSL (Secure Sockets Layer) is its predecessor and is now deprecated due to vulnerabilities, but the terms "SSL" and "SSL/TLS" are still commonly used by convention.
The lock icon and HTTPS prefix displayed in your browser's address bar indicate that TLS is protecting the communication. Without TLS, data such as passwords and credit card numbers would travel across the network in plaintext, making them vulnerable to interception.
How TLS Works - The Handshake
TLS communication begins with a procedure called the "handshake."
- Client Hello: The client sends the server a list of supported TLS versions and cipher suites.
- Server Hello: The server selects a cipher suite and sends its digital certificate (containing the public key) to the client.
- Key Exchange: Using public key cryptography, both parties securely generate a shared session key. In TLS 1.3, ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is mandatory.
- Encrypted Communication: All subsequent data is encrypted with the shared session key using a symmetric cipher such as AES.
TLS 1.3 reduced the handshake from 2-RTT to 1-RTT, significantly improving connection speed. It also supports 0-RTT resumption, which lets a client that has connected to a server before send application data in its very first flight, with virtually zero added latency. Because that early data can be replayed by anyone who captured it, 0-RTT should carry only idempotent requests.
What Changed in TLS 1.3
TLS 1.3 (RFC 8446, finalized in 2018) was not a minor update but a fundamental redesign of the protocol.
Certificate Types and How to Choose
- DV (Domain Validation): Verifies only domain ownership. Available for free via Let's Encrypt. Suitable for personal sites and blogs. Issued within minutes.
- OV (Organization Validation): Also verifies the organization's existence. Common for corporate websites. Issuance takes several days and requires submission of registration documents.
- EV (Extended Validation): The most rigorous verification, including legal existence and physical address. Previously displayed a green address bar, but major browsers have discontinued this visual distinction. The practical advantage over DV has diminished.
Encryption strength does not depend on the certificate type. DV, OV, and EV all use the same TLS encryption. The difference lies solely in the level of identity verification for the domain operator.
Let's Encrypt and Automated Certificate Management
Let's Encrypt launched its official service in 2016 as a free certificate authority, enabling automated certificate issuance and renewal through the ACME (Automatic Certificate Management Environment) protocol. Today, approximately 30% of TLS certificates on the Web are issued by Let's Encrypt.
With the ACME protocol, domain ownership is verified automatically (via HTTP-01 or DNS-01 challenges), and certificates are issued within seconds. Since certificates are valid for 90 days, automated renewal using tools like certbot is essential.
The widespread adoption of Let's Encrypt has dramatically lowered the barrier to HTTPS adoption. However, since DV certificates only verify domain ownership, they cannot prevent phishing sites from obtaining certificates. The lock icon alone should not be taken as proof that a site is trustworthy.
How to Verify TLS Configuration
You can verify whether a server's TLS configuration is secure using the following tools.
- SSL Labs (ssllabs.com): A free online test provided by Qualys. It grades configurations from A+ to F and comprehensively checks supported protocols, cipher suites, certificate chains, and known vulnerabilities (BEAST, POODLE, Heartbleed, etc.).
- testssl.sh: An open-source command-line tool. Useful for testing internal servers that are not publicly accessible. Runs on Linux/macOS.
- Browser Developer Tools: In Chrome, click the lock icon → "Connection is secure" → "Certificate is valid" to view the TLS version, cipher suite, and certificate details.
It is recommended to run SSL Labs after any server configuration change and to verify that the grade is A or higher.
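The handshake steps described above and the protocol-support check that SSL Labs and testssl.sh perform can both be exercised locally. The following Go program is an added example written for this page; it is not code from the page, from Qualys, or from the testssl.sh project. It builds a self-signed ECDSA certificate for the constructed hostname tls-demo.example (an assumption, not a real host), completes a TLS handshake between a client and a server over a loopback TCP socket, and then pins the client to each TLS version in turn to report which versions a server configuration accepts. A hardened configuration (TLS 1.2 minimum, ECDHE+AEAD suites only, so forward secrecy is guaranteed as in the TLS 1.2 vs. 1.3 comparison below) is placed beside a legacy one that re-enables TLS 1.0. All function and variable names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const demoHost = "tls-demo.example" // constructed hostname; the self-signed certificate below is issued for it

// SelfSignedCert builds a throwaway ECDSA P-256 certificate and a root pool that trusts it (stand-ins for a CA and a trust store).
func SelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{demoHost}, // the name the client's ServerName is checked against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HardenedServerConfig: TLS 1.2 floor and, for 1.2, ECDHE+AEAD suites only (forward secrecy); TLS 1.3 suites are fixed by the protocol.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// LegacyServerConfig is the weak counterpart: TLS 1.0 re-enabled, library-default suites.
func LegacyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// Negotiate runs one handshake over loopback TCP; tls.Dial sends the Client Hello and verifies the certificate against RootCAs and ServerName.
func Negotiate(clientCfg, serverCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, serverCfg)
			srv.Handshake() // completes, or rejects, the handshake the client starts below
			srv.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

// ProbeVersions does what SSL Labs or testssl.sh do for the protocol-support check: one handshake per TLS version, client pinned to that version.
func ProbeVersions(serverCfg *tls.Config, roots *x509.CertPool) map[uint16]bool {
	accepted := map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		_, err := Negotiate(&tls.Config{RootCAs: roots, ServerName: demoHost, MinVersion: v, MaxVersion: v}, serverCfg)
		accepted[v] = err == nil
	}
	return accepted
}

func main() {
	cert, roots, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	st, err := Negotiate(&tls.Config{RootCAs: roots, ServerName: demoHost}, HardenedServerConfig(cert))
	fmt.Printf("version=%#04x (0x0304 is TLS 1.3) suite=%s err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)
	fmt.Println("hardened server accepts:", ProbeVersions(HardenedServerConfig(cert), roots))
	fmt.Println("legacy server accepts:  ", ProbeVersions(LegacyServerConfig(cert), roots))
}
```

Run it with `go run`. With default client settings the session negotiates TLS 1.3; the pinned probe against the hardened server reports TLS 1.0 and 1.1 refused and 1.2 and 1.3 accepted, which is the protocol-support line of an SSL Labs report reproduced in miniature. The client never sets InsecureSkipVerify: a client with an empty RootCAs pool, or one expecting a different ServerName, fails the handshake, and that authentication step is what the lock icon actually attests to, nothing more.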
To learn more about this topic, see How HTTPS and TLS Work: The Encryption Behind Secure Communication.
Common Misconceptions
- SSL and TLS are different technologies
  - TLS is the successor protocol to SSL. TLS 1.0 was developed after SSL 3.0, and today TLS 1.2/1.3 are in use. The term "SSL certificate" is a legacy convention; in reality, they are TLS certificates.
- HTTPS means absolutely secure
  - HTTPS guarantees encryption of the communication channel, but whether the destination site itself is safe is a separate matter. Phishing sites also use HTTPS, so you should not trust a site based solely on the lock icon.
TLS 1.2 vs. TLS 1.3 Comparison
- TLS 1.2: Finalized in 2008. 2-RTT handshake. Supports many cipher suites (some with low security). Forward secrecy is optional.
- TLS 1.3: Finalized in 2018. 1-RTT handshake. Restricted to secure cipher suites only. Forward secrecy is mandatory. Supports 0-RTT reconnection.