You visit a website, and a small padlock icon appears next to the URL, which starts with https://. You see it every day, and you've probably been told that this means the site is "secure," but what does that really mean? What's happening behind the scenes to protect your information?
That security is thanks to an evolution of technologies: SSL, its successor TLS, and the protocol that uses them, HTTPS. While the acronyms might sound intimidating, the concepts are straightforward. This article will demystify what they are, how they work together, and why they are essential for anyone running a website or just browsing the internet. Let's dive in.
What is encryption?
Before we can talk about SSL or TLS, we need to understand the core concept they rely on: encryption.
Imagine you want to send a secret note to a friend. You wouldn't write it in plain English for anyone to read. Instead, you might use a secret code. You'd "encrypt" the message, and your friend, who knows the code, could "decrypt" it back into a readable format.
Encryption is the process of scrambling data using complex mathematical algorithms so that it becomes unreadable nonsense to anyone who intercepts it. Only the person or computer with the correct "key" can unscramble (decrypt) the data back to its original form. This is the fundamental principle that keeps your passwords, credit card numbers, and private messages safe online.
SSL and its successor, TLS
So, how do two computers on the internet, say, your browser and a web server, agree on a secret code without an eavesdropper listening in? This is where SSL and TLS come in. They are protocols, or sets of rules, for establishing these secure, encrypted connections.
What is SSL (Secure Sockets Layer)?
SSL was the original encryption protocol developed by Netscape back in the 1990s. It was a groundbreaking technology that made e-commerce possible by creating a secure way to transmit sensitive information over the public internet.
However, just like old software, SSL has aged. Over the years, security researchers discovered significant vulnerabilities in all versions of the SSL protocol. Because of these flaws, SSL is now considered deprecated and insecure. No modern, secure website should be using it.
What is TLS (Transport Layer Security)?
TLS is the direct successor to SSL. When the Internet Engineering Task Force (IETF) took over development of the protocol, they renamed it to TLS to signify a clean break from the less-secure past. The first version of TLS was released in 1999, and it has been continuously updated since, with TLS 1.3 being the current standard.
TLS does the same job as SSL: it authenticates the server and creates an encrypted connection, but it does so using stronger, more modern encryption algorithms.
Even though virtually all "secure" connections today use TLS, the term "SSL" has stuck around. People often say "SSL certificate" or "SSL security" out of habit, but in reality, they are almost always referring to technology powered by TLS.
How the SSL/TLS handshake works
To create a secure connection, your browser and the web server perform a sequence of steps called a "handshake." It happens in milliseconds, but here’s a simplified breakdown of what goes on:
- Browser hello: Your browser sends a "hello" message to the server, saying it wants to establish a secure connection and listing which TLS versions and encryption methods it supports.
- Server responds: The server sends back its SSL/TLS certificate. This certificate acts like a digital ID card, proving the server is who it claims to be. The server also chooses the strongest encryption method that both it and the browser support.
- Verification: Your browser checks the certificate to make sure it's valid and was issued by a trusted Certificate Authority (CA).
- Key exchange: Once the browser trusts the server's identity, they securely exchange a unique "session key." This key will be used to encrypt all the data for the rest of the session.
- Secure communication begins: With the handshake complete, all data sent between your browser and the server is now encrypted with the session key.
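What the browser's "hello" from the first step looks like on the wire, as an added example that is not part of the original article: the Python below constructs a minimal ClientHello record and parses out the server name, TLS versions and cipher suites it offers. The host name example.com, the helper names and the offered suites are assumptions chosen for illustration. This message is sent before any session key exists, so without Encrypted Client Hello it travels in the clear, which is why a network observer can still see which site you are connecting to.

```python
import struct

# A few IANA code points, enough for the sample below (not exhaustive).
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
VERSIONS = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2"}

def u16(values):
    return b"".join(struct.pack("!H", v) for v in values)

def build_client_hello(host, suites, versions):
    """Construct a minimal ClientHello record to use as sample input."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sv = bytes([2 * len(versions)]) + u16(versions)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ((0, sni), (43, sv)))
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # legacy version, random, empty session id
            + u16([2 * len(suites)]) + u16(suites) + b"\x01\x00"  # cipher suites, null compression
            + u16([len(exts)]) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + u16([len(hs)]) + hs            # record type 22 = handshake

def parse_client_hello(rec):
    """Return the server name, versions and cipher suites a ClientHello offers."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    try:
        p = 9 + 2 + 32                  # record + handshake headers, legacy version, random
        p += 1 + rec[p]                 # session id
        n = struct.unpack_from("!H", rec, p)[0]
        suites = [s for s, in struct.iter_unpack("!H", rec[p + 2:p + 2 + n])]
        p += 2 + n
        p += 1 + rec[p]                 # compression methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        out = {"sni": None, "versions": [], "suites": [SUITES.get(s, hex(s)) for s in suites]}
        while p + 4 <= min(end, len(rec)):
            etype, elen = struct.unpack_from("!HH", rec, p)
            data = rec[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0:              # server_name: list len(2), type(1), name len(2), name
                out["sni"] = data[5:].decode("ascii")
            elif etype == 43:           # supported_versions: len(1), then 2-byte versions
                out["versions"] = [VERSIONS.get(v, hex(v))
                                   for v, in struct.iter_unpack("!H", data[1:])]
        return out
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc

SAMPLE = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
```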
Putting it all together: What is HTTPS?
Now we know what TLS is. So, what is HTTPS?
The "S" in HTTPS stands for "Secure." It's simply the standard Hypertext Transfer Protocol (HTTP) layered on top of an SSL/TLS connection.
- HTTP is the protocol used to fetch resources like HTML documents. It's the language browsers and servers use to communicate.
- TLS is the protocol that creates the secure, private channel for that communication.
Essentially, HTTPS = HTTP + TLS.
When you use a website with HTTPS, you're protected from "man-in-the-middle" attacks, where an attacker secretly intercepts and reads or alters your communication with the website. It guarantees both the confidentiality (no one can read the data) and integrity (no one can change the data) of your connection.
How SSL/TLS certificates verify identity
The SSL/TLS certificate is the linchpin of this entire system. It serves two critical functions:
- Authentication: It proves that the server you're connected to is legitimately owned by the domain you see in your address bar. This prevents attackers from impersonating a legitimate site, like your bank.
- Encryption: It contains the public key that the browser uses during the handshake to securely create the session key.
These certificates are issued by trusted third parties called Certificate Authorities (CAs). Before issuing a certificate, a CA verifies that the applicant actually owns and controls the domain. This trust model is why your browser can automatically verify a site's identity.
Conclusion
While SSL laid the groundwork, TLS is the current standard that provides the encryption, and HTTPS is the application of that encryption to web traffic. Together, they create the secure (and necessary) web experience we rely on every day.
If you're interested in learning how to create a free Let's Encrypt TLS certificate for your website, we have a step-by-step guide on using the Certbot tool on Linux.
Frequently asked questions about SSL, TLS, and HTTPS
What is the main difference between SSL and TLS?
TLS (Transport Layer Security) is the modern, more secure successor to SSL (Secure Sockets Layer). While they perform the same function, SSL has known vulnerabilities and is now considered outdated. All modern secure connections use TLS, even if they are sometimes referred to as "SSL" out of habit.
Do I still need an "SSL certificate" if I use TLS?
Yes. The term "SSL certificate" has stuck around as an industry-standard name, but these digital certificates are used for both SSL and TLS protocols. When you get an "SSL certificate" today, you will be using it to enable TLS on your server.
Is HTTPS enough to make me anonymous online?
No. HTTPS encrypts the data between you and the website, so your ISP or someone on your local network can't see what you're doing on that site. However, the website itself still sees your IP address, and your ISP can still see which websites you are connecting to (just not the specific content). For anonymity, you would need to use tools like a VPN or the Tor browser.
Why do browsers show a "Not Secure" warning?
Browsers show this warning when a website is loaded over HTTP instead of HTTPS. This means any data you send to or receive from the site—including passwords or credit card information—is unencrypted and can be intercepted by third parties.
How do I get HTTPS on my website?
To enable HTTPS, you need to obtain an SSL/TLS certificate and install it on your web server. You can get free certificates from non-profit CAs like Let's Encrypt or purchase certificates with additional validation features from commercial CAs. After installation, you must configure your server to force all traffic over HTTPS.