TLS/SSL Explained
How TLS secures internet communication through certificates, handshakes, and encryption.
What Is TLS/SSL?
TLS (Transport Layer Security) is the protocol that secures internet communications. It's the successor to SSL (Secure Sockets Layer). When you see the padlock icon in your browser, TLS is protecting your connection.
Despite SSL being deprecated since 2015, people still use "SSL" informally. In practice, all modern secure connections use TLS 1.2 or TLS 1.3.
The TLS Handshake
Before encrypted communication begins, the client and server perform a handshake to establish the encryption parameters.
TLS 1.2 Handshake (2 round trips)
- Client Hello — Client sends supported cipher suites and a random number
- Server Hello — Server chooses a cipher suite, sends its certificate
- Key Exchange — Client and server exchange key material
- Finished — Both sides confirm the handshake
TLS 1.3 Handshake (1 round trip)
TLS 1.3 reduces the handshake to a single round trip by combining steps, significantly reducing connection latency.
Certificates
A TLS certificate proves the server's identity. It contains:
- Subject — The domain name the certificate is issued for
- Issuer — The Certificate Authority (CA) that vouches for the server
- Public key — Used during the key exchange
- Validity period — Start and expiration dates
- SANs — Subject Alternative Names (additional domains covered)
Certificates form a chain of trust: your browser trusts root CAs, which sign intermediate CAs, which sign server certificates.
Cipher Suites
A cipher suite specifies the algorithms used for each aspect of the secure connection:
# Generate an Ed25519 key (recommended)
ssh-keygen -t ed25519 -C "[email protected]"
# Or RSA with 4096 bits
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Modern recommended cipher suites use:
- AES-256-GCM or ChaCha20-Poly1305 for encryption
- ECDHE for key exchange (forward secrecy)
- SHA-384 or SHA-256 for hashing
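The naming convention behind the recommendations above, as an added example (not code from the original page): it splits IANA-style cipher suite names into key exchange, authentication, cipher and hash, then reports where a suite departs from the list. The function names and the sample suite list are assumptions made for illustration.

```python
RECOMMENDED_CIPHERS = {"AES_256_GCM", "CHACHA20_POLY1305"}
RECOMMENDED_HASHES = {"SHA384", "SHA256"}


def parse_suite(name):
    """Return the components of an IANA-style TLS cipher suite name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        # TLS 1.2 form: TLS_<key exchange>_<auth>_WITH_<cipher>_<hash>
        left, right = body.split("_WITH_", 1)
        kx, _, auth = left.partition("_")
        auth = auth or kx  # TLS_RSA_WITH_...: RSA does both jobs
    else:
        # TLS 1.3 form: TLS_<cipher>_<hash>; key exchange is negotiated separately
        kx, auth, right = "(EC)DHE", None, body
    cipher, _, hash_ = right.rpartition("_")
    if not hash_.startswith(("SHA", "MD5")):
        cipher, hash_ = right, None  # TLS 1.2 CCM suites carry no hash suffix
    return {"key_exchange": kx, "auth": auth, "cipher": cipher, "hash": hash_}


def findings(name):
    """List where a suite departs from the recommendations on this page."""
    s = parse_suite(name)
    out = []
    kx = s["key_exchange"]
    if kx not in ("ECDHE", "(EC)DHE"):
        fs = "forward secret, but not ECDHE" if kx == "DHE" else "no forward secrecy"
        out.append(f"key exchange {kx}: {fs}")
    if s["cipher"] not in RECOMMENDED_CIPHERS:
        out.append(f"cipher {s['cipher']}: not AES-256-GCM or ChaCha20-Poly1305")
    if s["hash"] not in RECOMMENDED_HASHES:
        out.append(f"hash {s['hash']}: not SHA-384 or SHA-256")
    return out


SAMPLES = [  # constructed input: suite names chosen for illustration
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", findings(name) or "matches the list above")
```

OpenSSL-style names such as `ECDHE-RSA-AES256-GCM-SHA384` use a different convention and are rejected by `parse_suite` rather than guessed at.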
TLS Version Comparison
| Version | Year | Status | Round Trips |
|---|---|---|---|
| SSL 3.0 | 1996 | Deprecated | 2 |
| TLS 1.0 | 1999 | Deprecated | 2 |
| TLS 1.1 | 2006 | Deprecated | 2 |
| TLS 1.2 | 2008 | Active | 2 |
| TLS 1.3 | 2018 | Recommended | 1 |
Forward Secrecy
Perfect Forward Secrecy (PFS) ensures that even if the server's private key is compromised in the future, past encrypted sessions remain secure. TLS 1.3 mandates forward secrecy; TLS 1.2 supports it with ECDHE key exchange.