SSL/TLS

Updated June 8, 2026
Magic Magnets Team

The Lockbox and the Key

Imagine you need to send a highly confidential letter to a friend across the country. If you just write it on a postcard and hand it to the post office, anyone who handles it along the way (the mail carrier, the sorting facility workers) can read your secrets. This is exactly how the internet works by default (HTTP). Data is sent in "plaintext," meaning anyone sitting on the same Wi-Fi network at Starbucks can intercept and read your passwords.

To fix this, you decide to put your letter inside a sturdy steel lockbox. You snap an open padlock onto the box, give it to the mail carrier, and send it off. Only your friend has the key to open that specific padlock. Even if the mail carrier tries to look inside, they can't.

This is the essence of SSL/TLS. It's the technology that puts the internet inside a lockbox, changing http:// to https:// and adding that little padlock icon in your browser's address bar.

SSL vs. TLS: What's the difference?

Let's clear up the terminology right away.

  • SSL (Secure Sockets Layer) was the original protocol developed by Netscape in the 1990s.
  • TLS (Transport Layer Security) is the modern, more secure successor to SSL.

Technically, we all use TLS today. SSL is dead and completely deprecated because of massive security flaws. However, the tech industry is stubborn, and the term "SSL" stuck around. When someone says "SSL certificate," they almost always mean "TLS certificate."

The Core Goals of TLS

When you connect to a website like your bank, TLS guarantees three things:

  1. Encryption: Your data is scrambled. Hackers cannot read your password or credit card number as it travels across the internet.
  2. Authentication: You are actually talking to your bank, not an imposter.
  3. Integrity: No one tampered with the data in transit. If an attacker tries to change your "Transfer $10" request to "Transfer $10,000," the receiving side detects the alteration and the connection fails immediately instead of acting on the forged request.

How the Magic Happens: The TLS Handshake

The hardest part of encryption is figuring out how two complete strangers (your browser and the bank's server) can securely agree on a secret code word while hackers are listening to their conversation.

They do this using a brilliant piece of mathematics called the TLS Handshake, which relies on public-key (asymmetric) cryptography and on a Public Key Infrastructure (PKI) of trusted Certificate Authorities.

Here is the simplified human translation of what happens in milliseconds when you visit https://amazon.com:

1. The "Hello"

  • Browser: "Hi Amazon! I'd like to talk securely. Here are the encryption methods I understand."
  • Server: "Hi! Let's use TLS 1.3 with AES-256 encryption. Oh, and here is my ID card (the TLS Certificate) to prove I am the real Amazon."

2. The Verification

  • Browser: (Looks at the certificate). "Let's see... this ID card was signed by DigiCert, a trusted authority. The expiration date is valid. Okay, I believe you are the real Amazon."

3. The Secret Key Exchange

  • Browser: "Okay Amazon, I'm going to generate a super-secret random string called a Session Key. I'm going to encrypt this Session Key using the public padlock (Public Key) you gave me on your ID card. Here you go!"
  • Server: (Uses its deeply hidden Private Key to unlock the padlock). "Got it! I have the Session Key."

4. The Secure Conversation

  • Both: "Awesome. From now on, we will encrypt all our traffic using this Session Key. Anyone listening will just hear garbage noise."
[Figure: TLS handshake. The CA pre-signs the server certificate offline. The browser connects, verifies the certificate against its built-in CA trust list, generates a session key encrypted with the server's public key, and sends it. The server decrypts it with its private key. Both sides now share a symmetric session key for all subsequent encrypted traffic.]
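Here is an added Go example (written for this edit, not code from the article or its authors) that walks through the four steps above with the standard library's crypto/x509, crypto/rsa and AES-GCM: a constructed "Trusted Root CA" pre-signs a certificate for amazon.com, the simulated browser checks the signature chain, expiry and hostname against its trust list (and refuses a self-signed imposter claiming the same name), wraps a fresh session key with the certificate's public key, and both sides then encrypt with AES-256-GCM. The CA name, the 2048-bit keys, the 24-hour validity window and the "Balance: $42" reply are all constructed for the demo. It follows the article's RSA key-transport picture; TLS 1.3 itself derives the session key with an ephemeral Diffie-Hellman exchange and uses the certificate's private key to sign the handshake, but the roles of CA, certificate check and the switch to a symmetric key are the same.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the walkthrough readable: any setup failure aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert binds name to key's public half. With a parent it is signed by caKey (what a real
// CA does offline, long before any visit); with parent == nil it is self-signed, which is all an
// imposter without access to a trusted CA can produce.
func issueCert(name string, key *rsa.PrivateKey, parent *x509.Certificate, caKey *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // the expiry date the browser checks
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else { // a server certificate names the host it is valid for
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, caKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// gcm returns the symmetric AES-256-GCM "lock" for a 32-byte session key.
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Outcome reports what each handshake step produced.
type Outcome struct {
	Verified      bool   // step 2: the CA-signed certificate passed the browser's checks
	ImposterError string // step 2: why a self-signed "amazon.com" certificate was refused
	KeysMatch     bool   // step 3: the server recovered the browser's session key
	Reply         string // step 4: plaintext the browser recovered from the server's reply
}

func RunHandshake() Outcome {
	var out Outcome
	// Long before the visit: the CA signs the server's certificate; the browser ships with that CA.
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := issueCert("Trusted Root CA", caKey, nil, nil, true)
	serverKey := must(rsa.GenerateKey(rand.Reader, 2048))
	serverCert := issueCert("amazon.com", serverKey, caCert, caKey, false)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)

	// Steps 1-2: after the cleartext hello, the browser checks the ID card:
	// signature chain to a trusted CA, validity window, and hostname.
	opts := x509.VerifyOptions{Roots: trusted, DNSName: "amazon.com"}
	_, err := serverCert.Verify(opts)
	out.Verified = err == nil
	// An imposter with only its own key can self-sign a cert claiming "amazon.com"; it is refused.
	rogueKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rogueCert := issueCert("amazon.com", rogueKey, nil, nil, false)
	if _, err := rogueCert.Verify(opts); err != nil {
		out.ImposterError = err.Error()
	}

	// Step 3: the browser invents a random 256-bit session key and locks it with the
	// certificate's public key (RSA-OAEP); only the server's private key opens it.
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, sessionKey, nil))
	serverCopy := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil))
	out.KeysMatch = bytes.Equal(sessionKey, serverCopy)

	// Step 4: both sides switch to symmetric AES-256-GCM under the shared session key.
	nonce := make([]byte, 12) // GCM's standard nonce size; never reused under the same key
	must(rand.Read(nonce))
	ciphertext := gcm(serverCopy).Seal(nil, nonce, []byte("Balance: $42"), nil)
	out.Reply = string(must(gcm(sessionKey).Open(nil, nonce, ciphertext, nil)))
	return out
}

func main() {
	fmt.Printf("%+v\n", RunHandshake())
}
```

Running it prints the Outcome struct; the ImposterError field carries the same "certificate signed by unknown authority" reason that a browser turns into its red warning page, while the genuine certificate passes because its chain ends at a CA in the trust pool.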

Asymmetric vs. Symmetric Encryption

Notice the clever trick in step 3.

The handshake uses Asymmetric Encryption (a Public Key to lock, a Private Key to unlock). It is highly secure, but it requires massive amounts of math and is very slow. You don't want to use it for streaming a 4K Netflix movie.

So, the handshake is only used to secretly pass a lightweight Session Key back and forth. Once both sides have the Session Key, they switch to Symmetric Encryption (the same key locks and unlocks) for the rest of the connection. Symmetric encryption is incredibly fast.

TLS gives us the best of both worlds: the security of Asymmetric encryption to say hello, and the speed of Symmetric encryption to transfer data.
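To make the size-and-speed argument concrete, and to show the Integrity guarantee from the Core Goals section in action, here is an added Go example (not from the original article): it first tries to RSA-encrypt a roughly 1 MiB payload directly, which the library refuses outright because RSA-OAEP with a 2048-bit key carries at most 190 bytes per operation; it then does what TLS does, wrapping only a 32-byte session key with RSA and sealing the bulk data with AES-256-GCM in one pass; finally it flips a single ciphertext byte to show that the receiver rejects the tampered message. The payload, key size and timing fields are constructed for the demo, and the timings are for display only since they depend on the machine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// HybridResult records what happens when a large payload is protected with
// asymmetric encryption alone versus the TLS-style hybrid of both.
type HybridResult struct {
	RSATooLong     bool          // RSA refused the ~1 MiB payload outright
	RSAWrapTime    time.Duration // one asymmetric operation on the 32-byte session key
	AESSealTime    time.Duration // one symmetric operation over the whole payload
	RoundTrip      bool          // symmetric decryption recovered the payload intact
	TamperDetected bool          // one flipped ciphertext byte made decryption fail
}

func RunHybrid() (HybridResult, error) {
	var r HybridResult
	// Constructed sample payload: about 1 MiB standing in for a chunk of video.
	payload := bytes.Repeat([]byte("frame"), (1<<20)/5)

	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}

	// Attempt 1: lock the payload itself with the public key. RSA-OAEP with a
	// 2048-bit key and SHA-256 carries at most 190 bytes per operation, so the
	// library refuses before doing any work.
	_, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, payload, nil)
	r.RSATooLong = errors.Is(err, rsa.ErrMessageTooLong)

	// Attempt 2 (what TLS does): the asymmetric operation only wraps a short session key...
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return r, err
	}
	start := time.Now()
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, sessionKey, nil)
	if err != nil {
		return r, err
	}
	r.RSAWrapTime = time.Since(start)
	if _, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil); err != nil {
		return r, err
	}

	// ...and symmetric AES-256-GCM handles the bulk data in a single pass.
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return r, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return r, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return r, err
	}
	start = time.Now()
	ciphertext := gcm.Seal(nil, nonce, payload, nil)
	r.AESSealTime = time.Since(start)
	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
	r.RoundTrip = err == nil && bytes.Equal(plain, payload)

	// Integrity: the GCM authentication tag covers every byte, so a single flipped
	// bit anywhere in transit is detected and no plaintext is returned at all.
	tampered := append([]byte(nil), ciphertext...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = gcm.Open(nil, nonce, tampered, nil)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := RunHybrid()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The printed RSAWrapTime is the cost of one public-key operation on 32 bytes, while AESSealTime covers the entire payload; that per-byte gap, together with RSA's hard message-size limit, is why TLS reserves asymmetric cryptography for the handshake and moves bulk traffic to the symmetric session key.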

Certificates and Let's Encrypt

To prove identity, websites need a Certificate signed by a Certificate Authority (CA), a trusted third party like DigiCert or GoDaddy. Your browser has a hardcoded list of CAs it trusts. If a website's certificate isn't signed by one of them, the browser throws a massive, scary red warning screen.

In the past, these certificates cost hundreds of dollars a year. Today, a non-profit called Let's Encrypt provides free, automated certificates, democratizing HTTPS and pushing the web toward 100% encryption.

Summary

  • TLS (formerly known as SSL) provides Encryption, Authentication, and Integrity for internet traffic.
  • Without TLS, data is sent in plaintext and can be intercepted by anyone on the network.
  • The TLS Handshake uses slow, secure Asymmetric Encryption to secretly exchange a fast Symmetric Session Key.
  • Certificates act as a website's ID card, signed by a trusted Certificate Authority to prevent imposters from faking websites.
