SSL, TLS, HTTPS Explained

Aditya Khadanga

1. SSL (Secure Sockets Layer): The Predecessor

What it is

SSL was the original cryptographic protocol designed to provide secure communication over a computer network. It establishes an encrypted link between a web server and a browser (or between two servers).

How it works (in simplified terms)

  • A browser requests a secure connection from a website.

  • The website's server sends its SSL certificate to the browser. This certificate contains the server's public key and identifying information.

  • The browser verifies the certificate's authenticity (usually by checking with a Certificate Authority).

  • If the certificate is valid, the browser generates a symmetric key (a secret key used for encrypting and decrypting data) and encrypts it using the server's public key.

  • The encrypted symmetric key is sent back to the server.

  • The server decrypts the symmetric key using its private key.

  • Now, both the browser and the server have the same symmetric key. All subsequent data exchanged between them is encrypted and decrypted using this shared secret key. This ensures confidentiality and integrity of the data.

Status

SSL is now considered largely obsolete and insecure due to various vulnerabilities discovered over time. While you might still encounter the term, modern systems almost exclusively use its successor, TLS.

2. TLS (Transport Layer Security): The Successor

What it is

TLS is the updated and more secure version of SSL. It's essentially SSL 3.1 and subsequent versions (TLS 1.0, 1.1, 1.2, 1.3).

How it works

TLS works on the same fundamental principles as SSL, but it incorporates numerous security enhancements and fixes for the vulnerabilities found in SSL. These improvements include:

  • Stronger encryption algorithms: TLS supports more robust and modern cryptographic algorithms.

  • Improved handshake process: The initial negotiation between the client and server to establish a secure connection is more secure.

  • Better message authentication: TLS provides stronger mechanisms to ensure the integrity of the data and prevent tampering.

  • More secure key exchange methods: TLS offers more secure ways for the client and server to agree on the shared secret key.

Relationship to SSL

Think of TLS as the evolution of SSL. It addresses the weaknesses of SSL and provides a more secure foundation for encrypted communication. When people talk about "SSL certificates" today, they almost always mean TLS certificates.

In essence, TLS is the current standard for securing network communication at the transport layer.

3. HTTPS (Hypertext Transfer Protocol Secure): The Application

What it is

HTTPS is the secure version of the standard HTTP protocol, which is used for transferring data on the World Wide Web.

How it works

  • HTTPS doesn't encrypt the entire internet; instead, it secures the communication between a web browser and a web server by using TLS (or, less commonly now, SSL) underneath.

  • The "S" in HTTPS: The "S" signifies that the HTTP communication is taking place over a secure TLS/SSL connection.

What it provides

  • Encryption: All data exchanged between the browser and the server (including URLs, form data, cookies, and the content of the web pages) is encrypted, preventing eavesdropping by third parties.

  • Data Integrity: HTTPS helps ensure that the data transmitted hasn't been tampered with in transit.

  • Authentication (via the TLS/SSL certificate): While not absolute proof of identity, the TLS/SSL certificate helps users verify that they are connecting to the intended website and not a malicious imposter. The certificate contains information about the website's owner and is typically issued by a trusted Certificate Authority (CA).

How to identify HTTPS: You can recognize an HTTPS connection by:

  • The https:// prefix in the website's URL in your browser's address bar.

  • The padlock icon (usually green or grey) displayed in the browser's address bar. Clicking on the padlock often shows details about the website's TLS/SSL certificate.

    To view the certificate, click the padlock, then click "Connection is secure", then click "Certificate is valid". If you scroll down a little, you can see the validity period and the SHA-256 fingerprints.
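The details the padlock dialog exposes (negotiated protocol, validity period, SHA-256 fingerprint) can also be read programmatically while enforcing that only TLS 1.2 or newer is accepted. The following is an added example, not code from the original post; the function names and the `example.com` default host are assumptions.

```python
import hashlib
import socket
import ssl
import sys
import time


def strict_client_context():
    """Client context that verifies chain and hostname and refuses SSL 3.0 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sha256_fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def days_until_expiry(not_after, now=None):
    """Whole days left before the certificate's notAfter date (negative once expired)."""
    expires = ssl.cert_time_to_seconds(not_after)
    return int((expires - (time.time() if now is None else now)) // 86400)


def inspect_server(host, port=443):
    """Complete a TLS handshake with host and return what the padlock dialog shows."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        # wrap_socket performs the handshake; an untrusted, expired or
        # wrong-host certificate raises ssl.SSLCertVerificationError here.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "not_before": cert["notBefore"],
                "not_after": cert["notAfter"],
                "days_left": days_until_expiry(cert["notAfter"]),
                "sha256": sha256_fingerprint(tls.getpeercert(binary_form=True)),
            }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    for key, value in inspect_server(host).items():
        print(f"{key:>10}: {value}")
```

A server that only offers SSL 3.0, TLS 1.0 or TLS 1.1 fails the handshake with an `ssl.SSLError` instead of silently downgrading.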

Analogy:

Imagine you're sending a letter:

  • HTTP: Sending a postcard – anyone can read it.

  • SSL/TLS: Putting the postcard in a sealed envelope – the contents are protected during transit. TLS is like a more tamper-proof and secure envelope.

  • HTTPS: Using the postal service (HTTP) but ensuring every letter (data exchange) is put in a secure, tamper-proof envelope (TLS/SSL).

Key Takeaways:

  • SSL is the outdated predecessor to TLS.

  • TLS is the current standard protocol for establishing secure, encrypted connections.

  • HTTPS is the secure version of HTTP that uses TLS (or historically SSL) to encrypt the communication between a web browser and a web server.

When you browse a website with https://, you are benefiting from the security provided by TLS (or in very rare cases, an older SSL implementation). This ensures your communication with the website is private and protected.

Written by

Aditya Khadanga

A DevOps practitioner dedicated to sharing practical knowledge. Expect in-depth tutorials and clear explanations of DevOps concepts, from fundamentals to advanced techniques. Join me on this journey of continuous learning and improvement!