šŸ” How SSL Works?

Nishank Koul

In the vast landscape of the internet, where data flows at the speed of light, security is no longer optional; it's essential. Every time you see that comforting padlock icon in your browser's address bar, it's thanks to a technology called SSL (Secure Sockets Layer) or its modern successor, TLS (Transport Layer Security).

But how exactly does SSL work? Let’s dive in.

🧩 What is SSL?

SSL (Secure Sockets Layer) is a cryptographic protocol designed to secure communication between a web browser (client) and a server. Although SSL 3.0 is deprecated and replaced by TLS, the term "SSL" is still commonly used.

The core goals of SSL are:

  • Encryption: Prevents data from being read by unauthorized parties.

  • Authentication: Ensures the server (and optionally the client) is who it claims to be.

  • Data Integrity: Ensures that the data hasn't been altered during transmission.

🌐 Real-World Analogy

Imagine sending a sealed, locked box through a courier. You give the recipient a key beforehand. Even if someone intercepts the box mid-transit, they can’t open it. That’s essentially what SSL does—except digitally.

🔄 Step-by-Step: How SSL/TLS Works

1. Client Hello

The SSL handshake starts when the client (usually your browser) connects to a secure server (like https://example.com) and says:

"Hi! I support these encryption protocols and ciphers. Here's a random number, and here's my SSL version."

This is known as the ClientHello message.


2. Server Hello

The server replies with a ServerHello, saying:

"Cool. Let’s use this cipher suite. Here's my random number, and here’s my digital certificate (SSL certificate)."

The certificate contains:

  • The server’s public key

  • Domain name

  • Issuer (Certificate Authority, like Let’s Encrypt)

  • Expiration date

  • Digital signature by the CA


3. Certificate Verification

The client verifies:

  • If the certificate is issued by a trusted Certificate Authority (CA)

  • If the domain name matches

  • If the certificate is still valid and not revoked

If it checks out, the handshake continues. If not, the browser will warn the user.


4. Key Exchange & Session Key Generation

Now the client generates a pre-master key (a random number), encrypts it using the server’s public key, and sends it to the server.

The server decrypts this using its private key, and both sides independently compute the same session key using the pre-master key and the earlier random numbers.

This session key is used for symmetric encryption for the rest of the session (faster than asymmetric).


5. Secure Session Established

From now on:

  • Data is encrypted using the session key.

  • Both the server and client can encrypt and decrypt the data.

  • Integrity checks (like MACs) ensure the data hasn’t been tampered with.

Congratulations! You're now securely connected over HTTPS.
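As an added example (not code from the original article), the Python below carries steps 4 and 5 through using the TLS 1.2 PRF from RFC 5246, which the article does not name: both sides turn the pre-master secret and the two hello random numbers into the same master secret and per-direction keys, then a derived MAC key exposes a tampered record. It assumes the pre-master secret has already reached the server as described in step 4, the record MAC is simplified to cover only a sequence number and the payload, and all sample values are constructed.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5: HMAC-SHA256 expanded to `length` bytes."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)         # TLS 1.2 PRF

def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Turn the pre-master secret and both hello randoms into per-direction keys."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key expansion puts the server random first (RFC 5246 section 6.3).
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {
        "master_secret": master,
        "client_mac_key": block[0:32],
        "server_mac_key": block[32:64],
        "client_enc_key": block[64:80],   # AES-128 keys, derived but unused here
        "server_enc_key": block[80:96],
    }

def mac_record(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Simplified record MAC: covers the sequence number and payload only."""
    return hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def verify_record(mac_key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_record(mac_key, seq, payload), tag)

def demo() -> dict:
    client_random, server_random = os.urandom(32), os.urandom(32)  # constructed samples
    pre_master = b"\x03\x03" + os.urandom(46)   # 2-byte version + 46 random bytes
    client = derive_keys(pre_master, client_random, server_random)
    server = derive_keys(pre_master, client_random, server_random)
    tag = mac_record(client["client_mac_key"], 0, b"GET / HTTP/1.1")
    return {
        "same_keys": client == server,
        "accepted": verify_record(server["client_mac_key"], 0, b"GET / HTTP/1.1", tag),
        "tampered": verify_record(server["client_mac_key"], 0, b"GET /admin HTTP/1.1", tag),
    }

if __name__ == "__main__":
    print(demo())
```

TLS 1.3 derives its keys with HKDF instead of this PRF and no longer offers the public-key encryption of the pre-master secret from step 4, so the derivation shown applies to TLS 1.2-style handshakes.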


šŸ” Behind the Scenes: Algorithms Involved

  • Asymmetric Encryption (e.g., RSA, ECC): Used during handshake to exchange keys.

  • Symmetric Encryption (e.g., AES): Used after handshake for fast, secure communication.

  • Hashing (e.g., SHA-256): Used to verify data integrity.

🧾 What is an SSL Certificate?

An SSL Certificate is issued by a trusted third party called a Certificate Authority (CA). It’s like a passport for your website, verifying your identity and enabling encrypted connections.

There are different types:

  • DV (Domain Validation) – basic, cheap, fast

  • OV (Organization Validation) – includes business info

  • EV (Extended Validation) – highest trust, green address bar

✅ How to Know If SSL is Working

When SSL is correctly set up:

  • You’ll see https:// in the browser address bar.

  • A padlock icon will appear.

  • You can click it to view the certificate details.

āš ļø What Happens Without SSL?

Without SSL:

  • Data (like passwords, credit cards) is sent in plain text.

  • Hackers can intercept or tamper with your data using man-in-the-middle (MITM) attacks.

  • Your website is marked “Not Secure” by modern browsers.

🧠 Final Thoughts

SSL/TLS is the foundation of modern internet security. Whether you're browsing memes, banking online, or managing cloud infrastructure, this protocol ensures your data stays safe and private.

So the next time you see that padlock in the corner of your screen, remember—the web is whispering, not shouting. All thanks to SSL.
