How SSL Works?


In the vast landscape of the internet, where data flows at the speed of light, security is no longer optional; it's essential. Every time you see that comforting padlock icon in your browser's address bar, it's thanks to a technology called SSL (Secure Sockets Layer) or its modern successor, TLS (Transport Layer Security).
But how exactly does SSL work? Let's dive in.
What is SSL?
SSL (Secure Sockets Layer) is a cryptographic protocol designed to secure communication between a web browser (client) and a server. Although SSL 3.0 is deprecated and replaced by TLS, the term "SSL" is still commonly used.
The core goals of SSL are:
Encryption: Prevents data from being read by unauthorized parties.
Authentication: Ensures the server (and optionally the client) is who it claims to be.
Data Integrity: Ensures that the data hasn't been altered during transmission.
Real-World Analogy
Imagine sending a sealed, locked box through a courier. You give the recipient a key beforehand. Even if someone intercepts the box mid-transit, they can't open it. That's essentially what SSL does, except digitally.
Step-by-Step: How SSL/TLS Works
1. Client Hello
The SSL handshake starts when the client (usually your browser) connects to a secure server (like https://example.com) and says:
"Hi! I support these encryption protocols and ciphers. Here's a random number, and here's my SSL version."
This is known as the ClientHello message.
2. Server Hello
The server replies with a ServerHello, saying:
"Cool. Let's use this cipher suite. Here's my random number, and here's my digital certificate (SSL certificate)."
The certificate contains:
The server's public key
Domain name
Issuer (Certificate Authority, like Let's Encrypt)
Expiration date
Digital signature by the CA
3. Certificate Verification
The client verifies:
If the certificate is issued by a trusted Certificate Authority (CA)
If the domain name matches
If the certificate is still valid and not revoked
If it checks out, the handshake continues. If not, the browser will warn the user.
4. Key Exchange & Session Key Generation
Now the client generates a pre-master key (a random number), encrypts it using the server's public key, and sends it to the server.
The server decrypts this using its private key, and both sides independently compute the same session key using the pre-master key and the earlier random numbers.
This session key is used for symmetric encryption for the rest of the session (faster than asymmetric).
5. Secure Session Established
From now on:
Data is encrypted using the session key.
Both the server and client can encrypt and decrypt the data.
Integrity checks (like MACs) ensure the data hasn't been tampered with.
Congratulations! You're now securely connected over HTTPS.
Behind the Scenes: Algorithms Involved
Asymmetric Encryption (e.g., RSA, ECC): Used during handshake to exchange keys.
Symmetric Encryption (e.g., AES): Used after handshake for fast, secure communication.
Hashing (e.g., SHA-256): Used to verify data integrity.
What is an SSL Certificate?
An SSL Certificate is issued by a trusted third party called a Certificate Authority (CA). It's like a passport for your website, verifying your identity and enabling encrypted connections.
There are different types:
DV (Domain Validation): basic, cheap, fast
OV (Organization Validation): includes business info
EV (Extended Validation): highest trust, green address bar
How to Know If SSL is Working
When SSL is correctly set up:
You'll see https:// in the browser address bar.
A padlock icon will appear.
You can click it to view the certificate details.
What Happens Without SSL?
Without SSL:
Data (like passwords, credit cards) is sent in plain text.
Hackers can intercept or tamper with your data using man-in-the-middle (MITM) attacks.
Your website is marked "Not Secure" by modern browsers.
Final Thoughts
SSL/TLS is the foundation of modern internet security. Whether you're browsing memes, banking online, or managing cloud infrastructure, this protocol ensures your data stays safe and private.
So the next time you see that padlock in the corner of your screen, remember: the web is whispering, not shouting. All thanks to SSL.
Read articles from Nishank Koul directly inside your inbox. Subscribe to the newsletter, and don't miss out.
