Ever noticed that little lock icon 🔒 next to a website URL or the difference between http:// and https://?Those extra letters and that lock mean your connection is protected by a security layer known as TLS (previously called SSL).
But what exactly does TLS do? And how does it make your data safe while you browse, log in, or shop online?
Let's find out 👇
Fig 1: An image of lock icon depicting secure web connection
When Data Travels Without TLS — The Insecure Web
Let’s start
with a world without security layers.
When an
application uses the HTTP protocol, it sends and receives data as
plain text what we call HTTP requests and responses.
Every time
you submit a form or log in, that information (like your username and password)
gets converted into a stream of bits and bytes so it can
travel through the wired/wireless network as signals.
Fig 2: Transfer of data over insecure web connection
Now imagine
if someone manages to capture those signals.
They could easily reconstruct your data back into readable text your name,
password, or even credit card details.
That’s a
serious confidentiality breach, exactly what we discussed in the
CIA Triad post.
👉 And that’s why we need encryption.
What is Encryption?
Encryption is
like locking your message in a coded box before sending it.
Even if someone intercepts it, all they’ll see is gibberish.
It’s the
process of turning plain text into cipher text using
a special key a secret value that decides how data is scrambled.
But that
leads us to a few big questions:
- Which key do we use?
- How do we share it securely?
- And how do we make sure only the
right person can unlock it?
To answer
that, we need to understand two types of encryption.
⚙️ Symmetric Encryption
In symmetric
encryption, the same key is used to both encrypt and decrypt
data.
It’s fast and simple but there’s one big risk: if someone steals that key, they
can read everything.
Popular
symmetric algorithms: AES, DES, 3DES
🧩 Asymmetric Encryption
Asymmetric
encryption uses two keys — a public key and
a private key.
- You share your public key with
everyone.
- You keep your private key secret.
- Anything encrypted with one key
can only be decrypted with the other.
Popular asymmetric algorithms: RSA, ECC
🔐 How TLS Uses Encryption to Secure HTTP
TLS
(Transport Layer Security) combines the best of both encryption types to make
the web safe.
It’s the technology that upgrades HTTP into HTTPS — where the
“S” stands for Secure.
Here’s what
happens behind the scenes when you open an HTTPS website:
🔗 How TLS Communication establish
When your
browser connects to a website over HTTPS, this happens:
- Server Sends the TLS Certificate
→ The website presents its certificate to the browser. - Browser Verifies the Certificate
→ It checks if the certificate: - Was issued by a trusted Certificate
Authority (CA)
- Hasn’t expired
- Matches the domain you’re
visiting
- Secure Connection Established
→ Once verified, the browser and server exchange encryption keys and set up a secure TLS session.
From that
moment, all data like your passwords or form inputs is encrypted before
leaving your device.
🔐 What is a TLS Certificate?
A TLS
certificate (sometimes still called an SSL certificate) is
a digital identity card for a website.
It’s issued by a trusted Certificate Authority (CA) and helps
your browser confirm that the site you’re visiting is authentic and secure.
Think of it
as a digital passport that proves:
“Yes, this
website is really who it claims to be — and you can safely send your data to
it.”
🧩 What Does a TLS Certificate Contain?
A TLS
certificate includes several key details:
|
Field |
Description |
|
Domain
Name |
The exact
website address it’s issued for (e.g., www.hercybertalks.blogspot.com) |
|
Organization
Details |
The name,
location, and sometimes registration info of the website owner (for verified
orgs) |
|
Public
Key |
Used by
browsers to establish encrypted communication |
|
Issuer
(CA) |
The
Certificate Authority that issued and digitally signed the certificate |
|
Validity
Period |
Start and
expiry date (usually 90 days to 1 year) |
|
Signature |
A digital
signature by the CA to verify authenticity |
Fig 3: Visual Representation of a SSL/TLS Certificate
🧾 Types of TLS Certificates
|
Type |
Description |
|
Domain
Validated (DV) |
Verifies
only domain ownership; quick and free (e.g., Let’s Encrypt) |
|
Organization
Validated (OV) |
Verifies
the organization’s identity; adds more trust |
|
Extended
Validation (EV) |
Highest
level; displays company name in the address bar (used by banks, major
websites) |
🚨 What Happens if There’s No Valid TLS Certificate?
If a site’s
certificate is expired, self-signed, or untrusted, browsers show a warning
like:
⚠️ “Your
connection is not private.”
It’s the
browser’s way of saying:
“I can’t verify this website’s identity proceed only if you’re sure.”
🤝 The TLS Handshake: How a Secure Connection is Born
Now that we
know what TLS and certificates are, let’s see how your browser and a
website actually “agree” on a secure connection before sending any
data.
This process
is called the TLS Handshake — and it’s basically the moment
when your browser (the client) and the website’s server say:
“Hey, let’s
talk securely. Here’s how we’ll do it.”
Let’s break
it down step-by-step in simple terms 👇
🧱 Step 1: Setting up the TCP Connection
Before TLS
even begins, a basic connection must be made using the TCP three-way
handshake — the foundation of most web communication.
- Client → Server: Sends a SYN (synchronize)
packet saying “Hey, I’d like to connect.”
- Server → Client: Replies with SYN-ACK (synchronize
+ acknowledge) saying “Got it, I’m ready.”
- Client → Server: Sends ACK (acknowledge)
to confirm.
Now that both
sides can talk, the real TLS magic begins ✨
🔒 Step 2: The “ClientHello” – Hello,
Let’s Be Secure
Your browser
starts by sending a ClientHello message, which includes:
- Supported encryption
algorithms (also known as cipher suites)
- A random byte string (used
later to generate encryption keys)
- The TLS version it
supports
Think of this
like your browser saying:
“Hi, here’s
what I know. Let’s pick the best secure language to talk in.”
🖐️ Step 3: The “ServerHello” – I’ll Take
This Cipher, Please
The server
replies with a ServerHello message containing:
- The chosen cipher suite (from
the client’s list)
- Another random byte
string
- The server’s digital
certificate (the one we discussed earlier — proving its
identity!)
- Optionally, a request for
a client certificate (in case mutual authentication is needed)
This is the
server’s way of saying:
“Nice to meet
you! Here’s how we’ll secure our chat, and here’s proof that I’m legit.”
🧾 Step 4: Certificate Verification and
Key Exchange
Now your
browser plays detective 🕵️♀️
It verifies the server’s TLS certificate using the Chain
of Trust (Root CA → Intermediate CA →
Server).
If everything checks out, the browser continues.
Then comes
the ClientKeyExchange message — this includes a random
byte string used to create the session’s secret encryption key.
If the server
had asked for a client certificate, the browser sends that too.
Finally, the
client says:
“All set!
From now on, let’s talk secretly.”
This is done
through a ChangeCipherSpec message — it means “I’m switching
to encrypted mode.”
💬 Step 5: The Server Confirms
The server
replies with its own ChangeCipherSpec message, confirming:
“Got it, I’m
also switching to encrypted communication.”
From this
point forward, both client and server exchange encrypted data — all requests
and responses are now protected using symmetric encryption with the
key they just agreed upon.
🌐 Step 6: Secure Communication
Now the
session is live!
Everything — from your login credentials to your personal data — is encrypted
before leaving your device.
Even if someone intercepts it, all they’ll see is gibberish 🔐
💡 Fun fact:
This entire
handshake — all these packets, keys, and verifications — usually happens
in milliseconds before your page even loads!
🏢
Certificate Authorities (CAs) and the Chain of Trust
TLS
certificates are issued by Certificate Authorities such as Let’s
Encrypt, DigiCert, or GlobalSign.
Your browser
already “trusts” these CAs and keeps a list of their root certificates.
So when a site presents a certificate signed by one of them, your browser says:
🧠 “Okay, I trust this site — because I trust the CA that
vouches for it.”
That’s what
we call the Chain of Trust:
🏁 Wrapping Up
TLS (and SSL, its older version) quietly protects almost everything we do online from logging into social media to making bank transfers.
It ensures that your data is encrypted, your website is verified, and your connection is trusted through the Chain of Trust.
So next time you see that 🔒 lock icon, you’ll know there’s a whole security system working behind the scenes — CAs, certificates, and cryptography — keeping your data safe from prying eyes.
✨ Keep learning, keep exploring, and keep reading on security.
.webp)
.webp)