
SSL/TLS - How HTTPS Encrypts Your Connection


SSL/TLS (Secure Sockets Layer / Transport Layer Security) is a protocol that encrypts communication over the internet. It encrypts data between web browsers and servers, preventing eavesdropping and tampering by third parties. Today, TLS, the successor to SSL, is the mainstream, but the two are conventionally referred to together as SSL/TLS. The "S" in HTTPS refers to this technology.

Historical Background

SSL was developed by Netscape Communications in 1994. After SSL 2.0 (1995) and SSL 3.0 (1996), the IETF standardized TLS 1.0 in 1999. Serious vulnerabilities such as the POODLE attack were discovered in SSL 3.0, and its use is now prohibited. TLS 1.2 (2008) was the mainstream for a long time, but TLS 1.3 was finalized in 2018, achieving both faster handshakes and stronger security. When Google announced in 2014 that it would include HTTPS as a ranking factor, the move to HTTPS for websites accelerated rapidly, and as of 2025 more than 95% of web traffic is encrypted with HTTPS. Major browsers have completely ended support for TLS 1.0 and 1.1, and migration to TLS 1.3 has become the standard.

How SSL/TLS Works

In the TLS handshake, the server first presents a digital certificate to prove its identity. Next, the client and server securely exchange a shared cryptographic key and encrypt all subsequent communication with symmetric cryptography. In TLS 1.3, the handshake is simplified to 1-RTT (one round trip), improving both connection speed and security.

Real-World Use Cases

"The SSL Labs scan results turned up three servers that still have TLS 1.0 and 1.1 enabled. We plan to standardize on TLS 1.2 or higher this month and review the cipher suites as well."

TLS Handshake Flow

ClientHello
ServerHello + certificate
Key exchange
Encrypted communication begins

Practical Considerations

SSL/TLS protects the communication path when passwords are transmitted. When entering a password in a login form, always confirm that the connection is HTTPS. A common pitfall in practice is overlooking the expiration of certificates. The spread of Let's Encrypt has made it possible to obtain certificates for free, but if you neglect to set up automatic renewal, the site can suddenly be shown as "not secure." In addition, servers that leave old TLS versions (1.0, 1.1) enabled carry a risk of vulnerabilities. No matter how strong a password you set, there is a risk of interception over unencrypted communication, so it is important to develop the habit of confirming that the lock icon appears in the browser address bar.
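
The two pitfalls above (a certificate that quietly expires, and connections that fall back to TLS 1.0/1.1) can be checked with Python's standard `ssl` module. This is an added example, not code from the original article; the function names, the 30-day warning threshold and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def modern_client_context() -> ssl.SSLContext:
    """Verify the certificate and hostname; refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_expiry(not_after: str, now: datetime, warn_days: int = 30) -> tuple[str, int]:
    """Classify a certificate from its notAfter string (getpeercert() format)."""
    remaining = ssl.cert_time_to_seconds(not_after) - now.timestamp()
    days = int(remaining // 86400)  # floor division: negative once expired
    if remaining < 0:
        return ("expired", days)
    if days < warn_days:
        return ("renew-soon", days)
    return ("ok", days)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Check one server you operate (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with modern_client_context().wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                status, days = check_expiry(not_after, datetime.now(timezone.utc))
                return f"{tls.version()}: certificate {status}, {days} days left"
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate is rejected here, before check_expiry runs.
        return f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        # With TLS 1.2 as the floor, a server limited to 1.0/1.1 fails the handshake.
        return f"handshake failed: {exc.reason}"


# Constructed sample values, evaluated against a fixed clock so the result is stable.
NOW = datetime(2025, 5, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = ["Jun  1 12:00:00 2025 GMT", "May  1 00:00:00 2025 GMT", "Dec 31 23:59:59 2025 GMT"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_expiry(sample, NOW))
```

Running `check_expiry` on a schedule against the `notAfter` values of your own certificates gives a warning before a missed automatic renewal turns into a browser error.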
