SSL / TLS
Encryption protocol securing the connection between browser and server. SSL is obsolete; TLS is its successor.
SSL or TLS?
In everyday language we say "SSL" — in reality, what is used today is TLS (Transport Layer Security). SSL was the predecessor (SSL 2.0 in 1995, SSL 3.0 in 1996) and is now deprecated and vulnerable. When someone says "SSL certificate", they usually mean "TLS certificate".
- SSL 2.0 / 3.0 — deprecated, vulnerable (POODLE, DROWN)
- TLS 1.0 / 1.1 — deprecated since 2020
- TLS 1.2 — still widely used, secure
- TLS 1.3 — faster & more secure, the recommended choice today
What TLS Does
- Confidentiality: encrypts traffic so that nobody along the path can read it.
- Integrity: ensures that data has not been tampered with.
- Authentication: through the certificate, the browser knows it is actually talking to example.com and not to someone impersonating it.
How the TLS Handshake Works (simplified)
- The client sends a ClientHello with the TLS versions and cipher suites it supports.
- The server selects a version + cipher and sends its certificate.
- The client verifies the certificate (valid, issued by a trusted CA, hostname matches).
- They agree on a shared key (mainly via ECDHE, to achieve forward secrecy).
- From that point on, all traffic is encrypted with a symmetric algorithm (AES-GCM, ChaCha20-Poly1305).
What a Certificate Contains
- Subject (CN, SAN) — the domains it is valid for
- Issuer — the Certificate Authority (Let's Encrypt, DigiCert, GoDaddy, Sectigo...)
- Validity — notBefore and notAfter dates
- Public Key — typically RSA 2048+ bit or ECDSA P-256
- Signature — the CA's signature that certifies authenticity
Certificates & the Chain of Trust
Your certificate is signed by an intermediate CA, which in turn is signed by a root CA. Root CA certificates are pre-installed in browsers and operating systems. When the intermediates are missing from the chain served by the server, most browsers will download them automatically, but some older clients and SMTP/IMAP clients will fail.
Recommended settings: TLS 1.2 and 1.3 only, modern cipher suites (ECDHE, AES-GCM/ChaCha20), HSTS enabled, OCSP stapling, and a certificate from Let's Encrypt (free) or ZeroSSL.
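An added example (not part of the original page): a Python client that enforces the recommended protocol and cipher settings during the handshake and reports the certificate fields listed above. The function names and `SAMPLE_CERT` are constructed for illustration; `probe` needs network access, the rest runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

def hardened_context() -> ssl.SSLContext:
    """Client context for the recommended settings: TLS 1.2+ and ECDHE with AEAD."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restricts TLS 1.2 suites; TLS 1.3 suites are AEAD-only and configured separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def summarize_cert(cert: dict, now: datetime) -> dict:
    """Extract SAN, issuer and remaining validity from a getpeercert() dict."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "san": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "issuer": issuer.get("organizationName", issuer.get("commonName")),
        "days_left": (not_after - now).days,
    }

def probe(host: str, port: int = 443) -> dict:
    """Handshake with host; raises ssl.SSLError if the server fails the policy
    (old protocol, no ECDHE suite, untrusted or incomplete chain, wrong hostname)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with hardened_context().wrap_socket(raw, server_hostname=host) as tls:
            info = summarize_cert(tls.getpeercert(), datetime.now(timezone.utc))
            info.update(version=tls.version(), cipher=tls.cipher()[0])
            return info

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, datetime(2025, 3, 2, tzinfo=timezone.utc)))
```

Python's ssl module does not download missing intermediates, so `probe` will typically fail against a server that serves an incomplete chain, which is the behaviour of the stricter non-browser clients mentioned above.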