What is SSL/TLS?

If you have spent any time on the Internet, especially in the web hosting industry, you have probably heard about SSL and TLS. In this tutorial, we will explain what each of those abbreviations means, their purpose, and their vital importance for online security.

This post includes:

• What are SSL and TLS?
• Are SSL and TLS the Same?
• How Does SSL/TLS Work?

What are SSL and TLS?

Both SSL and TLS are security protocols used to ensure Internet communications are protected, private, and authenticated. Such protocols are vital in our modern world because malicious parties could intercept such communications and steal their data without them. Thankfully, some smart folks back in 1995 figured out a method to secure the online connection two devices establish when communicating with each other. Then, another bunch of smart people made it even better in 1999, creating the Transport Layer Security protocol.

By 1999, SSL was severely outdated, and the company in charge of maintaining it was no longer involved, so another company took over. They renamed it TLS to signify this change in ownership, and the protocol has been a crucial part of the Internet since then.

What SSL/TLS does is it encrypts data transmitted over the Internet. In the past, before these protocols existed, data was sent between machines in plaintext. Anyone who intercepted that connection could read and steal the data without issues. As you can imagine, that is unacceptable. It was unacceptable even back then, which is why the two protocols were invented.

Are SSL and TLS the Same?

As you read above, SSL is the predecessor of TLS, and back in 1999, the two were not that much different. However, since then, TLS has undergone a lot of changes. Like any software, TLS is constantly evolving. Its vulnerabilities are being patched, and new features are being added. Currently, we are on TLS version 1.3.

However, you have probably encountered SSL more often instead of the newer TLS. That is completely understandable because SSL and TLS are used interchangeably in many cases. SSL is simply more recognizable as a term. However, nowadays, whenever we talk about SSL, we are most likely referring to the latest version of TLS instead.

SSL is a name that has stuck around for decades. It is familiar to people, and while its true meaning is for severely deprecated software, it is still the preferred abbreviation. Everyone will assume you mean TLS 1.3 when talking about SSL unless you explicitly specify otherwise.

How Does SSL/TLS Work?

You must have an SSL certificate to reap the benefits of SSL/TLS (or just SSL, to use the more recognizable term). We are certain you are at least vaguely familiar with that term because it is one of the most vital elements of website security.

Such a certificate enables your website to use the HTTPS protocol, which encrypts the connection between a web browser and a server. To open your website, a browser has to connect to your website’s hosting server and maintain that connection for as long as you are on the website. While that connection is open, data is transmitted back and forth between the two, and HTTPS ensures that it is always encrypted. Therefore, it is not in plaintext, making it easily readable by malicious parties who might intercept it.

An SSL certificate installed on your website’s hosting server allows the connection between your site and the browser opening it to be encrypted. We have said the word “encrypted” a few times now, so it is time to explain what it does. Let us compare it to the other word we have used: plaintext.

• Plaintext - This is exactly as the name suggests: simple, plain text that is perfectly readable by a human being, with no encryption applied to it. Anyone who intercepts communication in plaintext can understand what it says without any special tools;
• Encrypted - When encryption is applied to plaintext data, it becomes what is known as “ciphertext.” In this state, the data will appear as a garbled mess of symbols that is unreadable by a human being without the correct “key.”

Now that we know what an SSL certificate does – it encrypts the data being transmitted – let us find out exactly how it does that. It is actually very simple to explain. Of course, you must first obtain an SSL certificate for your website, and you can check out our tutorial on how to do that if you are using our services. Once you have the certificate – meaning the website is HTTPS-enabled – this is what happens when a browser tries to connect to it.

• Step 1 - Since most websites are forced to use HTTPS, the secure protocol is automatically triggered when you type in a website’s name. Even if you do not include “https://” in front of it, the website’s server will still provide a secure connection if available. So, when you go to a website, your browser is shown that there is HTTPS availability, so it requests a secure connection;
• Step 2 - The server sends its SSL certificate, which includes the website’s public key for the encryption, as well as all pertinent details about the certificate: the domain it is issued for, the issuing Certificate Authority, and its expiration date;
• Step 3 - The client (browser) verifies the validity of the server’s SSL certificate. It checks its expiration date and determines if it matches the domain the server claims it has been issued for. It also ensures a trusted Certificate Authority has signed it. If any of these checks fails, you will see a message in your browser alerting you that the website is not safe;
• Step 4 - Once the SSL certificate has been verified and the website has been deemed safe for the user, the browser sends a randomly generated string of bytes (premaster secret) to the server. It is encrypted with the public key from the certificate. That can only be decrypted by the certificate’s private key, which the server has;
• Step 5 - Finally, when the premaster secret is decrypted, the client and server create identical session keys that encrypt and decrypt all data transmitted between them.

An SSL certificate ensures that the communication between your browser and the website’s server is encrypted through this process of authentication and encryption. That means any data that moves between your browser and the server will appear as incoherent strings of letters, numbers, and symbols to anyone who intercepts it. Without the keys we mentioned earlier, that data is useless.

You can imagine how crucial encryption is for websites that handle personal information like names, addresses, credit cards, etc. Without an SSL certificate, that data—yes, the names, addresses, credit card numbers, and so on—would be transmitted in plaintext, making it effortless for any hacker to read it once intercepted. Situations like those are why Google made SSL certificates a ranking requirement in SEO. Moreover, almost all browsers nowadays will show a “Not Secure” warning if you try to visit a website without a certificate.

Online security is vital today, and SSL/TLS plays a crucial role. Without them, data would be too easy to intercept while traveling between client and server.

Related articles

• Why the SSL Certificate Green Bar No Longer Exists
• How to Get Free SSL Certificate from FastComet for Your Website
• Do You Need a Dedicated IP for SSL