When you open a website an notice a padlock next to its address, it's more than a comfort symbol – it's a guarantee that your data is encrypted, authenticated, and protected.
This invisible shield is made possibly by SSL/TLS, the protocol that secure the modern web.
Let's dive deep into how SSL/TLS works, why it's crucial, and what actually happens when you visit a secure website.
Current Flow of HTTP
What Is HTTP?
HTTP (Hyper Text Transfer Protocol) is the foundation of data communication on the web.
It defines how a browser (client) and a web server communicate – sending requests and receiving responses.
Example Flow: HTTP Request-Response
Let's say you visit:
https://example.comHere's what happens step-by-step:
1 DNS Resolution
- Browser asks DNS: “What is the IP of example.com?”
- DNS replies: “It's
93.194.200.77”
2 TCP Connection
- Browser opens a TCP connection to the server's IP at port
80(default HTTP port).
3 HTTP Request Sent
Browser sends a plaintext message:
GET /login HTTP/1.1
Host: example.com
User-Agent: Chrome
Cookie: session=123abc
Everything here – including cookies, headers, and possibly passwords in POST data – is sent in plain text.
4 Server Response
Server replies:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 5423
followed by the webpage content (HTML, CSS, JS, etc.)
5 Browser Renders Page
- The connection may stay open (persistent TCP) for more requests.
Problem: It's All Plain Text
HTTP by itself does not encrypt anything.
That means anyone between you and the server (like ISPs, public Wi-Fi routers, or attackers) can:
- Read everything (passwords, cookies, tokens)
- Modify data in transit (inject malware or fake content)
- Impersonate the server (man-in-the-middle attacks)
So, while HTTP defines how to communicate, it doesn't ensure secure communication.
The 3 Main Security Problems with HTTP
| Problem | Description | Example |
|---|---|---|
| 1. No Encryption | Data is readable in transit | Passwords or credit card numbers visible |
| 2. No Integrity | Data can be changed before reaching destination | Hacker injects malicious script |
| 3. No Authentication | No guarantee you’re talking to the real server | Fake “login.google.com” site |
The Need for SSL/TLS
To fix these vulnerabilities, the web needed a security layer – something that could:
- Encrypt communication
- Verify identity of servers
- Prevent tampering
That's where SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) come in.
SSL/TLS doesn't replace HTTP. It just wraps around it to make it secure.
That's why you see:
HTTPS = HTTP + SSL/TLSWhat Is Encryption?
Encryption is the process of converting readable data (plaintext) into unreadable data (ciphertext) so that only authorized parties can read it.
When you encrypt something, you lock it using a key – and only someone with the right key can unlock (decrypt) it.
Encryption is the science of making data useless to everyone except the intended recipient.
Simple Analogy
Imagine you write a letter and put it inside a locked box. You send that box to your friend – but only your friend has the key to open it.
Even if someone intercepts the box in transit, they can't read the letter without the key.
That's encryption in a nutshell.
Core Terms
| Term | Meaning |
|---|---|
| Plaintext | Original readable data (e.g., “hello world”) |
| Ciphertext | Encrypted, unreadable version of data |
| Encryption | Process of turning plaintext → ciphertext |
| Decryption | Process of turning ciphertext → plaintext |
| Key | Secret value used to encrypt and decrypt data |
| Algorithm (Cipher) | The mathematical formula that performs encryption |
Types of Encryption
There are two main types of encryption based on how keys are used.
1 Symmetric Encryption
- Uses the same key for both encryption and decryption.
- Fast and efficient.
- But the key must be shared securely between sender and receiver.
Example:
| Sender | Receiver |
|---|---|
| Encrypts data with 🔑 | Decrypts data with the same 🔑 |
Real-world example:
When you use TLS (after handshake) – all actual data is encrypted symmetrically using a session key.
2 Asymmetric Encryption
- Uses two different keys:
- A public key (shared with everyone)
- A private key (kept secret)
- When one key encrypts, only the other can decrypt.
Example:
| Step | Action |
|---|---|
| 1️⃣ | Server gives you its public key |
| 2️⃣ | You encrypt your message with that public key |
| 3️⃣ | Only the server (with its private key) can decrypt it |
Real-world example:
Used during SSL/TLS handshake to securely exchange the symmetric session key.
What Is SSL/TLS?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that ensure secure communication between two systems – typically a browser (client) and a web server.
- SSL was the original version developed by Netscape in the 1990s.
- TLS is its improved, more secure version that replaced SSL (though the term “SSL” is still used informally).
Together, they provide three pillars of security.
| Goal | Meaning |
|---|---|
| 🔏 Encryption | Data transferred between client and server is unreadable to others. |
| 🧾 Integrity | Data cannot be altered during transmission. |
| 🧠 Authentication | Confirms the identity of the server (and sometimes the client). |
How SSL/TLS Works – The Handshake Process
When you connect to secure website (say https://example.com), your browser and the server perform a process called a TLS Handshake to establish trust and generate encryption keys.
Let's understand this step by step:
Step 1: Client Hello
Your browser sends a Client Hello message to the server, containing:
- The supported TLS version (e.g., TLS 1.2, 1.3)
- A list of cipher suites (encryption algorithms)
- A random number (used later for key generation)
“Hey server, I would like to talk securely. Here's what I can do.”
Step 2: Server Hello
The server responds with:
- Its chosen TLS version and cipher suite
- Its own random number
- Its digital certificate (issued by a trusted Certificate Authority)
The certificate includes:
- The domain name
- The server's public key
- The CA's signature
“Sure! Let's use this encryption method, and here's my identity proof.”
Step 3: Certificate Verification
Your browser now validates the certificate:
- Is it signed by a trusted by a trusted CA?
- Is it valid (not expired or revoked)?
- Does the domain match the certificate?
If everything checks out, the handshake continues.
If not, you see the dreaded:
“Your connection is not provide.”
Step 4: Key Exchange
Now, both the client and the server need to agree on a shared session key for encrypting data.
Two methods are commonly used:
A. RSA Key Exchange (Older TLS versions)
- The browser generates a pre-master secret, encrypts it using the server's public key, and sends it.
- The server decrypts it using its private key.
- Both sides then derive the same session key.
B. Diffie-Hellman (Modern TLS 1.3)
- Both sides exchange ephemeral public keys.
- Using the Diffie-Hellman algorithm, they each compute the same session key, independently.
- The session key is never transmitted – ensuring perfect secrecy.
Step 5: Session Established
Using the exchanged data, both the client and server derive identical session keys.
These keys are symmetric – used for both encryption and decryption – because symmetric encryption is much faster.
From this point, all data is securely encrypted.
Step 6: Encrypted Communication Begins
Now, every request and response (like HTTP GET or POST) is:
- Encrypted using the session key.
- Authenticated to ensure integrity.
The browser shows a padlock symbol – indicating a successful secure connection.
Leave a comment
Your email address will not be published. Required fields are marked *