Episode 1 — Fundamentals / 1.4 — Understanding HTTP and HTTPS

1.4.e — What Is SSL/TLS Encryption?

In one sentence: TLS (Transport Layer Security) is the cryptographic protocol that encrypts HTTPS traffic; SSL (Secure Sockets Layer) is the older predecessor name — today you should say TLS, even though people still say “SSL certificate.”

Navigation: ← 1.4.d — How HTTPS Secures · 1.4.f — Proxies →

1. SSL vs TLS — Naming vs Reality

NameWhat it is
SSL 2 / SSL 3Legacy protocols — disabled everywhere reputable (broken)
TLS 1.0 / 1.1Deprecated on the modern web
TLS 1.2Still supported widely; baseline for many systems
TLS 1.3Current best practice — simpler handshake, fewer weak options, better performance

“SSL certificate” is marketing language. Technically it is an X.509 certificate used for TLS.

2. What TLS Actually Does (Under the Hood — Still Beginner-Friendly)

TLS combines several cryptographic ideas:

  1. Asymmetric cryptography (public/private keys) — used during the handshake to authenticate and establish secrets.
  2. Symmetric cryptography (shared session keys) — used to encrypt bulk data fast after the handshake.
  3. Authenticated encryption (AEAD) — confidentiality + integrity together (modern ciphersuites).

You don’t need to implement these yourself — libraries (OpenSSL, BoringSSL, etc.) and servers handle them — but you should know what problem each piece solves.

3. Cipher Suites (What “Strong TLS” Means)

A ciphersuite names the algorithms used for key exchange, authentication, encryption, and hashing/MAC. Modern stacks prefer:

  • ECDHE for ephemeral key exchange (forward secrecy in many configurations)
  • AES-GCM or ChaCha20-Poly1305 for AEAD encryption

Old suites with RC4, MD5, SHA1 for encryption, or RSA key transport without forward secrecy are considered weak today.

4. Certificates and Public Key Infrastructure (PKI)

X.509 certificate (simplified)

Contains:

  • Subject / SANs — which hostnames it is valid for
  • Public key of the server
  • Issuer — which CA signed it
  • Validity dates
  • Signature from the issuer

Chain of trust

SERVER CERT  ──signed by──►  INTERMEDIATE CA  ──signed by──►  ROOT CA
                                                              (in OS/browser trust store)

Browsers ship trust anchors. Your site’s cert is typically not a root cert — it’s issued by an intermediate.

5. TLS 1.3 Improvements (Interview-Friendly)

  • Fewer round trips in many cases vs TLS 1.2
  • Removes a bunch of obsolete/unsafe algorithms
  • Encrypts more of the handshake sooner
  • Better performance on mobile networks

6. Common Misconceptions

MisconceptionReality
“SSL encrypts the URL”The path is inside the encrypted tunnel after TLS starts; observers may still see metadata like IPs; SNI historically leaked hostnames during handshake
“HTTPS means the site is trustworthy”It means the connection is authenticated to a name — not that the business is honest
“TLS fixes XSS”XSS is an application bug; TLS doesn’t stop malicious scripts from your domain

7. Key Takeaways

  1. Say TLS, not SSL — SSL is legacy.
  2. TLS provides encryption + integrity + authentication for HTTPS.
  3. Certificates + PKI are how clients trust which server key belongs to which domain.
  4. TLS 1.3 is the modern default you want in production.

Explain-It Challenge

  1. Why do we still hear “SSL certificate” if SSL is deprecated?
  2. What is forward secrecy in one sentence (high level)?
  3. What is the difference between encryption and authentication in TLS?

Navigation: ← 1.4.d — How HTTPS Secures · 1.4.f — Proxies →