SSL/TLS Certificates Explained: How HTTPS Protects Your Data

Understand how SSL/TLS encryption secures your web browsing, what certificates mean, and how to verify a website is truly secure.

Raimundo Coelho, Cybersecurity Specialist
January 19, 2026

What Are SSL and TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between your browser and the websites you visit. When you see "HTTPS" in your browser's address bar along with a padlock icon, TLS is actively encrypting the data flowing between your device and the web server.

Although people still commonly use the term "SSL," modern websites actually use TLS, which is the successor to SSL. SSL was developed by Netscape in the 1990s and went through versions 1.0, 2.0, and 3.0, all of which are now deprecated due to security vulnerabilities. TLS picked up where SSL left off and has evolved through versions 1.0, 1.1, 1.2, and the current standard, TLS 1.3, which was finalized in 2018.

The encryption provided by TLS serves three critical security functions. First, it ensures confidentiality by encrypting data so that interceptors cannot read it. Second, it ensures integrity by detecting any tampering with data during transmission. Third, it provides authentication by verifying that you are actually communicating with the intended server and not an impersonator.

How the TLS Handshake Works

Every secure connection begins with a TLS handshake, a rapid exchange between your browser and the server that establishes the encrypted session. Understanding this process helps you appreciate the security guarantees HTTPS provides.

Step 1: Client Hello

Your browser initiates the connection by sending a "Client Hello" message to the server. This message includes the TLS versions your browser supports, a list of cipher suites it can use, and a random number that will be used later in generating encryption keys.

Step 2: Server Hello

The server responds with its own "Server Hello," selecting the strongest TLS version and cipher suite that both parties support. It also sends its digital certificate, which contains the server's public key and is signed by a trusted Certificate Authority.

Step 3: Certificate Verification

Your browser verifies the server's certificate by checking that it was issued by a trusted Certificate Authority, that it has not expired, that it has not been revoked, and that it matches the domain name you are visiting. This verification is what prevents man-in-the-middle attacks, where an attacker tries to impersonate a legitimate website.

Step 4: Key Exchange

Using the server's public key from the certificate, your browser and the server negotiate a shared session key through a process called key exchange. In TLS 1.3, this typically uses Ephemeral Diffie-Hellman, which generates unique keys for each session and provides forward secrecy, meaning that even if the server's private key is compromised in the future, past sessions cannot be decrypted.

Step 5: Encrypted Communication

With the shared session key established, all subsequent communication between your browser and the server is encrypted using fast symmetric encryption. The entire handshake process takes only milliseconds, invisible to the user.
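
As an added illustration of Steps 1, 2 and 4 (not code from the original article), this Python example builds a client that advertises only TLS 1.2 and 1.3 in its Client Hello and, for TLS 1.2, only cipher suites with ephemeral ECDHE key exchange. The function names and the cipher string are choices made for this example; the suites actually listed depend on the local OpenSSL build.

```python
import ssl

def build_client_context():
    """Client settings that shape what the Client Hello offers."""
    # Default context: certificate chain and hostname are both verified.
    ctx = ssl.create_default_context()
    # Refuse the deprecated protocol versions (SSL 3.0, TLS 1.0, TLS 1.1).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string for TLS 1.2: ECDHE key exchange with AEAD ciphers only.
    # TLS 1.3 suites are configured separately and stay enabled; TLS 1.3
    # certificate-based handshakes always use (EC)DHE.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!PSK")
    return ctx

def offered_suites(ctx):
    """(protocol, name) for every cipher suite this client would offer."""
    return sorted((c["protocol"], c["name"]) for c in ctx.get_ciphers())

def lacks_forward_secrecy(suites):
    """Names of TLS 1.2-or-older suites without ephemeral key exchange."""
    return [name for proto, name in suites
            if proto != "TLSv1.3" and not name.startswith("ECDHE-")]

if __name__ == "__main__":
    suites = offered_suites(build_client_context())
    for proto, name in suites:
        print(proto, name)
    print("without forward secrecy:", lacks_forward_secrecy(suites))
```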

Understanding Certificate Types

Domain Validated (DV) Certificates

DV certificates verify only that the requester controls the domain name. The Certificate Authority confirms domain ownership through email verification, DNS record checks, or HTTP challenges. DV certificates are the most common type and are issued within minutes, often for free through services like Let's Encrypt.

A DV certificate means the connection is encrypted, but it does not verify the identity of the organization behind the website. A phishing site can obtain a DV certificate for a lookalike domain just as easily as a legitimate business.

Organization Validated (OV) Certificates

OV certificates require the Certificate Authority to verify the legal identity of the organization requesting the certificate. This includes checking business registration documents and confirming the organization's physical address and phone number. OV certificates provide a higher level of trust because they confirm that a verified organization operates the website.

Extended Validation (EV) Certificates

EV certificates involve the most rigorous verification process. The Certificate Authority verifies legal existence, physical presence, operational status, and the identity of the individuals requesting the certificate. Historically, EV certificates displayed the organization's name in green in the browser address bar, though most modern browsers have moved away from this visual distinction.

How to Verify a Website's Certificate

Clicking the padlock icon in your browser's address bar reveals details about the site's TLS certificate. Check the certificate issuer to ensure it is a reputable Certificate Authority. Verify that the certificate has not expired. Confirm that the domain name on the certificate matches the website you intended to visit.

Be particularly cautious when certificate warnings appear. Modern browsers display clear warnings when a certificate is invalid, expired, or mismatched. Never ignore these warnings, especially when conducting sensitive activities like banking, shopping, or entering passwords. A certificate error could indicate a man-in-the-middle attack or a compromised website.

Common TLS Errors and What They Mean

ERR_CERT_DATE_INVALID means the certificate has expired or your device's clock is incorrect. Check your system date and time first, and if it is correct, the website's certificate has genuinely expired.

ERR_CERT_AUTHORITY_INVALID indicates the certificate was not issued by a trusted Certificate Authority. This can indicate a self-signed certificate, which is common on development servers but should never appear on a legitimate public website.

ERR_CERT_COMMON_NAME_INVALID means the domain you are visiting does not match the domain on the certificate. This could indicate you are on a phishing site or that the website is misconfigured.
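
The checks from Step 3 and the three errors above can be reproduced over a parsed certificate. This is an added example, not code from the original article: the sample certificate, the CA name and the function names are constructed for illustration. Issuer trust is reduced here to a self-signed test plus a name lookup, whereas a real client validates the signature chain up to a root in its trust store and also checks revocation.

```python
import ssl

# Browser error names are the ones discussed in this article.
DATE, AUTHORITY, NAME = ("ERR_CERT_DATE_INVALID", "ERR_CERT_AUTHORITY_INVALID",
                         "ERR_CERT_COMMON_NAME_INVALID")

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
TRUSTED = {"Example Trust CA"}  # hypothetical stand-in for the trust store

def hostname_matches(hostname, pattern):
    """Compare a hostname with a certificate name. '*' is honoured only as
    the whole leftmost label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":  # require 3+ labels so "*.com" never matches
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def check_certificate(cert, hostname, trusted_issuers, now):
    """Return the browser errors this certificate would trigger at time now."""
    errors = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        errors.append(DATE)
    # Simplified trust decision: self-signed, or issuer not in the trusted set.
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    self_signed = cert["issuer"] == cert["subject"]
    if self_signed or issuer.get("organizationName") not in trusted_issuers:
        errors.append(AUTHORITY)
    # Modern browsers match against subjectAltName only, not commonName.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(hostname, n) for n in names):
        errors.append(NAME)
    return errors
```

Passing the current time as a parameter also reproduces the wrong-clock case: a valid certificate reports the date error when `now` falls outside its validity window.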

Always use encrypted connections when handling sensitive data. Our text encryption tool provides additional encryption for sensitive text, and our password generator ensures your credentials are strong enough to withstand attacks even if intercepted. TLS protects your data in transit, but comprehensive security requires strong encryption at every layer. For added protection, verify downloaded files with our hash generator to ensure nothing has been tampered with during transfer.

Written by

Raimundo Coelho

Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.
