How SSL Works: The Backbone of Secure Web Communication


Have you ever noticed the little padlock icon 🔒 in your browser’s address bar or the https:// in a website URL? That’s SSL at work. SSL, short for Secure Sockets Layer, is a technology that encrypts the connection between your browser and a web server, ensuring that sensitive information like passwords, credit card numbers, and personal data remain private.

In this article, we’ll explain how SSL works, why it’s essential, and the steps involved in establishing a secure connection.

What Is SSL?

SSL (now more accurately known as TLS, or Transport Layer Security) is a cryptographic protocol that secures communication over a computer network. Though SSL 2.0 and SSL 3.0 are deprecated, the term “SSL” is still widely used to refer to TLS versions 1.2 and 1.3, which are secure and modern.

SSL is the foundation of HTTPS, which stands for HTTP Secure — a combination of HTTP + SSL/TLS.

Why Is SSL Important?

SSL provides three key pillars of secure communication:

  1. Encryption: Prevents third parties (such as attackers or ISPs on the network path) from reading your data in transit.
  2. Authentication: Verifies that the server you’re talking to really is the site named in the URL, not an impostor.
  3. Data Integrity: Ensures that data cannot be altered in transit without the change being detected.

How SSL Works: Step-by-Step Breakdown

Let’s break down the SSL handshake — the process that happens behind the scenes every time you visit an HTTPS website.

Step 1: Browser Requests a Secure Connection

When a user types https://example.com into their browser:

  • The browser (client) sends a ClientHello message to the server.
  • This includes:
    • The TLS versions the client supports (e.g., TLS 1.2, TLS 1.3)
    • A list of cipher suites (the encryption and key-exchange algorithms it is willing to use), in order of preference
    • A freshly generated random value (the client random, mixed into the session keys later)

Step 2: Server Responds with Certificate

The server replies with a ServerHello, followed in the same flight by the rest of its handshake messages, which together carry:

  • The server’s SSL certificate (plus the intermediate certificates that chain it to a CA)
  • The TLS version and cipher suite the server chose from the client’s list
  • A server-generated random value (the server random)
  • Optional: a ServerKeyExchange message (TLS 1.2 and earlier, when the chosen key exchange needs extra parameters)

🔐 SSL Certificate Includes:

  • Domain name
  • Public key
  • Issuer (Certificate Authority)
  • Expiry date
  • Digital signature

The browser uses this certificate to verify the identity of the server.

Step 3: Certificate Validation

Before continuing:

  • The browser checks that the certificate’s signature is valid, that the domain in the URL matches a name in the certificate, that the certificate is within its validity period, and that the chain of issuers leads to a CA in its trust store.
  • If any check fails (e.g., an expired certificate or an unknown issuer), the browser displays a security warning instead of the page.

If all checks pass, the handshake continues.

Step 4: Key Exchange and Session Key Generation

Depending on the version of TLS:

TLS 1.2 (RSA key exchange; TLS 1.2 can also use the ephemeral Diffie-Hellman exchange described below):

  • The client generates a pre-master secret, encrypts it with the public key from the server’s certificate, and sends it.
  • The server uses its private key to decrypt it.
  • Both sides derive the same symmetric session keys from the pre-master secret combined with the client and server random values.

TLS 1.3:

  • More efficient, and only ephemeral (elliptic-curve) Diffie-Hellman key exchange (ECDHE) is allowed, which gives forward secrecy; the RSA-encrypted pre-master secret of older versions was removed.
  • Each side sends only its public Diffie-Hellman share; both compute the same shared secret, and the private values never leave the endpoint that generated them.

Step 5: Secure Session Established

Now both the browser and server have the same symmetric session key, which they use to:

  • Encrypt and decrypt all application data
  • Ensure integrity with Message Authentication Codes (MACs) or, in modern cipher suites, an authenticated-encryption mode such as AES-GCM

This switch to symmetric encryption (like AES) happens because it’s faster than public-key cryptography.

Bonus: What Happens After the Handshake?

Once the secure session is established:

  • All communication (login forms, payments, etc.) is encrypted.
  • The padlock icon appears in your browser.
  • If HSTS is configured, future visits will always use HTTPS.

Modern Enhancements to SSL/TLS

  • TLS 1.3: Simplifies the handshake, eliminates outdated algorithms, improves performance and security.
  • HTTP/3 + QUIC: QUIC was originally developed at Google and later standardized by the IETF; it runs over UDP and builds TLS 1.3 directly into the transport layer.
  • OCSP Stapling: The server attaches a recent, CA-signed statement of its certificate’s revocation status to the handshake, so the client does not have to query the CA’s OCSP responder itself, which shortens validation.
  • Let’s Encrypt: Provides free, automated SSL certificates.

Common SSL Terms Explained

CA (Certificate Authority): Trusted organization that issues SSL certificates (e.g., DigiCert, Let’s Encrypt)
CSR (Certificate Signing Request): A file you generate, containing your public key and domain name, to request a certificate from a CA
Private Key: Secret key stored on the server; used to decrypt or sign handshake messages, and never shared
Public Key: Published in the certificate and shared with clients, who use it to encrypt messages to the server or verify its signatures
HTTPS: HTTP over SSL/TLS
Forward Secrecy: Ensures that past session keys stay secret even if the server’s long-term private key is later compromised

What Happens If SSL Is Missing?

Without SSL:

  • Your data is sent in plain text.
  • Attackers can intercept or modify data via Man-in-the-Middle (MITM) attacks.
  • Browsers will mark the site as “Not Secure”.
  • SEO rankings and user trust can drop.
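Step 3 lists the checks a browser performs before trusting a server; a non-browser client has to opt into the same checks. The following is an added example using Python’s standard ssl module (not code from the article): the weak configuration that makes a Man-in-the-Middle undetectable sits next to the corrected one, and a small audit function flags the difference.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that performs the Step 3 checks: chain, hostname, version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.load_default_certs()                       # the chain must end at a CA in the system store
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration often pasted in to silence a certificate error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, so an interposed server is never noticed
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return findings for a client context; an empty list means it is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified: verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, build in (("hardened", hardened_client_context), ("insecure", insecure_client_context)):
        print(f"{name}: {audit(build()) or ['no findings']}")
```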

Conclusion

SSL/TLS is a critical part of today’s internet, ensuring that our communication remains private and secure. From the initial handshake to encrypted data exchange, it protects billions of users and websites every day.

Whether you’re a user or a site owner, understanding how SSL works helps you appreciate the invisible shield keeping your data safe.
