Most people know the padlock in the browser means "secure," but few know what's happening behind it. That security is SSL/TLS — the cryptographic protocols that encrypt traffic between your browser and a website so no one in the middle can read or tamper with it. It's worth understanding, because the same mechanism underpins safe logins, payments, and any private exchange online.
A little history
SSL (Secure Sockets Layer) emerged from Netscape in the mid-1990s to let data travel safely between users and websites. TLS (Transport Layer Security) arrived in 1999 as its successor and improvement, and it's what everything uses today — all the old SSL versions are obsolete. People still say "SSL" out of habit, but in practice they mean TLS. Think of TLS as the current name for the same idea.
What a certificate actually is
An SSL/TLS certificate is a piece of digital identity. It lets a system prove who it is and agree on how to encrypt the connection. Certificates work within a public-key infrastructure (PKI): a trusted third party — a certificate authority — vouches for the certificate, so your browser can trust that the site presenting it is genuinely who it claims to be. In short, the certificate is a website's verifiable proof of identity, and the basis for trusting the connection.
The handshake, step by step
Establishing a secure channel happens in a few quick stages, every time you connect:
- Initialisation. Your browser sends a "hello," listing the TLS version and encryption methods it supports.
- Server response. The server replies with its certificate and chosen parameters, proving its identity and picking the algorithms to use.
- Authentication and key exchange. Your browser verifies the certificate (does it match the site, is it signed by a trusted authority?), then creates a "pre-master" secret, encrypts it with the server's public key, and sends it back. The server decrypts it with its private key. Now both sides share a secret.
- Secure data transfer. Using that shared secret, both sides encrypt and decrypt everything for the rest of the session. When the session ends, the keys are destroyed.
Verify the certificate, agree a secret, then talk privately — that's the whole dance.
Two kinds of encryption, working together
This is the clever part. TLS uses a hybrid of two encryption types:
- Asymmetric encryption during the handshake. The browser uses the server's public key to protect the pre-master secret. Asymmetric crypto is secure for exchanging that initial secret but slow for bulk data.
- Symmetric encryption afterwards. Once both sides share a session key, they switch to symmetric encryption, which is fast — ideal for encrypting the actual traffic.
The hybrid gets the best of both: the security of asymmetric for the key exchange, the speed of symmetric for the data. Every modern browser and HTTPS site uses this pattern.
How to tell a site is using it
Two everyday signals: the padlock icon, and https:// with the "s" on the end. Both mean the traffic between your browser and that server is encrypted, so a third party intercepting it gets unreadable noise instead of your data. If a site is still on plain http://, assume anything you send can be read in transit.
Getting a certificate, briefly
Any site owner can enable HTTPS. You generate a certificate signing request (CSR) containing your public key and domain, send it to a certificate authority, which verifies your identity, and then install the issued certificate on your server. Certificates come in tiers, from basic domain validation to extended validation for higher trust, and keeping them current is what keeps the connection secure.
Where proxies and VPNs sit alongside
TLS protects the channel to a given site. Other tools complement it at the network level. A VPN encrypts all your traffic in a tunnel and hides your IP. A proxy routes your traffic through an intermediary, presenting its address instead of yours — useful for privacy, geo-access and keeping activity separate. Used together with HTTPS, these layer up: TLS secures each site connection, while a clean proxy or VPN governs how your traffic reaches the wider internet. For a stable, controlled origin in that role, a dedicated static IPv4 or ISP proxy gives a predictable address with HTTP and SOCKS5 on one port.
The takeaway: SSL/TLS is the quiet machinery that makes the web trustworthy — a quick handshake to verify identity and agree a secret, then fast encrypted conversation. The padlock isn't decoration; it's that whole process, running every time you load a secure page.