Every time you visit a website with https:// in the address bar, your connection is protected by SSL/TLS. You might see a padlock icon in your browser — that’s TLS at work. But what is it actually doing?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt data sent between your browser and a web server. SSL is the older name — it’s largely been replaced by TLS — but “SSL” is still commonly used to refer to both.
What TLS Actually Does
When you connect to an HTTPS site, TLS does three things:
- Authentication: Verifies the server is actually who it claims to be (via an SSL certificate issued by a trusted Certificate Authority)
- Encryption: Scrambles all data in transit so no one in the middle can read it
- Integrity: Ensures data hasn’t been tampered with in transit
The TLS Handshake Explained Simply
Before any data is exchanged, your browser and the server perform a “handshake”:
- Your browser says hello and lists which encryption methods it supports
- The server picks one and sends its SSL certificate
- Your browser verifies the certificate is valid and trusted
- Both sides generate a shared secret key for this session
- All further communication is encrypted with that key
This entire process takes milliseconds and happens automatically.
SSL vs TLS: What’s the Difference?
SSL 1.0, 2.0, and 3.0 are all deprecated and insecure. TLS 1.2 and TLS 1.3 are the current standards. TLS 1.3 is faster (fewer round trips in the handshake) and more secure. When people say “SSL certificate” today, they usually mean a TLS certificate — the naming is historical.
What Does the Padlock Icon Mean?
The padlock means the connection between your browser and the server is encrypted. It does not mean the website itself is safe or trustworthy — phishing sites can and do use HTTPS. Always check the domain name, not just the padlock.
HTTP vs HTTPS
HTTP (without S) sends all data in plain text. Anyone on the same network — a hacker on public Wi-Fi, your ISP, or a government monitor — can read exactly what you’re sending and receiving. HTTPS encrypts all of that. Never enter a password or payment details on an HTTP site.