What Is SSL/TLS? Complete Guide to Website Encryption

Every padlock icon in your browser's address bar depends on this protocol. Here's how SSL/TLS actually secures the connection between you and a website.

📅 Published July 2026· ⏳ 10 min read· ✍️ ToolsNovaHub Editorial Team
SSL (Secure Sockets Layer) and its modern successor TLS (Transport Layer Security) are the cryptographic protocols behind HTTPS. They encrypt traffic between a browser and a server, verify the server's identity through a certificate, and ensure the data hasn't been tampered with in transit. Despite the name SSL still being used colloquially, every modern secure connection actually runs on TLS.

What Is SSL/TLS?

SSL/TLS is a cryptographic protocol that sits between the application layer (HTTP) and the transport layer (TCP), encrypting everything that passes through. When you see https:// and a padlock icon, your browser has completed a TLS handshake with the server and established an encrypted channel.

It accomplishes three things simultaneously: encryption (nobody snooping on the network can read the data), authentication (the server proves its identity via a certificate signed by a trusted Certificate Authority), and integrity (any tampering with data in transit is detectable).

SSL vs TLS: What's the Difference?

VersionReleasedStatus
SSL 2.0 / 3.01995 / 1996Deprecated — insecure, disabled everywhere
TLS 1.0 / 1.11999 / 2006Deprecated — no longer supported by major browsers
TLS 1.22008Still widely used, considered secure with proper config
TLS 1.32018Current standard — faster handshake, stronger defaults

"SSL" survives purely as a colloquial term — every certificate you buy today, every "SSL checker" tool including ours, is actually validating TLS. The industry never fully renamed the vocabulary even after retiring the actual SSL protocol versions.

How the TLS Handshake Works

1

Client Hello

Your browser sends a list of supported TLS versions and cipher suites to the server.

2

Server Hello + Certificate

The server picks a cipher suite and sends back its certificate, which contains its public key.

3

Certificate Validation

Your browser checks the certificate chain up to a trusted root CA, confirms it hasn't expired or been revoked, and that the domain matches.

4

Key Exchange

Client and server derive a shared symmetric session key using the server's public key, without ever transmitting the actual secret.

5

Encrypted Session Begins

All further data is encrypted with the fast symmetric session key — asymmetric crypto is only used briefly during the handshake since it's computationally expensive.

Certificate Types: DV, OV, EV

TypeVerification LevelIssue SpeedTypical Use
Domain Validated (DV)Confirms domain control onlyMinutes (automated)Most websites, blogs, personal sites
Organization Validated (OV)Verifies the organization is real1–3 daysBusiness websites wanting extra vetting
Extended Validation (EV)Rigorous legal + operational vettingSeveral daysBanks, large e-commerce (diminishing use)

Modern browsers display DV, OV, and EV certificates identically in the address bar — the visual "green bar" EV used to get has been removed from Chrome and Firefox, so the practical visitor-facing difference today is minimal.

Why It Matters

  • SEO: Google has used HTTPS as a ranking signal since 2014.
  • Browser warnings: Chrome and Firefox actively flag any HTTP site as "Not Secure," which damages trust and conversion rates.
  • Data protection: Without TLS, anything submitted through a form — passwords, card numbers, personal data — travels in plain text.
  • Compliance: PCI-DSS and many data protection regulations effectively mandate TLS for any site handling sensitive data.

How to Check a Site's Certificate

Use our SSL Certificate Checker to see any domain's certificate issuance history pulled live from public Certificate Transparency logs — issuer, validity dates, days remaining, and every Subject Alternative Name (SAN) the certificate covers, without needing command-line tools.

FAQs

Is SSL still used today, or only TLS? +
The actual SSL protocol (versions 2.0/3.0) was deprecated years ago for security flaws. What's used today is TLS, but the industry still colloquially calls it 'SSL' out of habit — SSL certificate, SSL checker, and so on all really refer to TLS.
What is the difference between SSL and TLS? +
TLS is the modern, secure successor to SSL. SSL 2.0/3.0 are both deprecated due to known vulnerabilities; TLS 1.2 and 1.3 are the current standards in active use.
What is a TLS handshake? +
The negotiation process where a client and server agree on encryption parameters, the server proves its identity via certificate, and both sides derive a shared session key — all before any actual data is exchanged.
What is the difference between DV, OV, and EV certificates? +
DV only confirms domain control, issued in minutes. OV additionally verifies the requesting organization is real. EV requires the most rigorous vetting. All three display identically in modern browsers.
Do I need a paid SSL certificate? +
No. Let's Encrypt provides free, automated, browser-trusted DV certificates that are functionally equivalent for encryption purposes. Paid certificates mainly add OV/EV vetting, warranty coverage, or longer validity periods.
How long does an SSL/TLS certificate last? +
Most publicly trusted certificates today are valid for 90 days (Let's Encrypt) to 398 days (most commercial CAs) — the industry has been steadily shortening maximum lifetimes to reduce risk from compromised keys.
What happens when an SSL certificate expires? +
Browsers block the site with a prominent security warning and refuse to load it by default until the visitor manually bypasses the warning — which most won't.
Can I use the same SSL certificate for multiple domains? +
Yes, if it's a multi-domain (SAN) or wildcard certificate. A wildcard like *.example.com covers the base domain plus all first-level subdomains under one certificate.
Is HTTPS the same as SSL? +
HTTPS is HTTP running over an SSL/TLS-encrypted connection. SSL/TLS provides the encryption layer; HTTPS is the resulting protocol name used in URLs.
How do I check what certificate a website is using? +
Click the padlock icon in your browser's address bar for basic details, or use a dedicated tool like our SSL Certificate Checker for full issuance history from Certificate Transparency logs.
What is a Certificate Authority (CA)? +
An organization trusted by browsers and operating systems to verify domain ownership (and sometimes organizational identity) before issuing a certificate. Examples include Let's Encrypt, DigiCert, and Sectigo.
Does HTTPS protect against all attacks? +
No. It protects data in transit from interception and tampering, and verifies server identity, but it doesn't protect against vulnerabilities in the website's own code, weak passwords, or phishing that tricks users directly.
Why do browsers show 'Not Secure' for HTTP sites? +
Since 2018, Chrome and Firefox actively flag any page served over plain HTTP as insecure, particularly for forms and login pages, to push the entire web toward encrypted-by-default.
What is Certificate Transparency? +
A public framework (RFC 9162) requiring CAs to log every issued certificate to append-only, auditable logs, letting anyone — including domain owners — verify what certificates have been issued for a domain.
Can I have SSL on a subdomain without covering the whole domain? +
Yes. A certificate can be issued for a specific subdomain alone (e.g. shop.example.com) without securing the root domain or other subdomains, unless a wildcard or multi-SAN certificate is used instead.
Explore All ToolsNovaHub Tools
🏠 Go to Homepage

🔗 More Guides