What Is SSL/TLS? Complete Guide to Website Encryption
Every padlock icon in your browser's address bar depends on this protocol. Here's how SSL/TLS actually secures the connection between you and a website.
What Is SSL/TLS?
SSL/TLS is a cryptographic protocol that sits between the application layer (HTTP) and the transport layer (TCP), encrypting everything that passes through. When you see https:// and a padlock icon, your browser has completed a TLS handshake with the server and established an encrypted channel.
It accomplishes three things simultaneously: encryption (nobody snooping on the network can read the data), authentication (the server proves its identity via a certificate signed by a trusted Certificate Authority), and integrity (any tampering with data in transit is detectable).
SSL vs TLS: What's the Difference?
| Version | Released | Status |
|---|---|---|
| SSL 2.0 / 3.0 | 1995 / 1996 | Deprecated — insecure, disabled everywhere |
| TLS 1.0 / 1.1 | 1999 / 2006 | Deprecated — no longer supported by major browsers |
| TLS 1.2 | 2008 | Still widely used, considered secure with proper config |
| TLS 1.3 | 2018 | Current standard — faster handshake, stronger defaults |
"SSL" survives purely as a colloquial term — every certificate you buy today, every "SSL checker" tool including ours, is actually validating TLS. The industry never fully renamed the vocabulary even after retiring the actual SSL protocol versions.
How the TLS Handshake Works
1. Client Hello: Your browser sends a list of supported TLS versions and cipher suites to the server.
2. Server Hello + Certificate: The server picks a cipher suite and sends back its certificate, which contains its public key.
3. Certificate Validation: Your browser checks the certificate chain up to a trusted root CA, confirms it hasn't expired or been revoked, and that the domain matches.
4. Key Exchange: Client and server derive a shared symmetric session key using the server's public key, without ever transmitting the actual secret.
5. Encrypted Session Begins: All further data is encrypted with the fast symmetric session key — asymmetric crypto is only used briefly during the handshake since it's computationally expensive.
Certificate Types: DV, OV, EV
| Type | Verification Level | Issue Speed | Typical Use |
|---|---|---|---|
| Domain Validated (DV) | Confirms domain control only | Minutes (automated) | Most websites, blogs, personal sites |
| Organization Validated (OV) | Verifies the organization is real | 1–3 days | Business websites wanting extra vetting |
| Extended Validation (EV) | Rigorous legal + operational vetting | Several days | Banks, large e-commerce (diminishing use) |
Modern browsers display DV, OV, and EV certificates identically in the address bar — the visual "green bar" EV used to get has been removed from Chrome and Firefox, so the practical visitor-facing difference today is minimal.
Why It Matters
- SEO: Google has used HTTPS as a ranking signal since 2014.
- Browser warnings: Chrome and Firefox actively flag any HTTP site as "Not Secure," which damages trust and conversion rates.
- Data protection: Without TLS, anything submitted through a form — passwords, card numbers, personal data — travels in plain text.
- Compliance: PCI-DSS and many data protection regulations effectively mandate TLS for any site handling sensitive data.
How to Check a Site's Certificate
Use our SSL Certificate Checker to see any domain's certificate issuance history pulled live from public Certificate Transparency logs — issuer, validity dates, days remaining, and every Subject Alternative Name (SAN) the certificate covers, without needing command-line tools.
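The expiry and domain-match checks from the Certificate Validation step can also be scripted with Python's standard ssl module. This is an added example, not code from the original page or from the checker tool: the function names, the example.test hostnames and SAMPLE_CERT are constructed for illustration, chain validation is left to the default context, and revocation is not checked.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake; return (protocol version, cert dict)."""
    ctx = ssl.create_default_context()            # chain + hostname checks enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse the deprecated versions
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()

def san_matches(pattern, host):
    """Exact match, or a '*' left-most label that covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans several labels
    if p[0] == "*" and len(p) > 2:  # conservative choice: ignore '*.tld'
        return p[1:] == h[1:]
    return p == h

def summarize(cert, host, now=None):
    """Report days remaining, the DNS SANs and whether host is covered."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, timezone.utc)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "days_remaining": (expires - now).days,
        "expired": now > expires,
        "sans": sans,
        "host_covered": any(san_matches(s, host) for s in sans),
    }

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Apr  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    at = datetime(2030, 3, 2, tzinfo=timezone.utc)
    for name in ("www.example.test", "a.b.example.test", "example.test"):
        print(name, summarize(SAMPLE_CERT, name, now=at))
```

Against a live host, pass the second value returned by `fetch_cert(host)` to `summarize`; the handshake itself fails with `ssl.SSLCertVerificationError` if the chain or hostname does not validate.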