What is SSL/TLS — Simple Explanation with Examples

DodaTech Updated Jun 20, 2026 5 min read

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that provide secure, encrypted communication over a network, protecting data from eavesdropping and tampering.

In this guide, you’ll understand how SSL/TLS works, why every website needs it, and how to inspect certificates in practice. By the end, you’ll be able to explain the TLS handshake, check certificate validity, and configure HTTPS for your own applications.

Why SSL/TLS Exists — The Problem It Solves

The internet was designed for open communication. Data sent over HTTP travels in plaintext — anyone on the same network can read it. This is fine for public content but dangerous for sensitive data:

  • Login credentials can be stolen over public Wi-Fi.
  • Credit card numbers can be intercepted during checkout.
  • Attackers can inject malicious code into pages (man-in-the-middle attacks).

SSL/TLS solves this by encrypting data in transit so only the intended recipient can read it.

The Man-in-the-Middle Problem

Without TLS, an attacker on a coffee shop Wi-Fi network can intercept every HTTP request between your laptop and a website. They see passwords, session cookies, and personal data in plain text. With TLS, the attacker sees only encrypted gibberish that is computationally infeasible to decrypt without the private key.

The Analogy — Sealed Envelope

Imagine sending a postcard through the mail. Anyone who handles it — postal workers, sorting machines, curious neighbors — can read what you wrote. That’s HTTP.

Now imagine putting that message inside a sealed, tamper-proof envelope with a lock that only the recipient can open. That’s TLS.

Before sending, you also check the recipient’s ID (the certificate) to make sure you’re mailing to the right person, not an impostor. That’s the TLS handshake with certificate validation.

SSL vs TLS — What’s the Difference?

| Feature | SSL | TLS |
|---|---|---|
| Full name | Secure Sockets Layer | Transport Layer Security |
| First released | 1995 (SSL 2.0), 1996 (SSL 3.0) | 1999 (TLS 1.0), 2008 (TLS 1.2), 2018 (TLS 1.3) |
| Status | Deprecated (SSL 3.0 retired in 2015) | Active standard |
| Security | Broken — vulnerable to POODLE, BEAST | Secure (TLS 1.2+ recommended) |
| Performance | Slower handshake | Faster (TLS 1.3: 1-RTT handshake) |

Key point: “SSL” is the old name. Everyone still says “SSL certificate,” but they mean TLS. Always use TLS 1.2 or 1.3.

How the TLS Handshake Works

When you visit https://example.com, your browser and the server perform a TLS handshake — a cryptographic negotiation that happens in milliseconds.

Client                          Server
  │                                │
  │  ── ClientHello ──────────►    │  (supported TLS versions, ciphers)
  │                                │
  │  ◄── ServerHello ──────────    │  (chosen TLS version, cipher)
  │  ◄── Certificate ──────────    │  (server's public key + CA signature)
  │  ◄── ServerHelloDone ──────    │
  │                                │
  │  ── ClientKeyExchange ────►    │  (encrypted pre-master secret)
  │  ── ChangeCipherSpec ─────►    │
  │  ── Finished ─────────────►    │
  │                                │
  │  ◄── ChangeCipherSpec ──────   │
  │  ◄── Finished ──────────────   │
  │                                │
  │  ══════ Encrypted Data ══════► │  (secure communication starts)

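The diagram shows the classic TLS 1.2 handshake with RSA key exchange, where the client encrypts the pre-master secret with the server's public key. In TLS 1.3, the handshake is reduced to a single round trip (1-RTT), and with session resumption it can be 0-RTT. 0-RTT early data can be replayed, so it should only carry requests that are safe to repeat.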

Certificates — The Trust Foundation

A TLS certificate is a digital ID that proves a server’s identity. It contains:

  • Domain name (CN/SAN)
  • Public key
  • Issuer (Certificate Authority)
  • Validity period
  • Digital signature from the CA

Certificate Authority (CA)

CAs are trusted organizations that verify domain ownership and issue certificates. Popular CAs: Let’s Encrypt, DigiCert, Sectigo, GlobalSign.

Self-Signed Certificates

For development and internal use, you can create a self-signed certificate. Browsers will show a warning because there’s no trusted CA backing it.

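# Generate a self-signed certificate (dev use only)
# -nodes leaves key.pem unencrypted on disk.
# subjectAltName is the field modern clients match the hostname against (-addext needs OpenSSL 1.1.1+).
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -nodes -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost"

# Output files: key.pem (private key), cert.pem (certificate)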

How HTTPS Uses TLS

HTTPS (Hypertext Transfer Protocol Secure) is HTTP over TLS. It uses port 443 by default (vs port 80 for HTTP).

# Check if a server supports TLS
curl -v https://example.com

# View certificate details
openssl s_client -connect example.com:443 -showcerts

# Check certificate expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates
# Output:
# notBefore=Jan 1 00:00:00 2025 GMT
# notAfter=Jan 1 00:00:00 2026 GMT
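
The same expiry and protocol check can be automated for monitoring. The following is an added example, not code from the original article: the function names and the 30-day warning threshold are assumptions, and the sample certificate is constructed from the dates in the output above.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: renewal warning threshold, not a value from the article


def fetch_tls_info(host, port=443, timeout=5):
    """Connect with full verification; return (negotiated version, peer cert dict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def _parse(cert_time):
    # ssl.cert_time_to_seconds parses the "Jan  1 00:00:00 2026 GMT" format
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def assess(version, cert, now=None):
    """Return findings for a negotiated version string and a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("certificate not yet valid")
    if now >= not_after:
        findings.append("certificate expired")
    elif (not_after - now).days < WARN_DAYS:
        findings.append(f"certificate expires in {(not_after - now).days} days")
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol negotiated: {version}")
    return findings


# Constructed sample that mirrors the notBefore/notAfter output shown above
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2025 GMT",
               "notAfter": "Jan  1 00:00:00 2026 GMT"}

if __name__ == "__main__":
    print(assess("TLSv1.3", SAMPLE_CERT, datetime(2025, 12, 15, tzinfo=timezone.utc)))
```

With verification on, fetch_tls_info raises ssl.SSLCertVerificationError for a certificate that has already expired, so the "expired" branch matters mainly when assess is run over stored certificate metadata.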

Common OpenSSL Commands

# Generate CSR (Certificate Signing Request)
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

# View certificate details
openssl x509 -in cert.pem -text -noout

# Convert PEM to PFX (for Windows servers)
openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

# Test TLS connection
openssl s_client -connect google.com:443 -tls1_3

Common Use Cases

1. E-commerce websites

Every checkout page must use HTTPS. PCI DSS compliance requires TLS 1.2+ for payment transactions.

2. Email encryption

SMTP over TLS (port 587) encrypts email transmission between mail servers and clients.

3. APIs and web services

REST APIs that handle authentication or sensitive data require TLS. OAuth 2.0 mandates TLS for token endpoints.

4. Internal corporate applications

Companies use internal PKI with self-signed or internal CA certificates to encrypt traffic between internal services.

5. IoT devices

Smart home devices and industrial sensors use TLS to secure telemetry data and prevent unauthorized control.

Code Examples

Python — Making HTTPS Requests

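import requests

# Certificate verification is on by default (verify=True)
response = requests.get('https://api.github.com')
print(response.status_code)
print(response.json()['current_user_url'])

# verify=False switches certificate validation off: the client then accepts
# any certificate, including one presented by a man-in-the-middle.
# For a self-signed or internal-CA server, pass the certificate path instead
# (verify='cert.pem') so validation stays on.
response = requests.get('https://self-signed.local', verify=False)
# ⚠️ Never disable verification in production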

Expected output:

200
https://api.github.com/user
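
To see what disabling verification changes underneath, the following added example (not code from the original article) builds a verifying client context with Python's standard ssl module and audits a context for the settings that verify=False corresponds to. The function names are assumptions made for illustration.

```python
import ssl


def make_client_context(ca_file=None):
    """Verifying client context with a TLS 1.2 floor.

    If ca_file is given (for example a self-signed or internal-CA cert.pem),
    only that file is trusted instead of the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context():
    """The ssl-level settings that verify=False corresponds to (do not ship this)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def audit_context(ctx):
    """Return the ways a client context weakens what TLS is supposed to guarantee."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("hardened:  ", audit_context(make_client_context()))
    print("unverified:", audit_context(unverified_context()))
```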

Node.js — Simple HTTPS Server

const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end('Hello, secure world!\n');
}).listen(443);

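Expected output:

$ curl https://localhost
Hello, secure world!

(If cert.pem is the self-signed certificate generated earlier, curl rejects it unless you pass --cacert cert.pem.)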

FAQ

Is SSL the same as TLS?

No, but people use “SSL” to mean “TLS.” SSL 3.0 is deprecated and unsafe. Always use TLS 1.2 or TLS 1.3.

How do I check if a website uses TLS 1.3?

Run openssl s_client -connect example.com:443 -tls1_3 in your terminal. If the connection succeeds, the server supports TLS 1.3.

What happens when a certificate expires?

The browser shows a security warning and blocks the connection. Web servers fail to establish TLS connections until the certificate is renewed.

Can TLS be hacked?

No practical attack exists against properly implemented TLS 1.2/1.3. Weaknesses come from misconfiguration (expired certs, weak ciphers, self-signed certs in production).

What port does HTTPS use?

443. HTTP uses 80. You can technically run TLS on any port, but 443 is the standard.

Related Terms

HTTPS, PKI, Encryption Vs Hashing, Authentication Vs Authorization, OWASP
