What Is SSL/TLS?
SSL and TLS Explained
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide encrypted, integrity-protected communication between a client (for example, your browser) and a server (a website), and let the client confirm it is talking to the server it intended. When you see a padlock icon and https:// in your browser's address bar, TLS is protecting your connection.
Although "SSL" is still the commonly used term, every modern deployment actually uses TLS. SSL 2.0 and 3.0 are deprecated because of protocol-level weaknesses (SSL 1.0 was never publicly released), and TLS 1.0 and 1.1 were formally deprecated in 2021 by RFC 8996. The current standard is TLS 1.3 (RFC 8446, released in 2018), which is both faster and more secure than TLS 1.2: it drops RSA key transport, static Diffie-Hellman and the legacy ciphers, so every TLS 1.3 connection has forward secrecy.
How the TLS Handshake Works
When your browser connects to an HTTPS website, a TLS handshake occurs before any data is exchanged:
- Client Hello: Your browser sends the TLS versions and cipher suites it supports, a random nonce, the server name it wants (SNI) and, in TLS 1.3, its ephemeral key share.
- Server Hello: The server responds with the chosen TLS version and cipher suite, its own random nonce and key share, and then its certificate chain (the leaf plus any intermediates). In TLS 1.3 everything after the Server Hello, including the certificate, is already encrypted.
- Certificate Verification: Your browser checks that the chain leads to a root in its trust store, that every certificate is within its validity period and not revoked, and that the hostname it connected to appears in the leaf's Subject Alternative Name (SAN) list. The server also signs the handshake transcript with its private key (the CertificateVerify message), which is what proves it actually holds the key behind the certificate.
- Key Exchange: Both sides combine their ephemeral (EC)DHE key shares to derive a shared secret, so the session keys never travel over the wire and cannot be recovered later even if the server's private key leaks (forward secrecy). TLS 1.3 removed the older RSA key-transport mode, in which the client encrypted a secret to the server's public key.
- Encrypted Session: All subsequent records are protected with the derived session keys using an authenticated symmetric cipher (AES-GCM or ChaCha20-Poly1305), which is far faster than public-key operations.
TLS 1.2 needs two round trips before the first byte of application data; TLS 1.3 reduces this to a 1-RTT (one round-trip time) handshake, and a returning visitor that resumes a session can send data in its very first flight (0-RTT), significantly improving page load times. 0-RTT data is not protected against replay, so servers should accept it only for idempotent requests such as GETs, or reject it outright.
Certificate Types
SSL/TLS certificates come in three validation levels, each requiring a different amount of verification by the CA. The level changes only how much the CA checks about who you are; the cryptography and the strength of the encrypted connection are identical for all three.
| Type | Validation | Visual Indicator | Use Case | Cost |
|---|---|---|---|---|
| DV (Domain Validation) | Proves control of the domain only | Padlock icon | Blogs, personal sites | Free – $50/yr |
| OV (Organization Validation) | Verifies the organization's identity | Padlock + org info in cert details | Business websites | $50 – $200/yr |
| EV (Extended Validation) | Rigorous identity verification | Padlock + org name in cert details | Banks, e-commerce, government | $100 – $500/yr |
Additionally, certificates can cover different scopes:
- Single domain: Covers one hostname (e.g., example.com)
- Wildcard: Covers every direct subdomain of a domain (e.g., *.example.com matches www.example.com, but not example.com itself and not a.b.example.com; the bare domain is normally added as an extra SAN entry)
- Multi-domain (SAN): Covers multiple specified hostnames in one certificate via the Subject Alternative Name extension
A wildcard certificate's private key ends up on every host that serves one of its subdomains, so compromising any of those hosts exposes all of them; where that matters, prefer per-host or SAN certificates.
The Certificate Chain of Trust
TLS certificates rely on a chain of trust that connects your website's certificate back to a root Certificate Authority (CA) that the client already trusts:
- Root CA certificate: Pre-installed in your browser/OS trust store. These are the ultimate trust anchors (e.g., DigiCert's roots or Let's Encrypt's ISRG Root X1). Root keys are kept offline and used only to sign intermediates.
- Intermediate CA certificate: Issued by the root CA. Intermediates sign end-entity certificates on behalf of the root, so a compromised or retired intermediate can be replaced without touching the root.
- End-entity (leaf) certificate: Your website's certificate, signed by the intermediate CA.
Your browser verifies the entire chain: each signature must check out against the next certificate up, every certificate must be within its validity period and carry the right CA constraints, and the leaf must name the host you connected to. If any link is missing, expired, or untrusted, you will see a security warning. The server is responsible for sending the intermediates along with the leaf; some browsers can paper over a missing intermediate by fetching it or using a cache of known intermediates, but command-line tools and libraries (curl, OpenSSL, Python's ssl module) generally cannot, so a site that "works in Chrome" can still fail for API clients.
Let's Encrypt and Free SSL
Let's Encrypt is a free, automated, open Certificate Authority run by the Internet Security Research Group (ISRG) and launched publicly in 2016. It changed HTTPS adoption by making TLS certificates available at no cost:
- Issues DV certificates only (no OV or EV), for free
- Certificates are valid for 90 days, so automated renewal is expected rather than optional
- Uses the ACME protocol (RFC 8555) for automated issuance and renewal; control of the domain is proven with an HTTP-01 or DNS-01 challenge (DNS-01 is required for wildcard certificates)
- Tools like `certbot` make setup easy: `sudo certbot --nginx -d example.com` obtains the certificate and edits the nginx configuration, and the timer or cron job installed with certbot then runs `certbot renew` on a schedule
- Trusted by all major browsers and operating systems
Checking SSL Certificates
You can inspect SSL certificates in several ways:
- Browser: Click the padlock icon in the address bar → "Certificate" or "Connection is secure" → view certificate details.
- Our tool: Use our SSL Certificate Checker to inspect any domain's certificate, expiration date, and chain.
- Command line: `openssl s_client -connect example.com:443 -servername example.com` prints the chain the server sends and the verification result. Keep `-servername`: a server hosting several sites picks its certificate from the SNI name, so without it you may be shown the wrong certificate.
- Curl: `curl -vI https://example.com` shows certificate details in verbose mode.
certbot) and monitor your certificates' expiration dates.
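The chain of trust, the wildcard scope rule and the command-line checks above, as an added shell example that is not part of the original page: it builds a root, an intermediate and a 90-day leaf with the openssl CLI (the names Example Root CA, example.test and the helper functions are made up for the demo), verifies the leaf against the root the way a browser does, shows that a wildcard SAN does not match deeper subdomains, shows the failure when the intermediate is not sent, and uses `-checkend` for expiry monitoring.

```shell
#!/bin/sh
# Added example (not from the original page): build a three-tier chain with the
# openssl CLI and verify it like a browser. All names (Example Root CA,
# example.test) are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA: self-signed; "openssl req -x509" marks it CA:TRUE by default.
#    In production this key stays offline; only its certificate is distributed.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -sha256 -days 3650 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA: a CSR signed by the root, constrained so it can only
#    sign end-entity certificates (pathlen:0) and nothing below that.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" \
  -out "$WORK/int.pem" 2>/dev/null

# 3. Leaf (end-entity) certificate, 90 days like Let's Encrypt, with a wildcard
#    SAN plus the bare domain (the wildcard alone would not cover example.test).
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 90 -sha256 -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" 2>/dev/null

# What a correctly configured server sends: the leaf first, then the intermediate
# (certbot's fullchain.pem has exactly this layout).
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

# Browser-style check: trust anchor from the store (-CAfile), intermediates as
# sent by the server (-untrusted), TLS-server purpose, hostname against the SANs.
verify_for_host() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
    -purpose sslserver -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The common misconfiguration: the server sends only the leaf, so the client
# cannot link it to the root ("unable to get local issuer certificate").
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Expiry monitoring: returns 0 (true) if the leaf expires within $1 days.
# -checkend exits 0 when the certificate will still be valid after that window.
leaf_expires_within_days() {
  if openssl x509 -in "$WORK/leaf.pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# The same fields the browser's certificate viewer shows.
openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer -dates
```

Run it with sh; it needs only openssl 1.1.1 or later (for `-verify_hostname` and `-pkeyopt`). To apply the same checks to a live site, save the output of `openssl s_client -connect host:443 -servername host -showcerts` and pass the server's certificates as the `-untrusted` file against your system trust store instead of the generated root.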