TLS and HTTPS

Every time your browser shows a little padlock, an extraordinary piece of cryptographic choreography has just happened — in well under a tenth of a second, over a network run by strangers, with an adversary potentially reading every byte. Two computers that have never met, sharing no secret in advance, have agreed on a key that only they know, verified that the server really is the bank it claims to be, and switched on encryption for everything that follows. The protocol that pulls this off is TLS — Transport Layer Security — and HTTPS is just HTTP running inside a TLS tunnel.

This page is about what TLS actually promises, where it sits in the stack, and — the heart of it — the step-by-step handshake by which two strangers bootstrap a private, authenticated channel. We will focus on TLS 1.3 (the current version, 2018), which is both simpler and faster than everything before it.

What TLS adds, and where it sits

A raw TCP connection is a bare byte pipe: anyone who can see the wire can read it, change it, or impersonate either end. TLS wraps that pipe and adds three guarantees — the trio worth memorising:

In the layer stack, TLS slots in between TCP and the application. TCP delivers an ordered, reliable byte stream; TLS sits on top of that stream and encrypts it; the application (HTTP, SMTP, IMAP, …) runs on top of TLS, blissfully unaware. When HTTP runs over this TLS layer, we call it HTTPS, and it lives on port 443 instead of HTTP's port 80. Nothing about HTTP itself changes — the same GETs and POSTs flow — they just travel inside the encrypted tunnel.

LayerRole
Application (HTTP)Requests and responses — unaware it is protected
TLSEncrypts, authenticates, integrity-protects the byte stream
TCPReliable, ordered byte delivery
IPBest-effort packet routing

Why hybrid crypto: asymmetric to agree, symmetric to bulk

You already know two kinds of encryption: symmetric and asymmetric. TLS uses both, and the reason is the whole trick of practical cryptography.

So TLS does the sensible thing: use the slow asymmetric maths once, at the start, only to agree a symmetric key; then use the fast symmetric cipher for all the actual data. This is hybrid encryption, and it is the pattern behind essentially every secure channel on the Internet. The handshake's entire job is to get both ends holding the same symmetric key, with confidence in who they are talking to — after that, bulk data flies under cheap symmetric encryption.

The TLS 1.3 handshake, step by step

Here is the choreography. In TLS 1.3 it fits in a single round trip (1-RTT): the client speaks, the server answers, and by the time the client sends its first real request the channel is already secure. Follow the timeline.

Note the elegant division of labour: Diffie–Hellman gives the shared secret, the certificate + signature give the identity, and the two are independent — which is exactly what makes forward secrecy (below) possible.

Certificates and the chain of trust

The handshake proves the server owns a private key. But how do you know that key belongs to bank.com and not an attacker who generated a key and claims to be bank.com? That is the job of a certificate and the Certificate Authority (CA) system.

A certificate is a small signed document saying "the public key K belongs to bank.com," stamped with the digital signature of a Certificate Authority. Your browser (or operating system) ships with a built-in list of a few dozen trusted root CAs. The trust flows in a chain:

If every signature in the chain checks out and terminates at a trusted root, the certificate is accepted. If any link fails — an unknown issuer, an expired certificate, a name that doesn't match the site — the browser throws the big red warning. This is a public-key infrastructure (PKI): trust in millions of servers reduced to trust in a handful of roots.

The single most dangerous misconception about HTTPS: people read the padlock as "this site is safe / legitimate / not a scam." It means no such thing. All the padlock certifies is that the connection is encrypted and that you are really talking to whoever owns the domain name in the address bar — and that anyone can get a valid certificate for a domain they control, including criminals, in minutes, for free.

A phishing site at secure-paypa1-login.com can have a perfectly valid certificate and a gleaming padlock. The padlock confirms you have a private, tamper-proof line to that server — it says nothing about whether the server is honest, the company reputable, or the page not a scam. In fact the majority of phishing sites now use HTTPS precisely because users have been taught "padlock = safe." The correct reading is: the padlock protects the channel, not you from the site. Always check the actual domain name, not the lock. See phishing and social engineering.

Forward secrecy: the reason for ephemeral keys

Look again at the handshake: the shared key came from ephemeral Diffie–Hellman — fresh random values x and y generated for this one session and thrown away afterwards. That word "ephemeral" buys a powerful property: forward secrecy.

This defeats the "store now, decrypt later" attack: a well-resourced adversary who quietly records everything today, hoping to steal the key next year, gets nothing but noise, because the keys that mattered never existed on disk and were destroyed the moment each session ended. Forward secrecy is why TLS 1.3 mandates ephemeral key exchange for every connection.

What changed in TLS 1.3

TLS 1.3 was a deliberate simplification and hardening of the sprawling 1.2 protocol. The headline changes:

In the old RSA-key-transport mode, the client picked the session secret and sent it encrypted with the server's long-term RSA public key. The only way to decrypt that — ever — is the server's long-term private key. So an adversary who records the traffic today and steals that one private key years later can decrypt every recorded session that ever used it. There is a single point of catastrophic failure that reaches backward in time.

Ephemeral Diffie–Hellman severs that link. The session secret is never transmitted at all — each side contributes a throwaway value and they derive the shared key independently, then discard the throwaway values. The long-term private key is used only to sign (prove identity), never to encrypt the session key. Stealing it later lets you impersonate the server going forward, but it unlocks none of the recorded past. Forward secrecy falls out automatically — which is exactly why TLS 1.3 made ephemeral DH the only option.