Every time your browser shows a little padlock, an extraordinary piece of cryptographic choreography has just happened — in well under a tenth of a second, over a network run by strangers, with an adversary potentially reading every byte. Two computers that have never met, sharing no secret in advance, have agreed on a key that only they know, verified that the server really is the bank it claims to be, and switched on encryption for everything that follows. The protocol that pulls this off is TLS — Transport Layer Security — and HTTPS is just HTTP running inside a TLS tunnel.
This page is about what TLS actually promises, where it sits in the stack, and — the heart of it — the step-by-step handshake by which two strangers bootstrap a private, authenticated channel. We will focus on TLS 1.3 (the current version, 2018), which is both simpler and faster than everything before it.
A raw
In the layer stack, TLS slots in between TCP and the application. TCP delivers an
ordered, reliable byte stream; TLS sits on top of that stream and encrypts it; the application (HTTP,
SMTP, IMAP, …) runs on top of TLS, blissfully unaware. When HTTP runs over this TLS layer, we call it
HTTPS, and it lives on port 443 instead of HTTP's port 80. Nothing about HTTP itself
changes — the same GETs and POSTs flow — they just travel inside the encrypted
tunnel.
| Layer | Role |
|---|---|
| Application (HTTP) | Requests and responses — unaware it is protected |
| TLS | Encrypts, authenticates, integrity-protects the byte stream |
| TCP | Reliable, ordered byte delivery |
| IP | Best-effort packet routing |
You already know two kinds of encryption:
So TLS does the sensible thing: use the slow asymmetric maths once, at the start, only to agree a symmetric key; then use the fast symmetric cipher for all the actual data. This is hybrid encryption, and it is the pattern behind essentially every secure channel on the Internet. The handshake's entire job is to get both ends holding the same symmetric key, with confidence in who they are talking to — after that, bulk data flies under cheap symmetric encryption.
Here is the choreography. In TLS 1.3 it fits in a single round trip (1-RTT): the client speaks, the server answers, and by the time the client sends its first real request the channel is already secure. Follow the timeline.
Note the elegant division of labour: Diffie–Hellman gives the shared secret, the certificate + signature give the identity, and the two are independent — which is exactly what makes forward secrecy (below) possible.
The handshake proves the server owns a private key. But how do you know that key belongs to bank.com and not an attacker who generated a key and claims to be bank.com? That is the job of a certificate and the Certificate Authority (CA) system.
A certificate is a small signed document saying "the public key
If every signature in the chain checks out and terminates at a trusted root, the certificate is
accepted. If any link fails — an unknown issuer, an expired certificate, a name that doesn't
match the site — the browser throws the big red warning. This is a
The single most dangerous misconception about HTTPS: people read the padlock as "this site is safe / legitimate / not a scam." It means no such thing. All the padlock certifies is that the connection is encrypted and that you are really talking to whoever owns the domain name in the address bar — and that anyone can get a valid certificate for a domain they control, including criminals, in minutes, for free.
A phishing site at secure-paypa1-login.com can have a perfectly valid certificate and a
gleaming padlock. The padlock confirms you have a private, tamper-proof line to that server — it says
nothing about whether the server is honest, the company reputable, or the page not a
scam. In fact the majority of phishing sites now use HTTPS precisely because users have been
taught "padlock = safe." The correct reading is: the padlock protects the
channel, not you from the site. Always check the actual domain name, not
the lock. See
Look again at the handshake: the shared key came from ephemeral Diffie–Hellman — fresh random
values
This defeats the "store now, decrypt later" attack: a well-resourced adversary who quietly records everything today, hoping to steal the key next year, gets nothing but noise, because the keys that mattered never existed on disk and were destroyed the moment each session ended. Forward secrecy is why TLS 1.3 mandates ephemeral key exchange for every connection.
TLS 1.3 was a deliberate simplification and hardening of the sprawling 1.2 protocol. The headline changes:
In the old RSA-key-transport mode, the client picked the session secret and sent it encrypted with the server's long-term RSA public key. The only way to decrypt that — ever — is the server's long-term private key. So an adversary who records the traffic today and steals that one private key years later can decrypt every recorded session that ever used it. There is a single point of catastrophic failure that reaches backward in time.
Ephemeral Diffie–Hellman severs that link. The session secret is never transmitted at all — each side contributes a throwaway value and they derive the shared key independently, then discard the throwaway values. The long-term private key is used only to sign (prove identity), never to encrypt the session key. Stealing it later lets you impersonate the server going forward, but it unlocks none of the recorded past. Forward secrecy falls out automatically — which is exactly why TLS 1.3 made ephemeral DH the only option.