Skip to main content

What is SSL/TLS?

The encryption technology behind the padlock symbol in your browser — the foundation of every secure communication on the web.

SSL or TLS?

SSL (Secure Sockets Layer) is the original name; TLS (Transport Layer Security) is its successor and has been around since 1999. Out of habit, both terms are used interchangeably — when someone talks about an "SSL certificate" today, they almost always mean a TLS certificate. The actual SSL versions (1.0, 2.0, 3.0) have been deprecated as insecure for years; the same applies to TLS 1.0 and 1.1. Today, at least TLS 1.2 is required, and new servers should speak TLS 1.3.

What does SSL/TLS do?

Three jobs at once:

  • Encryption: Nobody between the browser and server can read the contents.
  • Authentication: The browser can verify that it's really talking to example.com — and not to an attacker.
  • Integrity: Nobody can modify data in transit without it being noticed.

What is an SSL certificate?

A digital certificate is an electronic signature from a Certificate Authority (CA, e.g. Let's Encrypt, DigiCert, Sectigo). It confirms: "Yes, public key X really belongs to domain Y." The certificate contains the public key, the subject (domain name), the issuer (CA), the validity period, and the SAN list (alternative domain names). The private key stays secret on your server.

Browsers ship with a hard-coded list of trusted CAs. If your certificate is signed by one of those CAs, the browser accepts it without warning. Self-signed certificates only work in special cases (internal tools, your own CA).

The TLS handshake

When the connection is established, browser and server agree on parameters in several steps:

  1. Client Hello: The browser sends a list of TLS versions and cipher suites it supports.
  2. Server Hello: The server picks the best common version + cipher suite and sends back its certificate.
  3. Validation: The browser checks the certificate (valid? correct domain? CA trusted? not revoked?).
  4. Key exchange: Both sides generate a shared session key, which is then used for the actual encryption.

TLS 1.3 reduced the handshake to a single round trip (previously two), making it considerably faster. It also drops insecure cipher suites and old key-exchange mechanisms.

What should you watch out for?

  • Remaining validity: Let's Encrypt certificates last 90 days; commercial ones usually 1 year. Automatic renewal (e.g. via Certbot) prevents outages.
  • TLS version: Only allow TLS 1.2 and 1.3. Disable TLS 1.0/1.1 and SSLv3.
  • Cipher suite: Modern ciphers with forward secrecy, such as ECDHE-RSA-AES256-GCM-SHA384.
  • SAN list: All relevant subdomains must be included — otherwise the browser will warn.
  • OCSP stapling: The server delivers the CA's "certificate not revoked" confirmation along with the response, instead of forcing the browser to ask separately.

Common browser warnings

  • NET::ERR_CERT_DATE_INVALID: Certificate is expired or not yet valid.
  • NET::ERR_CERT_COMMON_NAME_INVALID: Domain in the certificate doesn't match the address you visited.
  • NET::ERR_CERT_AUTHORITY_INVALID: Issuer is not in the trusted CA list (typical for self-signed or expired intermediate certificates).
  • NET::ERR_SSL_OBSOLETE_VERSION: Server only supports TLS 1.0/1.1.

Check it yourself: SSL-Check

SSL/TLS-Zertifikat, Restlaufzeit, Cipher. Enter a domain and see in seconds how your SSL is doing.

Also in the glossary

DMARC erklärt

DMARC

HSTS erklärt

HSTS

SPF erklärt

SPF

CSP erklärt

CSP

DKIM erklärt

DKIM

X-Frame-Options erklärt

X-FRAME-OPTIONS

Subresource Integrity erklärt

SUBRESOURCE-INTEGRITY

CORS erklärt

CORS

Cookie-Flags erklärt

COOKIE-FLAGS

DNSSEC erklärt

DNSSEC

CAA-Record erklärt

CAA-RECORD

Referrer-Policy erklärt

REFERRER-POLICY

Permissions-Policy erklärt

PERMISSIONS-POLICY

MIME-Sniffing & X-Content-Type-Options erklärt

MIME-SNIFFING