Skip to main content
Explainer · security

TLS / HTTPS, in plain English

The padlock icon means three things at once: there is an encrypted tunnel to the site, the site proved who it is, and any tampering will break the connection. Here is what is actually happening behind that icon.

The three jobs TLS does

Every secure HTTPS connection sits on top of the TLS protocol. TLS performs three functions, all at the same time, all during a brief negotiation at the start of the connection:

The TLS 1.3 handshake, step by step

TLS 1.3 (RFC 8446, finalized in 2018) is the version every modern browser and CDN now uses by default. Its biggest change over TLS 1.2: the handshake takes one round-trip instead of two, which alone takes about 50 ms off every cold connection across the Atlantic.

  1. ClientHello. Your browser sends the server: a list of TLS versions it supports, a list of cipher suites it can use, key-share values for the elliptic curves most likely to be picked (so the key exchange can happen in this round-trip), and — in the SNI extension — the hostname it wants to talk to. SNI exists because many servers host multiple TLS sites on the same IP and need to know which certificate to present.
  2. ServerHello + Certificate + Finished. The server picks one cipher suite, sends back its certificate chain, derives the same session keys from the client's key-share, and signs the handshake transcript to prove it owns the certificate's private key. All in one flight of packets.
  3. Client Finished. Your browser verifies the certificate chain back to a trusted root, verifies the server's signature, and sends a final "Finished" message (also encrypted). From this point on, every byte is encrypted application data — the actual HTTP request can ride on the same flight of packets if the browser is feeling ambitious.

With 0-RTT (zero round-trip) session resumption, repeat visits skip the handshake entirely: the browser sends the first HTTP request encrypted under keys derived from a previous session ticket, before the server has acknowledged anything. The trade-off is slightly weaker replay protection — 0-RTT data is only safe for idempotent requests like GET.

What an attacker on the wire can and cannot see

People often assume HTTPS hides everything. It doesn't. The TLS handshake leaves several pieces of metadata visible by design:

What an observer cannot see (assuming the cryptography holds): the URL path, the query string, the request headers, the request body, the response status, the response body, any cookies, any auth tokens. Everything inside the encrypted tunnel is opaque.

SNI, ECH, and the privacy frontier

SNI is the obvious leak. Encrypted Client Hello (ECH) — the successor to the earlier ESNI proposal — wraps the entire ClientHello (including SNI) in a second layer of encryption keyed to a public key the CDN publishes in DNS. The outer ClientHello says only "I'm talking to the Cloudflare front"; the inner ClientHello (which the CDN can decrypt) carries the real hostname.

Practical impact: an observer at your ISP sees that you connected to a Cloudflare IP and exchanged some HTTPS traffic, but they cannot tell which of the millions of sites behind that IP you reached. This defeats casual SNI-based censorship in countries that filter on hostname (Iran, Russia, China at varying levels of sophistication) and neutralizes a class of bulk site-fingerprinting tools at ISPs.

Cloudflare turned on ECH at scale in 2023, Firefox enabled it by default in 2024, and Chrome shipped experimental support through Origin Trials. As of 2026 it's the default for a significant fraction of the web, with the rest catching up.

Why the certificate authority system matters so much

The whole authentication story rests on Certificate Authorities. Your browser trusts a list of about 130 root CAs out of the box; any of them, if compromised, can issue a certificate that fraudulently identifies any domain. That happened in 2011 with DigiNotar (compromised, issued fake Google certs, the CA was removed from every browser within a month) and several times since at smaller scales. The infrastructure around the CAs is what keeps the system honest:

The cipher suite story

A cipher suite bundles together the choices the protocol makes: how to do key exchange, how to authenticate, how to encrypt. TLS 1.3 dramatically simplified this — there are only five standard suites, all using AEAD ciphers, all with forward secrecy:

Compare to TLS 1.2's 37+ suites, many of which had subtle vulnerabilities (BEAST, Lucky 13, FREAK, Logjam, etc.). TLS 1.3 removed the bad options entirely. Use the TLS / SSL checker to see which suite a given site negotiates.

Common confusions, cleared up

SSL vs. TLS

SSL 3.0 was definitively broken by POODLE in 2014. TLS 1.0 followed in 2020. Modern browsers won't negotiate anything below TLS 1.2; TLS 1.3 is the current state of the art. "SSL certificate" is a marketing artifact — what you're buying is a TLS certificate.

Port 80 vs. 443

Port 80 is plain HTTP. Port 443 is HTTPS (HTTP over TLS). Modern sites redirect 80 → 443 and add HSTS so the browser remembers to use 443 directly on future visits. New protocols like HTTP/3 ride on top of UDP/443 instead of TCP/443 but still terminate TLS the same way.

Free vs. paid certificates

Cryptographically identical. Paid CAs buy you organization-validated or extended validation (which browsers no longer display prominently), warranty terms enterprises need for compliance, and (sometimes) better support. For the vast majority of websites, free Let's Encrypt certificates renewed automatically by Caddy or Certbot are the correct choice. IPFerret runs on exactly that setup.

How to inspect a site's TLS yourself

Related reading