What Is SSL/TLS and How Does It Work?
SSL/TLS in one sentence
SSL/TLS is the protocol that encrypts data as it travels between your browser and a web server, so that anyone sitting in between cannot read or tamper with it. It is the technology behind HTTPS. If you want the plain-English version of why the padlock appears and what it means for everyday browsing, read HTTPS Explained: Why That Padlock Matters. This page goes one layer deeper into how the protocol actually works.
SSL vs TLS: a naming history
SSL (Secure Sockets Layer) was the original protocol. SSL 2.0 and SSL 3.0 are both long deprecated and considered insecure. The protocol was renamed TLS (Transport Layer Security) when it was standardized, and it has evolved through several versions.
In everyday speech people still say "SSL" when they almost always mean modern TLS. The terms are used interchangeably even though SSL itself is obsolete.
The TLS handshake
Before any real data is exchanged, the client and server perform a handshake. In simple terms, they agree on which protocol version and cipher to use, the server presents its certificate to prove its identity, and the two sides establish the shared keys used to encrypt the rest of the conversation. TLS 1.3 streamlined this handshake so connections start faster while removing older, weaker options.
X.509 certificates and the chain of trust
The server proves its identity with an X.509 certificate, the format defined in RFC 5280. A certificate binds a domain name to a public key and is signed by a Certificate Authority (CA). Your browser ships with a list of trusted root CAs, and it verifies the certificate by following the chain from the server certificate up through any intermediate certificates to a trusted root.
A certificate typically contains the subject domain, the public key, the issuing Certificate Authority, and validity dates.
Encryption in transit is not the same as a safe website
This is the most common misconception. A valid certificate proves that the connection is encrypted and that you are talking to the domain named in the certificate. It does not mean the website is honest, legitimate, or safe. A phishing or malware site can obtain a perfectly valid certificate, show a padlock, and still be malicious. SSL/TLS protects the data in transit; it says nothing about the trustworthiness of the content on the other end. The defenses against malicious content are different layers, such as HTTP security headers and careful checking of the domain name.
How to check a website's certificate
You can inspect a certificate in any browser by clicking the padlock icon in the address bar and viewing the certificate details, where you can see the issuer, the validity dates, and the protocol version. For a faster read on the issuer, expiry, and protocol support, you can run a domain through our free SSL/TLS certificate checker. Checking the certificate is a good habit before trusting a login or payment page, alongside confirming the domain name is exactly what you expect.
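The same checks in script form, as an added example that is not part of the original page: Python's standard `ssl` module verifies the chain and hostname on a live connection, and `summarize` reads the issuer, covered names and validity dates out of the resulting certificate dictionary. The function names, the simplified wildcard rule and the `SAMPLE` certificate are assumptions made up for this illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_certificate(host, port=443, timeout=5.0):
    """Live check: verify chain and hostname, return (protocol, cert dict)."""
    ctx = ssl.create_default_context()            # system root CAs, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and 1.1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()

def name_matches(pattern, host):
    """Exact match, or '*' standing for one left-most label (simplified rule)."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def summarize(cert, host, now=None):
    """Reduce a getpeercert() dict to the fields worth reading."""
    now = now or datetime.now(timezone.utc)
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    start, end = (datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[f]), timezone.utc)
                  for f in ("notBefore", "notAfter"))
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "names": sans,
        "name_ok": any(name_matches(s, host) for s in sans),
        "in_validity_window": start <= now <= end,
        "days_left": (end - now).days,
    }

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Test CA"),),
               (("commonName", "Example Test CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}

if __name__ == "__main__":
    when = datetime(2025, 3, 1, tzinfo=timezone.utc)
    print(summarize(SAMPLE, "shop.example.com", when))
    print(summarize(SAMPLE, "shop.examp1e.com", when))  # look-alike name: name_ok is False
```

A `name_ok` of True only confirms that the certificate covers the name you typed; whether that name is the one you meant to visit still has to be checked by eye.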
Frequently Asked Questions
Is SSL the same as TLS?
SSL and TLS are closely related but not identical. TLS is the modern successor to SSL, and all SSL versions are now deprecated and insecure. When people say SSL today they almost always mean modern TLS, so the terms are used interchangeably in casual speech.
What is the difference between TLS 1.2 and TLS 1.3?
TLS 1.2 is defined in RFC 5246 and remains widely supported and secure when configured well. TLS 1.3, defined in RFC 8446, is the current version with a faster handshake and a smaller set of secure options. TLS 1.3 removed many older, weaker features that existed in TLS 1.2.
What is inside an SSL certificate?
An X.509 certificate, defined in RFC 5280, binds a domain name to a public key. It contains the subject domain, the public key, the issuing Certificate Authority, and validity dates. The certificate is signed by the CA so that browsers can verify it through a chain of trust.
Does a valid SSL certificate mean a website is safe?
No. A valid certificate only proves the connection is encrypted and that you are talking to the domain named in the certificate. It does not prove the website is honest or legitimate, because a phishing site can also obtain a valid certificate. Always check the domain name itself, not just the padlock.
How do I check an SSL certificate?
In any browser you can click the padlock in the address bar and view the certificate details to see the issuer, validity dates, and protocol version. You can also run the domain through an online SSL/TLS certificate checker for a quick read on expiry and protocol support. Checking the certificate is a good habit before entering a password or payment details.