SSL / TLS
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between browser and server and verify website identity with certificates.
Every time you open a site with 'https://', TLS in the background ensures no one can read or tamper with your data. The lock icon in the browser is the visible sign of an encrypted connection. Without SSL/TLS, passwords, payment data and personal information would be visible in plain text on the network. Today HTTPS is not optional – browsers warn on unencrypted pages and Google uses it as a ranking factor.
What is SSL / TLS?
SSL and TLS are cryptographic protocols on the transport layer that establish an encrypted connection between a client (e.g. browser) and a server. SSL was developed by Netscape in the 1990s, but every SSL version, up to and including SSL 3.0 (1996), is considered insecure. TLS is the modern successor – TLS 1.3 (2018) offers better security and performance. An SSL/TLS certificate confirms a website's identity and is issued by a Certificate Authority (CA). The protocol combines asymmetric encryption (key exchange) with symmetric encryption (data transfer) and uses digital certificates to ensure the other party is who they claim to be.
How does SSL / TLS work?
When an HTTPS connection is set up, the TLS handshake runs first. The browser contacts the server and receives its certificate, then checks that certificate against its list of trusted CAs. Browser and server then agree on a session key using asymmetric cryptography. From then on all traffic is encrypted with this symmetric key, which is faster than asymmetric encryption. TLS 1.3 has reduced the handshake to one round trip, which significantly shortens connection setup.
Practical Examples
- An online shop protects payment with TLS 1.3 so card and personal data are encrypted in transit.
- A company site uses a free Let's Encrypt certificate for HTTPS and a secure connection for visitors.
- A bank uses Extended Validation (EV) certificates that confirm the company's identity after thorough checks.
- A web app enforces HTTPS via HSTS (HTTP Strict Transport Security) so browsers only load the site encrypted.
- An API server uses mTLS (mutual TLS) where the client also authenticates with a certificate.
Typical Use Cases
- Every site that handles user data (login, forms, payments) must use HTTPS with TLS
- API communication between microservices is secured with TLS to protect internal traffic
- Email servers use STARTTLS or implicit TLS to encrypt email in transit
- VPNs use TLS as transport encryption for secure remote access
- IoT devices use TLS for communication between sensors, gateways and cloud
Advantages and Disadvantages
Advantages
- Privacy: Encrypts all data between browser and server so third parties cannot read it
- Trust: The lock and HTTPS signal a secure, trustworthy site to visitors
- SEO: Google favours HTTPS over unencrypted in ranking
- GDPR: Encrypted transmission is a basic requirement of data protection regulation
- Free option: Let's Encrypt provides valid TLS certificates for free with automated renewal
Disadvantages
- Small performance cost from the TLS handshake – barely noticeable with TLS 1.3
- Certificate management: Certificates must be renewed (Let's Encrypt: every 90 days); automation is recommended
- False security: HTTPS protects transport but not against application vulnerabilities (XSS, SQL injection)
- Debugging: Encrypted traffic makes network troubleshooting harder
Frequently Asked Questions about SSL / TLS
What is the difference between SSL and TLS?
Is a free SSL certificate (Let's Encrypt) as secure?
Why do I need HTTPS if I do not collect user data?