What is TLS and HTTPS?

The Protocol Powering Secure Internet

Transport Layer Security (TLS) is the cryptographic protocol that transforms plain HTTP into HTTPS, the secure version of the web. Every time you see a padlock icon in your browser's address bar, TLS is actively encrypting every single byte flowing between your device and the server. Without TLS, your passwords, credit card numbers, and private messages would travel across the internet as raw, readable text visible to anyone monitoring the network.

A TLS connection begins with a 'handshake', a precise sequence of cryptographic negotiations. The client sends a ClientHello message listing the cipher suites and key-exchange groups it supports. The server responds with a ServerHello, selecting the cipher suite it will use from those the client offered and presenting its X.509 certificate. The client verifies the certificate chain against its trusted root Certificate Authorities, then both parties complete an ephemeral key exchange (ECDHE, most commonly over X25519) to derive a shared symmetric session key.

Once the handshake completes, all subsequent data is encrypted using the negotiated symmetric cipher (commonly AES-256-GCM or ChaCha20-Poly1305). The ephemeral asymmetric keys used during the handshake are intentionally discarded once the session keys have been derived. Symmetric encryption is orders of magnitude faster, so it handles bulk data transfer efficiently. TLS 1.3 reduced the full handshake to a single round trip (1-RTT), and it even supports 0-RTT resumption for returning clients.

Everyday Example

Imagine entering a bank. First, you verify the bank is legitimate by checking the sign, the license on the wall, and the security guard's badge (certificate verification). Then you and the teller agree on a secret codeword by whispering once (the handshake). From that point forward, every transaction is conducted using that codeword so that even if someone is eavesdropping on the lobby, they hear only gibberish.

The Deep Mathematics

TLS 1.3 mandates ephemeral Diffie-Hellman key exchange exclusively, enforcing Perfect Forward Secrecy. The client generates an ephemeral keypair (a, A = a·G) and the server generates (b, B = b·G) on Curve25519 using the X25519 function. Both independently compute the shared secret S = a·B = b·A = ab·G. This shared secret feeds into the HKDF key schedule (Extract followed by Expand) to derive distinct client_write_key, server_write_key, client_write_iv, and server_write_iv values, cryptographically isolating each direction of communication.
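The exchange above carried through in code, as an added example that is not part of the original article: a pure-Python Montgomery ladder for X25519 (RFC 7748), the two ephemeral keypairs, the check that a·B equals b·A, and an HKDF Extract/Expand step that yields separate per-direction keys and IVs. The key schedule is deliberately simplified (real TLS 1.3 also mixes the handshake transcript hash into every derivation, and the labels used here are illustrative), and the curve arithmetic is not constant-time.

```python
import hashlib, hmac
# Curve25519 parameters from RFC 7748. Teaching implementation with plain Python ints:
# not constant-time, so it only exists to make the handshake math visible.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")   # the generator G has u-coordinate 9

def _clamp(k: bytes) -> int:
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u via the Montgomery ladder (RFC 7748 section 5)."""
    k_int, x1 = _clamp(k), (int.from_bytes(u, "little") & (2**255 - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3, z2, z3 = (x3, x2, z3, z2) if swap else (x2, x3, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out = block = b""
    for i in range(1, -(-length // 32) + 1):   # ceil(length / HashLen) blocks
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]

def derive_traffic_keys(shared: bytes) -> dict:
    """Simplified schedule: Extract the DH secret, then Expand a distinct key and IV per direction."""
    prk = hkdf_extract(b"\x00" * 32, shared)
    return {f"{side}_write_{part}": hkdf_expand(prk, f"tls13 {side} ap traffic {part}".encode(), n)
            for side in ("client", "server") for part, n in (("key", 32), ("iv", 12))}

def handshake(a: bytes, b: bytes):
    A, B = x25519(a, BASEPOINT), x25519(b, BASEPOINT)   # client publishes A, server publishes B
    s_client, s_server = x25519(a, B), x25519(b, A)     # a*B on the client, b*A on the server
    return s_client, s_server, derive_traffic_keys(s_client)
```

The 32-byte scalars passed to handshake stand in for the ephemeral private keys; a fresh server scalar produces an unrelated secret, which is what forward secrecy buys.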

Discover how giovium protects your data

giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.
