SSL, TLS, and HTTPS Explained: How the Web Keeps Your Data Private

That little padlock in your browser is doing a lot of work. Learn what SSL and TLS really are, how HTTPS encrypts the connection between a browser and a server, what certificates prove, and how the whole handshake fits together — explained from zero, vendor-neutral.

Published October 3, 202612 min readBy ACY Partner Indonesia
SSL, TLS, and HTTPS — encrypting the connection between a browser and a server
300 × 250Ad Space AvailablePlace your ad here

You’ve seen the padlock icon in the address bar a thousand times, and you’ve probably noticed that web addresses start with https:// instead of http://. Most people glance past it. But that tiny lock represents one of the most important pieces of plumbing on the internet — the thing that stops a stranger on your coffee-shop Wi-Fi from reading your password as it flies across the network.

The terms around it — SSL, TLS, HTTPS, certificates — get thrown around interchangeably and often confusingly. So let’s untangle them properly. By the end you’ll know exactly what’s happening when that padlock appears, why it matters for any website you put online, and where the common confusion comes from.

The problem: the internet is a public road

To understand why HTTPS exists, you have to picture what plain HTTP looks like. When your browser talks to a server over ordinary http://, the request and the response travel across the network as plain text — readable by anyone who can see the traffic.

And plenty of people can see the traffic. Your data doesn’t teleport from your laptop to the server. It hops through your Wi-Fi router, your internet provider, and a chain of network equipment in between. Any of those hops could, in principle, read what you sent.

   YOU                                          SERVER
  (browser)                                  (the website)
     │                                            │
     │   "login: john, password: hunter2"         │
     │ ─────── plain text, readable ────────────► │
     │                                            │
     ▼                                            │
  Wi-Fi router → ISP → other networks → ...
       👀 anyone here can read every word

With plain HTTP, that login above is genuinely sitting there in the open. Three things go wrong:

  • Eavesdropping — someone watching the connection can read everything: passwords, messages, card numbers.
  • Tampering — someone in the middle can quietly change the data, injecting ads or malicious code into a page before it reaches you.
  • Impersonation — you have no proof the server you’re talking to is really the one you wanted. A fake server could pretend to be your bank.

HTTPS exists to solve all three at once. It gives you privacy (nobody can read it), integrity (nobody can change it without you noticing), and authentication (you can verify who you’re really talking to).

So what are SSL and TLS?

Here’s the cleanest way to think about it: SSL and TLS are the lock; HTTPS is what you get when you put that lock on HTTP.

SSL (Secure Sockets Layer) was the original protocol for encrypting web traffic, created in the 1990s. Over the years it was found to have serious weaknesses, so it was replaced by TLS (Transport Layer Security) — a newer, safer protocol that does the same job but properly. SSL is, technically, dead and deprecated.

So why do people still say “SSL” everywhere? Pure habit. The name stuck. When someone says “SSL certificate” or “install SSL,” they almost always mean TLS under the hood. The modern, correct term is TLS, but the word “SSL” survives in everyday speech the way people still “dial” a phone number.

SSL is the old name, TLS is the real thing

If you take one fact from this article: the protocol that actually secures the web today is TLS. “SSL” is a legacy name people keep using out of habit. They almost never mean the literal, obsolete SSL protocol — they mean TLS. So “SSL certificate,” “SSL/TLS,” and “TLS certificate” all point at the same modern technology. Don’t let the mixed names trip you up.

And HTTPS? It’s not a separate protocol at all. HTTPS is simply HTTP running inside a TLS-encrypted connection. Same web requests and responses you already know — just wrapped in a secure tunnel so nobody in the middle can read or change them. The “S” stands for secure, and that security comes entirely from TLS.

   HTTP  =  your web request, in the open
   TLS   =  an encrypted tunnel
   HTTPS =  HTTP sent *through* the TLS tunnel

What TLS actually gives you

TLS delivers three guarantees, and it’s worth naming them clearly because each one defends against a different attack.

  • Encryption (privacy). Everything between your browser and the server is scrambled into unreadable nonsense. Even if someone captures the traffic, all they see is gibberish. Only the two ends hold the key to unscramble it.
  • Integrity (no tampering). TLS attaches a tamper-check to the data. If even a single byte is altered in transit, the other side detects it and rejects the message. Nobody can secretly inject or modify anything.
  • Authentication (proof of identity). Before encrypting, your browser verifies that the server really is who it claims to be — using a certificate. This is the part that stops an attacker from impersonating your bank.

That last point is the one people overlook, and it’s where certificates come in.

Certificates: proving who you are

Encryption alone isn’t enough. Imagine you set up a perfectly encrypted connection — but to an attacker pretending to be your bank. The encryption is flawless and completely useless, because you’re privately whispering your password to the wrong person.

A TLS certificate solves this. It’s a digital document that proves a server genuinely owns the domain it claims. When your browser connects to example.com, the server presents its certificate, which says, in effect, “I am the legitimate example.com, and here’s proof.”

But anyone can claim anything. What makes a certificate trustworthy is who signed it. Certificates are issued by a Certificate Authority (CA) — an organization your browser and operating system already trust. The CA’s job is to verify that whoever requests a certificate for example.com actually controls example.com before issuing it.

   CERTIFICATE AUTHORITY (trusted by your browser)
              │  vouches for ↓

        example.com's certificate
              │  presented to ↓

   Your browser: "A CA I trust signed this. OK, you're legit."

Your browser ships with a built-in list of trusted CAs. So the trust flows in a chain: you trust your browser → your browser trusts a list of CAs → a CA vouches for the website. That chain is what the padlock is quietly confirming every time it appears.

The padlock means encrypted, not 'safe'

A common misconception: the padlock proves a site is trustworthy or not a scam. It doesn’t. The padlock only confirms that the connection is encrypted and that the site holds a valid certificate for that domain. A scam site can absolutely get a free certificate and show a padlock. HTTPS protects the connection, not your judgment about who you’re connected to. Always read the domain name, not just the lock.

The TLS handshake, step by step

When you open an https:// page, a quick negotiation happens before any real data moves. It’s called the handshake, and it’s where the secure tunnel gets built. You never see it — it takes a fraction of a second — but here’s what’s going on under the hood.

  BROWSER                                          SERVER
     │                                                │
     │  1. "Hello. Here are the encryption            │
     │      methods I support."                       │
     │ ─────────────────────────────────────────────► │
     │                                                │
     │  2. "Hello. Let's use this method. Here is      │
     │      my certificate (proof of identity)."      │
     │ ◄───────────────────────────────────────────── │
     │                                                │
     │  3. Browser checks the certificate against     │
     │     its trusted CAs. ✓ valid.                  │
     │                                                │
     │  4. Both sides agree on a shared secret key     │
     │     (without ever sending it in the open).     │
     │ ◄──────────────────────────────────────────► │
     │                                                │
     │  5. From here on, everything is encrypted       │
     │     with that shared key.                       │
     │ ═══════════ secure tunnel open ═══════════════ │

Walking through it in plain words:

  1. Client hello. Your browser reaches out and lists the encryption methods (called cipher suites) and TLS versions it understands.
  2. Server hello + certificate. The server picks a method both sides support and sends back its certificate as proof of identity.
  3. Verification. Your browser checks the certificate: Is it signed by a CA I trust? Is it for the right domain? Has it expired? If anything fails, you get that scary warning page.
  4. Key agreement. This is the clever part. The two sides cooperate to establish a shared secret key for this session — using math that lets them agree on a key without ever transmitting the key itself across the network. An eavesdropper watching the whole exchange still can’t derive it.
  5. Encrypted session. With the shared key in place, all further communication — the actual web pages, your form submissions, everything — flows through the encrypted tunnel.

The beautiful trick in step 4 is why TLS works at all: two strangers who have never met can establish a private key over a completely public channel, in full view of an eavesdropper, and the eavesdropper still ends up locked out.

A small but important nuance: symmetric vs asymmetric

The handshake uses asymmetric cryptography (a public/private key pair, tied to the certificate) to safely agree on a session key. But asymmetric math is slow, so once that shared session key exists, the actual data is encrypted with fast symmetric cryptography (one shared key for both sides). In short: slow-but-clever crypto sets things up, fast crypto does the heavy lifting. You don’t need to manage any of this — TLS handles it — but knowing the two phases exist explains why the handshake is a one-time cost at the start of a connection, not on every request.

Where HTTPS fits in your stack

If you’ve followed how a web server answers requests, here’s the practical picture: TLS sits in front of your application. The encrypted tunnel is established at the connection level, the request is decrypted, and only then does your web server or app see the plain HTTP request and respond to it. On the way back, the response is re-encrypted before it leaves the machine.

This is one reason a reverse proxy is so commonly used: it’s a natural, single place to handle TLS for everything behind it. The proxy does the encryption and decryption (often called TLS termination), and the application servers behind it can speak plain HTTP on a trusted internal network. You set up the certificate once, in one spot, instead of in every service.

   Internet                Reverse proxy              App servers
  (HTTPS in) ───TLS───►  [ decrypts here ] ──plain HTTP──► [ your app ]

For static sites it’s even simpler — the same web server that serves your files also terminates TLS. Either way, the mental model is the same: encryption wraps the outside of the connection, your app logic lives on the inside.

Getting a certificate (the modern reality)

You might assume certificates are expensive or painful. They used to be. Today, getting a valid TLS certificate for a domain you control is usually free and automated. Non-profit certificate authorities issue certificates at no cost, and tooling can request, install, and automatically renew them for you so you never think about it.

The trade-off: free certificates are typically short-lived (they expire after a few months), which is why automation matters — you set up auto-renewal once and forget it. A certificate that silently expires is one of the most common causes of a sudden “your connection is not private” error on an otherwise healthy site.

Expired certificates take sites down

A certificate has an expiry date, and browsers refuse to trust an expired one — showing visitors a full-screen security warning that scares most of them away. Because expiry is silent until the day it happens, every team that runs an HTTPS site needs automatic renewal plus a calendar reminder or monitoring as a backstop. Treat “the certificate expired” as a real outage, because to your users, it is one.

There are also different types of certificates — covering a single domain, multiple domains, or a wildcard like *.example.com for all subdomains — and different validation levels. For most websites, the basic free, domain-validated certificate is exactly right. The fancier ones exist for specific business needs, not because the encryption itself is any stronger.

Why this matters for everything you build

HTTPS stopped being optional a long time ago. Browsers now mark plain http:// pages as “Not secure” right in the address bar. Search engines favor secure sites. Many modern browser features — from geolocation to service workers — simply refuse to run on an insecure connection. And users have been trained, rightly, to back away from sites without the padlock.

So if you put anything online — a blog, a portfolio, a real application — HTTPS is the baseline, not a bonus. The good news is that thanks to free certificates and automation, doing the right thing here is now easier than doing the wrong thing. There’s no longer a real excuse to ship plain HTTP.

Wrapping up

Here’s the whole picture in one place:

  • Plain HTTP sends data as readable text, exposing it to eavesdropping, tampering, and impersonation by anyone along the network path.
  • SSL is the old, deprecated name; TLS is the modern protocol that actually secures the web. When people say “SSL,” they almost always mean TLS.
  • HTTPS is just HTTP carried inside a TLS-encrypted tunnel — same web requests, now private and tamper-proof.
  • TLS provides three guarantees: encryption (privacy), integrity (no tampering), and authentication (proof of who you’re talking to).
  • A certificate, signed by a trusted Certificate Authority, proves a server owns its domain — that’s the identity half of HTTPS, and it’s why the padlock alone doesn’t mean a site is “safe,” only that the connection is encrypted.
  • The handshake negotiates a shared session key over a public channel without ever sending the key, then switches to fast encryption for the actual data.
  • Certificates today are usually free and auto-renewable — and letting one expire is a genuine outage.

Once a request makes it safely through TLS, it lands on something that turns it into a response. A useful next distinction is between the piece that handles the connection and serving — the web server — and the piece that runs your program’s actual logic: a web server versus an application server, and why most real setups use both.

Tags:serverweb-servershttpstlssecuritybeginner
728 × 90Ad Space AvailablePlace your ad here

Related Articles

See All Articles

You Might Also Like

SSL and encryption at rest — data protected in transit and on disk
Server / Server Security

SSL and Encryption at Rest: Protecting Data Both in Transit and on Disk

Encryption protects your data in two places: while it travels the network (in transit) and while it sits on disk (at rest). Learn the difference, why you need both, how TLS, full-disk encryption, and key management actually fit together, and the practical mistakes to avoid — explained from the.

Nov 9, 202613 min read
Securing ports and services — closing the doors on a server you don't use
Server / Server Security

Securing Ports and Services: Closing the Doors You Don't Use

Every open port on a server is a door someone could try to walk through. Learn what ports and services really are, why an exposed service is your biggest risk, and the simple discipline of closing everything you don't need — explained from the ground up.

Nov 8, 202611 min read
Principle of least privilege — granting only the minimum access each user and process needs
Server / Server Security

The Principle of Least Privilege: Give Everything Only the Access It Truly Needs

Least privilege is the quiet rule behind almost every solid security setup: every user, process, and key gets the minimum access required to do its job, and nothing more. Learn what it means, why it limits the blast radius of any breach, and how to apply it across users, services, files, and keys.

Nov 7, 202613 min read
Fail2ban and intrusion basics — watching logs and automatically banning repeated abusers
Server / Server Security

Fail2ban and Intrusion Basics: Automatically Banning the Bots Hammering Your Server

Attackers don't stop after one failed guess — they keep hammering, thousands of times a day. Learn how intrusion attempts actually look, what fail2ban does, how it watches your logs and bans abusers automatically, and how to set it up sensibly without locking yourself out — explained from zero.

Nov 6, 202613 min read
Keeping software updated — closing known security holes before attackers use them
Server / Server Security

Keeping Software Updated: The Boring Habit That Stops Most Server Breaches

Most servers don't get hacked through clever new attacks — they get hacked through old, known holes that a simple update would have closed. Learn why updates matter, what to update, how to do it safely without breaking things, and how to make it a habit instead of a panic.

Nov 5, 202610 min read
Firewall configuration — a default-deny rule set that opens only the ports you need
Server / Server Security

Firewall Configuration: Setting Up Default-Deny Rules Without Locking Yourself Out

Knowing what a firewall is and actually configuring one well are two different skills. Learn how to write a default-deny rule set, order rules correctly, allow your own access first, handle IPv6 and cloud security groups, and test before you commit — a practical, vendor-neutral guide from zero.

Nov 4, 202615 min read