SSL/TLS

Also known as: SSL, TLS, Transport Layer Security, Secure Sockets Layer

Cryptographic protocols that encrypt communication between a client and a server, providing confidentiality, integrity, and authentication on top of TCP.

What are SSL and TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure communication over a network. TLS is the current standard; SSL is the obsolete predecessor. Despite the name persisting in everyday language ("SSL certificate"), every modern deployment uses TLS — SSL 2.0 and SSL 3.0 are deprecated and insecure, and TLS 1.0 and 1.1 were retired in 2020.

TLS runs on top of TCP and provides three guarantees:

  • Confidentiality — an attacker observing the network cannot read the contents
  • Integrity — an attacker cannot modify data in flight without detection
  • Authentication — the client can verify it's really talking to the intended server, via the server's X.509 certificate

The TLS handshake

A TLS connection begins with a handshake that negotiates parameters and authenticates the server:

  1. ClientHello — client sends its supported versions, cipher suites, and a random nonce
  2. ServerHello — server picks a version and cipher suite, sends its random nonce
  3. Certificate — server sends its X.509 certificate chain
  4. Key exchange — client and server derive a shared secret (ECDHE is the modern choice)
  5. Finished — both sides confirm the handshake and switch to the encrypted channel

TLS 1.3 (2018) reduces this to a single round-trip, with a 0-RTT resumption mode for returning clients. The handshake runs on the same TCP connection that then carries the HTTP requests, so HTTPS (HTTP inside TLS) is a distinct service from plain HTTP and uses its own port, 443.

What a TLS certificate does

A TLS certificate proves to the client that the server controls the domain it claims to serve. Certificates are issued by Certificate Authorities (CAs) — Let's Encrypt, DigiCert, Sectigo, Google Trust Services, and others — that the client's operating system has pre-trusted. When a CA signs a certificate, the client's TLS library can walk the chain of signatures back to a trusted root and confirm the identity.

Modern certificates are usually issued via ACME (Automated Certificate Management Environment) — the protocol Let's Encrypt pioneered — and rotate every 60-90 days automatically. Our SSL certificate checker inspects any site's certificate chain, expiry, cipher suites, and configuration.
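As an added illustration (not the site's checker and not code from this page), a small Python probe that performs the handshake described above against a host, lets the OS trust store validate the certificate chain and hostname, and summarizes the negotiated protocol, cipher suite and certificate lifetime. The thresholds and the SAMPLE_CERT dictionary are constructed for illustration; probe() needs network access.

```python
import socket
import ssl
import time

# Longest lifetime the page gives for publicly trusted certificates as of 2026.
MAX_LIFETIME_DAYS = 200
# Warn when fewer days than this remain, so failed ACME renewals surface early.
RENEWAL_WARNING_DAYS = 30
DAY = 86400

# Constructed sample in the dict shape that SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}

def summarize_cert(cert: dict, now: str = "") -> dict:
    """Summarize a getpeercert() dict. `now` uses the certificate date format
    ('Mon DD HH:MM:SS YYYY GMT') and defaults to the current time."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_s = ssl.cert_time_to_seconds(now) if now else time.time()
    lifetime_days = (not_after - not_before) // DAY
    days_left = int((not_after - now_s) // DAY)
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return {
        "issuer": issuer.get("organizationName", "?"),
        "dns_names": [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"],
        "lifetime_days": lifetime_days,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left < RENEWAL_WARNING_DAYS,
        "exceeds_max_lifetime": lifetime_days > MAX_LIFETIME_DAYS,
    }

def probe(host: str, port: int = 443) -> dict:
    """Handshake with host; the default context walks the chain back to an OS
    trust root and checks the hostname, failing the connection otherwise."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0/1.1
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            summary = summarize_cert(tls.getpeercert())
            summary["protocol"] = tls.version()   # e.g. 'TLSv1.3'
            summary["cipher"] = tls.cipher()[0]   # negotiated cipher suite name
            return summary
```

Running probe("example.com") on a server that only offers SSL 3.0 or TLS 1.0/1.1, or whose chain does not lead to a trusted root, raises an ssl.SSLError instead of returning a summary.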

Frequently Asked Questions

TLS is the modern, secure successor to SSL. The two share the same lineage — TLS 1.0 was originally a renamed SSL 3.1 — but every SSL version (1.0, 2.0, 3.0) is now obsolete and considered insecure. Despite the name persisting in everyday language ("SSL certificate", "OpenSSL"), every modern HTTPS deployment uses TLS 1.2 or TLS 1.3. Using actual SSL today would fail in every modern browser.

Domain-validated certificates are free from Let's Encrypt, ZeroSSL, Google Trust Services, and Buypass via the ACME protocol, with automatic 90-day renewal. Organization-validated and extended-validation certificates still cost money because they involve manual identity checks. Free certificates are technically and cryptographically identical to paid ones — the difference is the level of human verification done before issuance.

The padlock means your connection to that specific server is encrypted with TLS and the server's certificate is signed by a CA your browser trusts. It does not mean the site is safe, legitimate, or operated by the brand it appears to represent. A phishing site with a free Let's Encrypt certificate will display the same padlock as a major bank. Always verify the actual domain name in the address bar.

As of 2026 the maximum is 200 days for publicly trusted certificates, and the CA/Browser Forum has voted to lower this to 47 days by 2029. Let's Encrypt and Google Trust Services have already moved to short lifetimes (90 days each). Short lifetimes reduce the impact of stolen private keys and incentivize automated renewal via ACME. Long lifetimes are a legacy of manual certificate management.

TLS 1.3 (RFC 8446, 2018) is the latest stable version. The main differences from TLS 1.2 are: a single round-trip handshake (or zero round-trip for resumed sessions), removal of weak cipher suites and legacy key-exchange modes (RSA, static DH, RC4, MD5, SHA-1), forward secrecy required by default, and encryption of most handshake metadata. TLS 1.3 is faster and more secure, and every major browser, server, and CDN supports it.