Security · intermediate · 12 min read

SSL/TLS Handshake Deep Dive

Learn how HTTPS connections are established. Understand the TLS handshake, certificates, cipher suites, and how encryption protects your data.

Why TLS Matters

TLS (Transport Layer Security) encrypts communication between your browser and a server. Without it, anyone on the same network could read passwords, tokens, and personal data in transit. TLS provides three guarantees:

  • Confidentiality — data is encrypted so only the intended recipient can read it
  • Integrity — data cannot be modified in transit without detection
  • Authentication — the server proves its identity via a certificate

The TLS 1.3 Handshake

TLS 1.3 simplified the handshake to just one round trip:

  1. Client Hello — the client sends supported cipher suites and a key share.
  2. Server Hello — the server picks a cipher suite, sends its key share and certificate.
  3. Finished — both sides derive the session keys and confirm the handshake.

TLS 1.2 required two round trips. The 1.3 handshake is faster and removes insecure options like RSA key exchange.

Certificates and the Chain of Trust

An SSL certificate contains the server's public key and is signed by a Certificate Authority (CA). Your browser trusts a set of root CAs. When it receives a certificate, it verifies the chain:

Server cert → Intermediate CA → Root CA

If the chain is valid and the certificate covers the requested domain, the connection proceeds. If not, you see a browser warning.
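
The chain check described above can be reproduced offline with the openssl CLI. This is an added example, not part of the original tutorial; the host name www.example.test, the "Constructed" certificate names and the file names are made up for the demonstration.

```sh
#!/bin/sh
# Added example: throwaway Root CA -> Intermediate CA -> server cert chain.
# All names (www.example.test, "Constructed ..." CNs, file names) are made up.

build_chain() {   # $1 = empty working directory
    d=$1
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # One private key and signing request per certificate in the chain.
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
            -subj "/CN=Constructed $n" -keyout "$d/$n.key" \
            -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Root signs itself, root signs the intermediate, intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/x.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/x.cnf" -extensions ca \
        -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/x.cnf" -extensions leaf \
        -out "$d/leaf.pem" 2>/dev/null
}

# Verify as a client would: only the root is trusted. $3 is the file of
# intermediates the server sent; omit it to model a server that sent none.
verify_server() {   # $1 = dir, $2 = requested host name, $3 = intermediates
    openssl verify -CAfile "$1/root.pem" ${3:+-untrusted "$3"} \
        -verify_hostname "$2" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    w=$(mktemp -d) && build_chain "$w" || return 1
    verify_server "$w" www.example.test "$w/int.pem" && echo "full chain: accepted"
    verify_server "$w" www.example.test || echo "no intermediate: rejected"
    verify_server "$w" other.example.test "$w/int.pem" || echo "wrong name: rejected"
    rm -rf "$w"
}
demo
```

The second case is the common misconfiguration where a server sends only its own certificate: the client trusts the root but cannot link the server certificate to it without the intermediate.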

Inspecting a Certificate

You can inspect any site's certificate from the command line:

# View certificate details
openssl s_client -connect devforge.tools:443 -servername devforge.tools </dev/null 2>/dev/null | openssl x509 -text -noout

# Check expiration date
openssl s_client -connect devforge.tools:443 -servername devforge.tools </dev/null 2>/dev/null | openssl x509 -noout -dates

# View the full certificate chain
openssl s_client -connect devforge.tools:443 -servername devforge.tools -showcerts </dev/null
