SSL / HTTPS
Cryptographic protocols (TLS, formerly SSL) that encrypt traffic between a browser and a web server, and the HTTPS scheme that uses them.
Also known as: SSL, HTTPS, TLS, SSL certificate
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt data sent between a browser and a web server. HTTPS (HyperText Transfer Protocol Secure) is the URL scheme that signals a website is using TLS to secure its traffic.
The terms “SSL” and “TLS” are often used interchangeably in everyday language, though SSL itself is now obsolete and modern systems use TLS. “SSL certificate” remains the common name for the digital certificate that enables HTTPS.
What HTTPS provides
HTTPS provides three guarantees on top of plain HTTP:
- Encryption. Data sent between browser and server cannot be read by intermediaries (Wi-Fi snoopers, ISPs, network operators)
- Integrity. Data cannot be modified in transit without detection
- Authentication. The browser can verify it is connected to the genuine server for the requested domain (not an impersonator)
How HTTPS works
A simplified handshake:
- The browser requests an HTTPS connection to the server
- The server sends its TLS certificate, which includes its public key and is signed by a trusted certificate authority (CA)
- The browser validates the certificate (checks the signature chain up to a trusted CA, the validity period, and that the certificate covers the requested domain)
- The browser and server perform a key exchange to establish a shared symmetric encryption key
- All subsequent traffic is encrypted with that key
Modern TLS (1.3) completes the handshake in fewer round trips than older versions, reducing the performance overhead.
TLS certificates
A TLS certificate is a digital file that:
- Identifies the domain (or domains) the certificate covers
- Contains a public key
- Is signed by a certificate authority (CA) that browsers trust
Types of certificates
| Type | What it validates | Typical use |
|---|---|---|
| Domain Validated (DV) | That the requester controls the domain | Most websites; standard HTTPS |
| Organization Validated (OV) | Domain control + organization identity | Business sites where extra trust matters |
| Extended Validation (EV) | Strict identity verification | Banks, financial services (browsers have largely dropped the distinctive EV indicator) |
| Wildcard | All subdomains of a domain (e.g., *.example.com) | Sites with many subdomains |
| Multi-domain (SAN) | Multiple specified domains | Sites covering several distinct domains |
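The validation step in the handshake above and the wildcard and multi-domain rows of the table come together in the browser's check that a certificate is unexpired and actually covers the requested hostname. The following is an added example, not code from the original page: it performs that check over constructed certificate records laid out like the dict Python's ssl.getpeercert() returns (sample data, not real certificates), and the 30-day renewal window is an assumed default.

```python
import ssl

# Constructed certificate records in the dict shape that
# ssl.SSLSocket.getpeercert() returns (sample data, not real certificates).
SAMPLE_CERTS = {
    "wildcard": {  # covers the bare domain plus one level of subdomain
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
        "notAfter": "Mar 31 23:59:59 2024 GMT",
    },
    "multi_domain": {  # SAN certificate listing two unrelated domains
        "subjectAltName": (("DNS", "shop.example"), ("DNS", "blog.example")),
        "notAfter": "Dec 31 23:59:59 2024 GMT",
    },
}

def cert_time(value: str) -> float:
    """Seconds since the epoch (UTC) for a notAfter-style certificate date."""
    return ssl.cert_time_to_seconds(value)

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: '*' is allowed only as the whole leftmost label and stands
    for one label, so *.example.com covers www.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return bool(h_labels[0]) and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Compare the requested domain against the SAN DNS entries only; modern
    browsers ignore the subject commonName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(n, hostname) for n in names)

def days_remaining(cert: dict, now: float) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    return (cert_time(cert["notAfter"]) - now) / 86400

def validate(cert: dict, hostname: str, now: float) -> list:
    """Problems a browser would flag at time `now`; empty means accepted."""
    problems = []
    if days_remaining(cert, now) < 0:
        problems.append("expired")
    if not hostname_matches(cert, hostname):
        problems.append(f"does not cover {hostname}")
    return problems

def needs_renewal(cert: dict, now: float, within_days: int = 30) -> bool:
    """True inside the renewal window (the 30-day default is an assumption)."""
    return days_remaining(cert, now) < within_days
```

Feed the dict from a real ssl.getpeercert() call and time.time() as `now` to run the same checks against a live server.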
Certificate authorities
Common certificate authorities include Let’s Encrypt (free, automated), DigiCert, Sectigo (formerly Comodo), GlobalSign, and AWS Certificate Manager (free for AWS resources).
Let’s Encrypt has made free, automated certificates standard since 2016. Most modern hosting platforms provision Let’s Encrypt certificates automatically.
Why HTTPS matters
- Security. Without HTTPS, anyone on the network path can read or modify traffic
- SEO. Google uses HTTPS as a (small) ranking signal and labels HTTP sites as “not secure” in Chrome
- Browser features. Many modern web APIs (geolocation, service workers, push notifications, secure cookies) require HTTPS
- User trust. Browsers display warnings on HTTP pages, especially those with form inputs
- Required by some integrations. Payment processors, single sign-on providers, and many APIs require HTTPS
Where HTTPS is configured
HTTPS is typically set up at one of these layers:
- Hosting platform. Most modern hosts (Cloudflare Pages, Netlify, Vercel, managed WordPress hosting) handle SSL automatically
- CDN. Cloudflare, Fastly, and similar CDNs terminate TLS at the edge
- Web server. Nginx, Apache, or Caddy can be configured directly
- Load balancer. AWS ELB and Google Cloud Load Balancer often handle TLS termination
In each case, the certificate is installed on the server or service that handles incoming connections.
Mixed content
A page served over HTTPS that loads resources (images, scripts, stylesheets) over plain HTTP is “mixed content.” Modern browsers block or warn about mixed content because it weakens the security guarantees of HTTPS. Resolving mixed content involves serving all subresources over HTTPS as well.
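Finding mixed content before a browser does means scanning the page's subresource references and resolving each one against the page URL, since relative and protocol-relative (//host/...) references inherit HTTPS and are not a problem. The scanner below is an added example, not code from the original page; it runs over a constructed sample page (not a real site) and labels findings using the Mixed Content spec's split between blockable (scripts, stylesheets, frames) and optionally blockable (images, media) resources.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Mixed Content spec classes: scripts, stylesheets and frames are "blockable" (browsers
# refuse to load them); images and media are "optionally blockable" (warned about or upgraded).
SUBRESOURCES = {
    ("script", "src"): "blocked", ("link", "href"): "blocked", ("iframe", "src"): "blocked",
    ("img", "src"): "warning", ("audio", "src"): "warning", ("video", "src"): "warning",
}

# Constructed sample page (not a real site) with a mix of secure and insecure references.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//static.example.com/app.js"></script>
<script src="https://static.example.com/secure.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="/images/local.png">
<video src="http://media.example.com/intro.mp4"></video>
</body></html>
"""

class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        key = (tag, "href" if tag == "link" else "src")
        if key not in SUBRESOURCES or not attrs.get(key[1]):
            return
        # <link> is a subresource only when it pulls in a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # urljoin resolves relative and protocol-relative (//host/...) URLs against the page.
        url = urljoin(self.page_url, attrs[key[1]])
        if urlsplit(url).scheme == "http":
            self.findings.append((SUBRESOURCES[key], tag, url))

def find_mixed_content(html: str, page_url: str) -> list:
    """Return (severity, tag, url) for every plain-HTTP subresource in the page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```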
Certificate renewal
TLS certificates expire (typically 90 days for Let’s Encrypt, 1–2 years for paid certificates). An expired certificate causes most modern browsers to display a security warning and block access to the site.
Most hosts and CDNs handle renewal automatically. Self-managed servers require automated renewal scripts (such as Certbot for Let’s Encrypt).
Common misconceptions
- “SSL is what we use today.” Strictly, modern systems use TLS. “SSL” persists as the common name in casual usage.
- “HTTPS guarantees a site is safe.” It guarantees an encrypted, authenticated connection to the genuine server. The site itself can still be malicious; HTTPS does not vouch for content.
- “SSL certificates are expensive.” Free certificates from Let’s Encrypt are widely supported; paid certificates exist for specific use cases (organization validation, premium support, warranty).
- “HTTPS slows down sites.” Modern TLS adds minimal overhead, and browsers only use HTTP/2 and HTTP/3 over HTTPS; both are significantly faster than HTTP/1.1.