What is SSL/TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure communication over networks. TLS is the modern successor to SSL, but "SSL" remains commonly used to refer to both. These protocols are what make HTTPS possible: they encrypt the data exchanged between browsers and servers, protect it from tampering in transit, and let the browser verify that it is talking to the server it intended to reach.
SSL vs TLS: A Brief History
| Version | Year | Status |
|---|---|---|
| SSL 1.0 | 1994 | Never released (flawed) |
| SSL 2.0 | 1995 | Deprecated (insecure) |
| SSL 3.0 | 1996 | Deprecated (POODLE vulnerability) |
| TLS 1.0 | 1999 | Deprecated |
| TLS 1.1 | 2006 | Deprecated |
| TLS 1.2 | 2008 | Current standard |
| TLS 1.3 | 2018 | Latest, recommended |
Modern systems should use TLS 1.2 or TLS 1.3 exclusively.
How TLS Works
The TLS Handshake
1. Client Hello: Browser sends supported TLS versions and cipher suites
2. Server Hello: Server selects TLS version and cipher suite
3. Certificate: Server sends its SSL certificate
4. Key Exchange: Secure key exchange (varies by cipher suite)
5. Finished: Encrypted session established
Client Server
|-- Client Hello -------------->|
|<-- Server Hello --------------|
|<-- Certificate ---------------|
|<-- Key Exchange --------------|
|-- Key Exchange -------------->|
|-- Finished ------------------>|
|<-- Finished ------------------|
|<======= Encrypted Session ===>|
The diagram above is the TLS 1.2 flow, which needs two round trips before application data can flow. TLS 1.3 reduces this to a single round trip: the client sends its key share along with the Client Hello, so the server can answer with its own key share, certificate and Finished in one flight, improving performance.
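The first two handshake messages in code, as an added example that is not part of the original page: a Python script that encodes a Client Hello the way a client would (record header, legacy version, cipher suite list, the server_name extension that carries SNI, and the supported_versions extension TLS 1.3 uses to negotiate its version), parses it back the way a server would, and then picks the version and cipher suite the Server Hello would carry. The cipher suite and extension code points are the IANA registry values; the server's accepted versions and suites, and their preference order, are assumptions made up for this example.

```python
"""Added example: build a ClientHello, parse it, and choose what the ServerHello answers."""
import os
import struct

# Cipher suite and extension code points (IANA TLS registry values).
TLS_AES_128_GCM_SHA256 = 0x1301                   # TLS 1.3 suites live in 0x13xx
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B  # TLS 1.2 suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A            # legacy suite, no forward secrecy
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12, TLS13 = 0x0303, 0x0304

# Assumed server policy for this example: accepted versions and suites, in preference order.
SERVER_VERSIONS = (TLS13, TLS12)
SERVER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256,
                 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)


def build_client_hello(server_name, suites, versions):
    """Client side: a ClientHello (RFC 8446 4.1.2) wrapped in a TLS record (RFC 8446 5.1)."""
    body = struct.pack("!H", TLS12)                      # legacy_version is always 0x0303
    body += os.urandom(32)                               # random
    body += b"\x00"                                      # empty legacy_session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # legacy_compression_methods: null only
    host = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host   # ServerNameList, one host_name
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record):
    """Server side: pull out the fields the server needs before it can send a ServerHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                                     # skip legacy_version and random
    pos += 1 + body[pos]                                             # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                             # skip compression methods
    info = {"legacy_version": legacy_version, "cipher_suites": suites,
            "server_name": None, "supported_versions": []}
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                info["server_name"] = data[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + data[0], 2)]
    return info


def negotiate(hello):
    """What the ServerHello carries: the highest common version, then the server's preferred suite."""
    offered = hello["supported_versions"] or [hello["legacy_version"]]  # no extension means TLS 1.2 or older
    version = next((v for v in SERVER_VERSIONS if v in offered), None)
    if version is None:
        raise ValueError("no common protocol version")
    # TLS 1.3 suites are only valid for TLS 1.3, and TLS 1.2 suites only for TLS 1.2.
    candidates = [s for s in SERVER_SUITES if (0x1301 <= s <= 0x1305) == (version == TLS13)]
    suite = next((s for s in candidates if s in hello["cipher_suites"]), None)
    if suite is None:
        raise ValueError("no common cipher suite")
    return version, suite


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello(
        "example.com",
        [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA],
        [TLS13, TLS12]))
    print(hello)
    print("ServerHello would select: version=%#06x suite=%#06x" % negotiate(hello))
```

A client that offers only TLS 1.2 with the 3DES suite is refused by this server policy, which is exactly the failure a hardened server produces for an outdated client: the handshake ends with an alert instead of a Server Hello.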
SSL/TLS Certificates
What's in a Certificate?
- Subject: Domain name(s) the certificate covers
- Issuer: Certificate Authority (CA) that issued it
- Validity Period: Start and expiration dates
- Public Key: For establishing encrypted connections
- Signature: CA's cryptographic signature
Certificate Types
Domain Validated (DV): Proves domain ownership only
- Issued in minutes
- Free (Let's Encrypt) or low cost
- Shows padlock, no organization info
Organization Validated (OV): Proves the organization behind the domain exists
- Requires business verification
- Shows organization name in certificate details
- Higher trust, moderate cost
Extended Validation (EV): Strictest vetting of the organization
- Rigorous identity verification
- Previously showed green bar (browsers removed this)
- Highest cost, highest trust
The validation level changes how much the CA checked about who controls the domain; it does not change the strength of the encryption. A DV certificate protects the connection exactly as well as an EV one.
Certificate Coverage
Single Domain: Covers one domain (example.com)
Wildcard: Covers all subdomains one level deep (*.example.com matches www.example.com, but not example.com itself or a.b.example.com)
Multi-Domain (SAN): Covers multiple specific domains listed in the certificate's Subject Alternative Name extension
Implementing SSL/TLS
Free Certificates with Let's Encrypt
# Using Certbot
sudo certbot --nginx -d example.com -d www.example.com
# Auto-renewal
sudo certbot renew --dry-run
Cloud Provider Certificates
Most cloud platforms offer free, auto-renewing certificates:
- Cloudflare: Automatic for proxied domains
- AWS: Certificate Manager (ACM)
- Google Cloud: Managed SSL certificates
Certificate Verification
Browsers verify certificates by:
1. Checking the certificate chain to a trusted root CA
2. Verifying the certificate hasn't expired
3. Confirming the domain matches
4. Checking revocation status (CRL/OCSP); in practice browsers treat an unreachable revocation service as a soft failure and continue, so revocation is the weakest of the four checks
SSL/TLS Best Practices
Server Configuration
Use TLS 1.2+: Disable SSL 3.0, TLS 1.0, TLS 1.1
ssl_protocols TLSv1.2 TLSv1.3;
Strong Cipher Suites: Prefer modern, secure ciphers (ECDHE for forward secrecy, AEAD modes such as GCM)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
Note that in nginx this directive only governs TLS 1.2 and earlier; the TLS 1.3 cipher suites are fixed by OpenSSL and are all AEAD, so nothing weak can be negotiated under TLS 1.3 regardless of this list.
HSTS: Force HTTPS (see HSTS glossary entry)
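The three settings above assembled into one server block, as an added example that is not configuration from the original page. The certificate paths are the ones Certbot writes by default and the domain is a placeholder; both are assumptions, as is the HTTP-to-HTTPS redirect in the first block.

```nginx
# Added example (not from the original page). Domain and paths are placeholders.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;   # never serve content over plain HTTP
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem holds the leaf plus intermediates; sending only the leaf causes
    # the "incomplete chain" failure described below.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocol floor: SSL 3.0, TLS 1.0 and TLS 1.1 are simply not listed.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites only (TLS 1.3 suites are fixed by OpenSSL). All ECDHE + AEAD.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable, so let the client choose

    # HSTS: browsers remember to use HTTPS for max-age seconds. Only add includeSubDomains
    # once every subdomain is reachable over HTTPS, because the browser will refuse HTTP for them.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

After editing, run nginx -t before reloading; a typo in ssl_ciphers or a wrong certificate path is reported there rather than at the first client connection.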
Certificate Management
- Automate renewal: Certificates expire (90 days for Let's Encrypt)
- Monitor expiration: Set up alerts before certificates expire
- Use CAA records: Restrict which CAs can issue certificates
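Two of the browser checks above (the validity period and the hostname match), the wildcard rule from Certificate Coverage, and the expiry countdown that an expiration monitor needs, in one Python script. This is an added example, not code from the original page; the certificate is a constructed dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(), so it runs offline, and the clock value is fixed for the example. Chain building and revocation checking need the issuer certificates and network access and are deliberately left out.

```python
"""Added example: the offline parts of certificate verification, plus an expiry countdown."""
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Apr 15 23:59:59 2025 GMT",
}

# Fixed "now" for the example so the results are reproducible (assumed clock value).
EXAMPLE_NOW = ssl.cert_time_to_seconds("Feb 01 12:00:00 2025 GMT")


def hostname_matches(pattern, hostname):
    """RFC 6125 style matching: case-insensitive; a wildcard must be the entire left-most label,
    matches exactly one label, and is refused on two-label names such as *.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def check_certificate(cert, hostname, now):
    """Steps 2 and 3 of the browser check: validity window and name match.
    Returns (ok, reasons). Chain building (step 1) and revocation (step 4) are out of scope."""
    reasons = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Modern browsers ignore commonName entirely; a certificate with no SAN fails.
        reasons.append("no DNS subjectAltName")
    elif not any(hostname_matches(n, hostname) for n in names):
        reasons.append("hostname %r not covered by %r" % (hostname, names))
    return not reasons, reasons


def days_until_expiry(cert, now):
    """Whole days left on the certificate; negative once it has expired. Alert on this value."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400


if __name__ == "__main__":
    for host in ("example.com", "WWW.example.com", "a.b.example.com", "example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, EXAMPLE_NOW))
    print("days left:", days_until_expiry(SAMPLE_CERT, EXAMPLE_NOW))
```

For a live host, the same functions work on the dictionary returned by ssl.create_default_context().wrap_socket(...).getpeercert() with time.time() as the clock; wiring that into a daily job that alerts when days_until_expiry drops below 14 covers the "monitor expiration" item above.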
Checking SSL/TLS
Using DomScan:
curl "https://domscan.net/v1/health?domain=example.com"
# Returns SSL validity, issuer, expiration
Using OpenSSL (-servername sends SNI so the server returns the certificate for that name; </dev/null closes the session once the handshake is done; check for "Verify return code: 0 (ok)" in the output):
openssl s_client -connect example.com:443 -servername example.com </dev/null
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Online Tools: SSL Labs (ssllabs.com/ssltest) provides comprehensive analysis.
Common SSL Issues
Mixed Content: HTTPS page loading HTTP resources (blocked by browsers)
Certificate Mismatch: Certificate doesn't match the domain
Expired Certificate: Certificate validity period ended
Incomplete Chain: Missing intermediate certificates; the server must send the full chain, because while some browsers fetch missing intermediates themselves, command-line tools and most programming-language TLS clients do not and will reject the connection
SSL/TLS is no longer optional: all websites should use HTTPS for security and SEO benefits.