When you open a website, you see a small lock icon in the address bar. SSL and TLS are the technologies behind that lock. They are encryption protocols that secure the data traveling between your browser and the server — so even if someone intercepts it mid-journey, they see nothing but unreadable gibberish.
Whenever you send a password, credit card number, or any sensitive data, TLS encrypts it first. This happens automatically, invisibly, in milliseconds — and you never notice it.
SSL vs TLS — quick history: SSL (Secure Sockets Layer) was the original protocol, invented by Netscape in 1995. TLS (Transport Layer Security) is its successor and is what every modern website actually uses today. SSL 3.0 was deprecated in 2015 due to vulnerabilities. When people say "SSL" today they almost always mean TLS 1.2 or TLS 1.3.
1 The TLS Handshake
Before Data Moves, a Secret Is Agreed Upon
When you open https://srikanthbadavath.com, your browser and the server don't start sending data immediately. First they have a conversation, the TLS Handshake, to agree on a shared encryption key. It runs in four steps:
TLS handshake, message by message:
Browser → Server: ClientHello (TLS version + cipher list). The browser says hello and sends its supported TLS versions and a list of cipher suites it can use.
Server → Browser: ServerHello + Certificate (public key + CA signature)
Browser → Server: Key Exchange (pre-master secret, encrypted)
Server → Browser: Finished (session keys derived)
Encrypted channel established. All further data is AES-256 encrypted.
Asymmetric Encryption: Used during the handshake. Public key encrypts, private key decrypts. Safe to share the public key openly.
Symmetric Encryption: Used after the handshake. Both sides share one secret key (AES-256). 1000× faster than asymmetric.
Certificate Authority: Trusted third parties (DigiCert, Let's Encrypt) that sign the server's certificate, proving it's genuine.
Session Key: A temporary AES key negotiated each session. Thrown away afterwards (perfect forward secrecy).
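What the ClientHello's "TLS version + cipher list" looks like on the wire, as an added example (not code from this site): a parser run over a constructed, minimal ClientHello record. The sample bytes and all function names are assumptions made for illustration; the version and cipher suite code points are the IANA-registered values.

```python
import struct

# A few well-known IANA code points; anything else is shown as hex.
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
VERSIONS = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}
SUPPORTED_VERSIONS = 0x002B  # extension that carries the real version list


def u16_list(data):
    """Split a byte string into big-endian 16-bit integers."""
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]


def build_sample_client_hello():
    """Constructed sample: a minimal ClientHello offering TLS 1.3 and TLS 1.2."""
    suites = struct.pack("!4H", 0x1302, 0x1301, 0xC02F, 0x002F)
    versions = struct.pack("!2H", 0x0304, 0x0303)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(versions) + 1, len(versions)) + versions
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # legacy_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (offered versions, offered cipher suites) from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    versions = u16_list(body[0:2])                  # legacy_version, used if no extension
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # skip session id
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = u16_list(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                            # skip compression methods
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:                           # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == SUPPORTED_VERSIONS:             # 1-byte list length, then versions
            versions = u16_list(body[pos + 5:pos + 4 + elen])
        pos += 4 + elen
    return ([VERSIONS.get(v, hex(v)) for v in versions],
            [SUITES.get(s, hex(s)) for s in suites])
```

Calling `parse_client_hello(build_sample_client_hello())` returns the offered versions and suites in the client's preference order; a suite without ECDHE in its name, such as the last one in the sample, uses RSA key transport.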
2 What Encryption Actually Does
Your Password Becomes Unreadable Noise
Once the handshake completes, every byte you send is encrypted with the session key before it leaves your device. This is what an attacker actually intercepts on the wire:
Your data: Hello!
AES-256 key: a3f9…b21c
What the attacker sees: xK#9m@Lp!
AES-256 encryption — used by banks, the US military, and every HTTPS site — would take a supercomputer longer than the age of the universe to brute-force a single key. The scrambled output above is representative of what any interceptor actually receives.
3 The Man-in-the-Middle Threat
Without TLS, Anyone Between You and the Server Can Read Everything
Data on the internet travels through dozens of routers, ISPs, and networks before reaching its destination. On plain HTTP, every one of those hops can read and modify your data. This is the Man-in-the-Middle (MITM) attack.
HTTP: data is plaintext
Browser → Hacker → Server, carrying: password=abc123
Hacker reads: "password=abc123". Your data is exposed.
With HTTPS (TLS), the attacker is still in the middle — they still see packets. But every packet is AES-256 encrypted. They see random noise they can never decrypt without the session key, which is never transmitted in the clear.
4 HTTP vs HTTPS
Why the "S" in HTTPS Changes Everything
HTTP
No encryption — all data sent in plaintext
Anyone on the network can read it
No identity verification of the server
Passwords, cookies exposed to MITM
Google marks site as "Not Secure"
HTTPS
TLS encryption — data is unreadable in transit
Certificate proves server identity
Integrity: data cannot be tampered with mid-flight
Passwords and cookies are safe
Required for HTTP/2, PWAs, and SEO ranking
How does your browser know the certificate is real? When the server sends its certificate, your browser checks it against a list of trusted Certificate Authorities (CAs) built into the OS — like DigiCert, Let's Encrypt, and GlobalSign. If the signature matches and the domain matches, the connection proceeds. If not, you see the big red warning page.
5 Real-World HTTPS Everywhere
Sites You Use Every Day — All Protected by TLS
Every time you log into Gmail, check out on Amazon, push code to GitHub, or open your bank — TLS is running silently in the background. Here's exactly what it's protecting on each:
Gmail (https://gmail.com)
TLS encrypts: your password, every email body, attachments, 2FA codes — even Google's own servers route it encrypted.
✅ TLS 1.3 · AES-256-GCM · Perfect Forward Secrecy
Amazon (https://amazon.com)
TLS encrypts: credit card numbers, home address, purchase history, session cookies — without this, your card details would be plaintext on the wire.
✅ TLS 1.3 · ECDHE · Certificate Pinning
Banking (https://chase.com)
TLS encrypts: account numbers, transfer amounts, balances, routing numbers — banks use extended validation (EV) certificates for extra identity proof.
✅ EV Certificate · TLS 1.3 · HSTS Preloaded
GitHub (https://github.com)
TLS encrypts: your code, SSH keys, personal access tokens, private repositories — also used during git push over HTTPS.
✅ TLS 1.3 · HSTS · Let's Encrypt
WhatsApp Web (https://web.whatsapp.com)
TLS secures the WebSocket tunnel from browser to WhatsApp servers — on top of Signal's E2E encryption. Two encryption layers for one message.
✅ TLS + Signal Protocol — double encrypted
This Portfolio (https://srikanthbadavath.com)
TLS encrypts: contact form messages, resume downloads, every page load — even static sites need HTTPS for SEO and browser trust.
✅ Let's Encrypt · TLS 1.3 · Auto-renewed
6 The Certificate Chain of Trust
How Your Browser Knows It's Talking to the Real Site
When a server sends its certificate, your browser doesn't just trust it blindly. It traces a chain of trust back to a Root Certificate Authority, an organisation your OS already trusts. The chain looks like this:
Certificate Chain of Trust
Root CA (DigiCert Global Root): Pre-installed in your OS/browser. Trusted by 99.9% of devices worldwide. Status: Trusted
↓ signs
Intermediate CA (DigiCert SHA2): Issued by the Root CA. Signs end-entity certificates on behalf of Root. Status: Verified
↓ signs
srikanthbadavath.com: Leaf certificate. Valid domain. Expires in 90 days (Let's Encrypt auto-renews). Status: Valid
What if the chain is broken? If any certificate in the chain is expired, revoked, or signed by an untrusted CA, your browser immediately shows a red warning page ("Your connection is not private"). This protects you from fake sites pretending to be real ones.
7 The Coffee Shop Attack
Public WiFi Without HTTPS — The Hacker's Favourite Place
You're at a coffee shop. You connect to "CoffeeShop_Free_WiFi". A hacker two tables away connects to the same router. On HTTP, they can see everything you send. On HTTPS, they're completely blind.
Coffee shop WiFi attack: same network, hacker is watching
You → Router → Internet, sending: GET /login password=abc
On HTTP: hacker reads every request in plaintext from the shared router.
8 What Your Browser Checks
The 3 Security Checks Every Browser Runs Instantly
When you visit any HTTPS site, your browser silently runs three checks in milliseconds. For this site, the result looks like this:
Site: https://srikanthbadavath.com
Encryption: TLS 1.3 active
Certificate: Valid · 87 days left
Identity: Domain verified
Connection is secure: all checks passed
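The three checks written out as an added example (not code from this site): it evaluates a constructed certificate in the dict format Python's `ssl.SSLSocket.getpeercert()` returns, and assumes the TLS library has already validated the chain signatures against its trusted CA list. `SAMPLE_CERT`, the `example.test` names and both function names are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}


def hostname_matches(pattern, hostname):
    """Compare one SAN DNS name with the requested host, label by label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False                          # a wildcard never spans several labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # reject overly broad "*.tld"
    return p == h


def browser_checks(negotiated_version, cert, hostname, now):
    """Return the outcome of the encryption, certificate and identity checks."""
    ts = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "encryption": negotiated_version in ("TLSv1.2", "TLSv1.3"),
        "certificate": not_before <= ts < not_after,
        "days_left": int((not_after - ts) // 86400),
        "identity": any(hostname_matches(n, hostname) for n in dns_names),
    }


if __name__ == "__main__":
    now = datetime(2025, 1, 4, tzinfo=timezone.utc)
    print(browser_checks("TLSv1.3", SAMPLE_CERT, "www.example.test", now))
```

The `negotiated_version` strings are the ones `ssl.SSLSocket.version()` reports for a live connection.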
In Summary
Handshake: Browser & server agree on a secret key (happens in <50ms)
Encryption: All data encrypted with AES-256, unbreakable in practice
Authentication: Certificate proves you're talking to the real server
Integrity: Any tampering mid-flight is detected and rejected
The next time you see that small 🔒 in the address bar, you know exactly what happened in the 50 milliseconds before the page loaded — a four-step cryptographic handshake that made your connection private, authenticated, and tamper-proof.
TLS 1.3 — the latest version (2018) made the handshake even faster: it now takes just one round-trip instead of two. It also removed weaker cipher suites entirely, making the web more secure by default. Most modern browsers and servers have already upgraded.