Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 04. Web Foundations / 02. SSL & TLS

SSL & TLS

SSL/TLS is the technology that encrypts web traffic.

Without it:

Client -------------------> Server
          HTTP

Anyone in the middle can read everything.

With TLS:

Client ==================> Server
         Encrypted

Here is an example of the traffic generated when requesting https://google.com:

TLS

Anyone in the middle sees only ciphertext.

Encryption is the process of using mathematical algorithms and keys to transform readable data (plaintext) into an unreadable form (ciphertext), protecting the data from unauthorized access while it is stored or transmitted.


SSL vs TLS

Historically:

SSL 2.0
SSL 3.0
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3

SSL is obsolete and insecure.

Today when people say:

SSL Certificate
SSL Inspection
SSL VPN

they almost always mean TLS.


Why TLS Exists

Without TLS:

POST /login

username=admin
password=Password123

Anybody on the network could read:

  • Usernames
  • Passwords
  • Cookies
  • API keys
  • Banking data

TLS prevents this.


What TLS Actually Provides

TLS provides:

Confidentiality

Only the endpoints can read the data.


Integrity

Traffic cannot be modified unnoticed.


Authentication

The client can verify who the server is.


Certificates

When you connect to:

https://google.com

Google presents a certificate.

A certificate contains:

  • Domain name
  • Public key
  • Issuer
  • Expiration date

Example:

Subject: google.com
Issuer: DigiCert
Expires: 2027

Certificate Authorities (CA)

Why do we trust Google's certificate?

Because it is signed by a trusted Certificate Authority.

Examples:

  • DigiCert
  • GlobalSign
  • Sectigo
  • Let's Encrypt

Your operating system contains a list of trusted root CAs.


Certificate Chain

Typically:

Root CA
    ↓
Intermediate CA
    ↓
Server Certificate

Example:

DigiCert Root
    ↓
DigiCert Intermediate
    ↓
google.com

The browser verifies the entire chain.


Public and Private Keys

The server owns:

Private Key

and publishes:

Public Key

The public key is embedded inside the certificate.

Certificate
    └── Public Key

The private key never leaves the server.


TLS Handshake

Before encrypted communication starts:

Client
Server

must agree on encryption settings.

This process is called:

TLS Handshake

Simplified TLS Handshake

Client:

Hello
I support:
TLS1.2
TLS1.3
AES
CHACHA20

Server:

I choose:
TLS1.3
AES256

Server:

Here is my certificate

Client:

Certificate trusted?
Domain matches?
Not expired?

If yes:

Generate shared secrets

Communication begins.


Session Keys

The certificate key is NOT used to encrypt all traffic.

Instead:

Certificate
    ↓
Handshake
    ↓
Session Key

A temporary session key is generated.

That key encrypts the actual traffic.


Perfect Forward Secrecy

Modern TLS uses ephemeral key exchanges.

Usually:

ECDHE

This means:

Even if the server's private key is stolen later...

Past sessions remain secure.

This is called:

Perfect Forward Secrecy

TLS Versions

Avoid:

SSL 2.0
SSL 3.0
TLS 1.0
TLS 1.1

Current standards:

TLS 1.2
TLS 1.3

TLS 1.3 is preferred.


Cipher Suites

A cipher suite defines:

  • Key exchange
  • Authentication
  • Encryption
  • Integrity algorithms

Example:

TLS_AES_256_GCM_SHA384

Meaning:

AES-256
GCM Mode
SHA384

Modern TLS 1.3 simplified cipher suite selection significantly.


TLS Inspection

Some organizations decrypt TLS traffic.

Example:

Employee
    ↓
Corporate Proxy
    ↓
Internet

The proxy:

  1. Terminates TLS
  2. Reads traffic
  3. Creates a new TLS session

This is often called:

SSL Inspection
TLS Inspection
MITM Proxy

Tools:

  • Burp Suite
  • Zscaler
  • Blue Coat
  • Netskope

Self-Signed Certificates

A certificate can sign itself.

Example:

CN=DC-1
Issuer=DC-1

Browsers typically display:

Connection not private

because the issuer is not trusted (e.g. the little lock in the top-left corner).


Common Certificate Errors

Expired

Certificate expired

Wrong Hostname

Certificate:

google.com

Accessing:

mail.google.com

may fail if not covered.


Untrusted CA

Certificate issued by unknown authority.


Let's Encrypt

Let's Encrypt provides free trusted certificates.

Very common in modern infrastructure.

Most websites today use:

Let's Encrypt

or a commercial CA.