What Does SSL Mean & How Does It Work?

If the connection isn’t encrypted, a snooper could read the information that’s sent back and forth. They may even be able to add themselves as a stopping point in the middle and insert ads into what you see or infect your computer with malware.

One way you can limit your risk is to only visit websites that will create an encrypted connection with your device using secure sockets layer (SSL) protocols.

What is SSL?

Secure sockets layer (SSL) is a cryptographic protocol—i.e., a set of rules—that can create an encrypted connection between a server and a client. While it has different use cases, SSL is often used to encrypt the Hypertext Transfer Protocol (HTTP) and create secure connections between your device’s web browser and the internet.

When HTTP is secured, it’s called HTTPS—HTTP Secure. You can look for the “S” in your browser’s URL to verify that the connection is secure. Some browsers also use a padlock icon to indicate when there’s a secured connection. However, some browsers are phasing out the symbol as users may misconstrue it to mean the site is trustworthy.

While HTTPS indicates you have a secure connection, it doesn’t mean the website is safe. For example, you might have an encrypted connection to a site that’s up to phish (i.e., trick you into sharing info) or infect your computer with malware.

Origins of SSL and TLS

The SSL cryptographic protocols date back to 1995, when Netscape developed the first publicly available version of SSL, SSL 2.0. (Netscape created SSL 1.0, but it wasn't publicly released). Several years later, Netscape also released an updated SSL 3.0.

In 1999, the International Internet Engineering Task Force (IETF) formed a working group to create a standardized SSL protocol. Having a standard is important because you don’t know which web browser a person will use when visiting a website. If there are competing protocols, a website might only be able to create secure connections with certain web browsers.

The IETF initially set out to release SSL 3.1. However, it changed the name to “Transport Layer Security” (TLS) to create a clear separation from Netscape’s original name. However, while TLS is the successor to SSL, the SSL name has stuck as a colloquial term when discussing either SSL or TLS.

As of January 2022, there have been six publicly released versions of these encryption protocols:

• 1995—SSL 2.0
• 1996—SSL 3.0
• 1999—TLS 1.0
• 2006—TLS 1.1
• 2008—TLS 1.2
• 2018—TLS 1.3

These protocols are periodically updated to add security measures, patch vulnerabilities, and make the protocol more efficient. As new versions are released, older ones may become obsolete.

For example, major web browsers like Chrome, Firefox, Edge, and Safari no longer support TLS 1.0 or 1.1 (or SSL versions). You may receive a warning message if you try to connect to a site that’s using an older security protocol. Or, you might not be able to visit the site at all.

How does SSL work?

The SSL protocols work because they’re a known and shared standard for how the client (usually your web browser) and the server will create a secure connection. When you first connect to a website, there’s an initial SSL handshake—an exchange that sets the ground rules for the SSL connection.

Several things happen during the handshake:

• Choose the protocol and cipher suite. Both parties share and decide on which version of TLS and cipher suite to use for the connection. Each may support multiple protocols and cipher suites, and they will use the most secure option available.
• Create a secret key. Both parties have a public key and private key, and there’s a key exchange. They will create a secret or session key that will be used to encrypt and decrypt the data.
• Authentication. In some cases, authentication goes both ways. But when browsing the internet, it’s generally just the web browser trying to authenticate the web server using its SSL certification. Authentication helps ensure that the web server you’re connecting to isn’t an imposter.

The entire process might take less than half a second, and from that point on, your connection is encrypted. The process restarts every time your browser tries to connect with a new web server, and may be periodically refreshed to ensure the connection remains secure.

What is an SSL certificate?

A service will use an SSL certificate to authenticate itself during the SSL handshake and to share its public key with your web browser. If the website doesn’t have a valid SSL certificate, you won’t be able to establish a secure connection.

Someone who owns or runs a website can apply for an SSL certificate from a certificate authority (CA), and the certificate could include:

• The server’s domain name and associated subdomains
• The person or organization that requested the certificate
• The public key
• The CA’s name and digital signature
• The certificate’s issue and expiry date

But remember, even if you have a secure connection, the system isn’t secure if you can’t be certain of who is on the other side of the connection.

To resolve this potential problem, your web browser or operating system has a list of trusted root certificate authorities. There are often multiple SSL CAs involved in the process, but the root CA sits at the top of the certificate chain and helps authenticate the entire chain.

If your browser doesn’t see that a root CA authenticated the server, it might warn you that the connection isn’t secure or block the connection.

Types of SSL certificates

When a person or business applies for an SSL certificate, they may be able to choose from different types and validation levels. Some organizations, such as the non-profit Let’s Encrypt, offer SSL certificates for free. But others may charge for the certificate or renewal.

SSL certificates are generally categorized by several types:

• Single-domain SSL certificate. An SSL certificate you can get to use with one domain. It can be used on multiple pages, for example, Neeva.com and Neeva.com/learn.
• Wildcard SSL certificate. An SSL certificate you can get to use with one domain and its subdomains, such as example.neeva.com
• Multi-domain SSL certificate. One SSL certificate that you can use to certify multiple domains that aren’t connected.

They may also be offered or sold with three validation levels:

• Domain validation. The most-basic validation level simply requires proving that you control the domain when you apply for the certificate. The CA may automate the validation process for domain validation.
• Organization validated. A more stringent validation that may involve the CA directly reaching out to the business to verify its information.
• Extended validation. The most extensive validation level, which could require a background check on the business and its owners.

The type of certificate isn’t an indication of how secure the connection is or whether the website is safe. In many cases, it may be more important for website owners than visitors.

The move toward SSL everywhere

Originally, SSL was seen as an extra security measure rather than the norm. Sites that collected users’ information or handled sensitive data might use SSL, but other sites used non-secure HTTP instead. However, there’s been a movement toward using HTTPS for every website—including sites that don’t collect any personal data. Google even uses SSL as a ranking factor, meaning it can impact where a site shows up in search engine results.

You may have noticed this change without realizing it. Until several years ago, many browsers would turn a website’s URL green to indicate an HTTPS connection. If the domain had an extended validation SSL certificate, it would also include the company’s name in the address bar. However, the green bar was discontinued, partially because of a shifting view toward making SSL the norm.

Today, some popular internet browsers default to trying to create a secure connection, even if it’s not the website's preference. You could also install the HTTPS Everywhere browser extension or choose the HTTPS-only mode in certain browsers to make encryption the default while you’re browsing.

As secure connections have become the rule rather than the exception, most web browsers now highlight when a connection is insecure. You might see a large warning when a site doesn’t have a valid SSL certificate or hasn’t enabled HTTPS—the warning might even take over your entire page.

If a site only supports older versions of SSL or TLS, your browser might block the website completely. But depending on the browser and circumstances, you might be able to bypass the warning and continue. Proceed with caution. Even if you don’t send any personal information, visiting the site could make you more susceptible to certain types of cyberattacks.

HTTPS or not, remember the big picture. SSL means secure—not safe. An HTTPS connection with a well-known company, such as your bank, can give you confidence that you’re connected to the correct server. But only if you typed in the URL yourself or clicked on a link from a trusted source.

You still want to play it safe online, especially when sharing personal information. Someone could send you a phishing email that contains a link to a website that uses SSL and looks nearly identical to your bank’s website. If you’re not careful, you might try to log in and accidentally share your account information with a scammer.

Ready to protect your privacy online and use a browser or search engine that has your best interests in mind. Try Neeva, the world’s first private, ad-free search engine. We will never sell or share your data with anyone, especially advertisers, and we are committed to showing you the best results for every search.