TLS vs. HTTPS


By Charles Joseph | Cybersecurity Researcher
Published on April 11th, 2023
This post was updated on November 25th, 2023

TLS (Transport Layer Security) and HTTPS (Hyper Text Transfer Protocol Secure) are closely related concepts used in the context of securing data communication over the internet.

While they are often mentioned together, they serve different purposes.


TLS

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication between two parties (e.g., a client and a server) over a computer network.

It ensures that the data being transmitted is confidential, authenticated, and has not been tampered with.

TLS is the successor to the older SSL (Secure Sockets Layer) protocol, and the two names are often used interchangeably, although SSL is considered deprecated.

HTTPS

Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the HTTP protocol, which is the foundation of data communication on the World Wide Web.

HTTPS uses TLS (or, in older cases, SSL) to encrypt the communication between the client (typically a web browser) and the server.

When you see a website URL starting with “https://” in your browser’s address bar, it indicates that the connection is secured by TLS/SSL, and any data transmitted between you and the website is encrypted and secure.

TLS is a security protocol that provides encryption and authentication for data transmission over a network, while HTTPS is a secure implementation of the HTTP protocol that uses TLS to protect the data being transmitted between a client and a server.

HTTP (Which Doesn’t Use TLS) and HTTPS (Which Uses TLS)

How HTTP Works

  1. Client: Sends an HTTP request to “http://example.com”
  2. Server: Receives the request and sends back the requested data as an HTTP response
  3. Client: Receives the data and displays the website content; in this scenario, the data transmission is not encrypted, making it vulnerable to eavesdropping and tampering

Illustration of HTTP

Client (browser) -> Server (website)
GET /index.html HTTP/1.1
Host: example.com

Server -> Client
HTTP/1.1 200 OK
Content-Type: text/html

<!DOCTYPE html>
<html>
<head>
<title>Example Website</title>
</head>
<body>
<p>Welcome to the example website!</p>
</body>
</html>

How HTTPS Works

  1. Client: Sends an HTTPS request to “https://example.com”
  2. Server: Responds with its TLS certificate, which includes the server’s public key and other information that helps establish a secure connection
  3. Client: Validates the certificate and, if trusted, generates a symmetric key, encrypts it with the server’s public key, and sends it back to the server
  4. Server: Decrypts the symmetric key using its private key; both the client and the server now have the same symmetric key to encrypt and decrypt the data
  5. Client and Server: They use the established symmetric key to encrypt and decrypt all data transmitted between them, ensuring confidentiality, authentication, and integrity
  6. Client: Receives the encrypted data, decrypts it, and displays the website content

Illustration of HTTPS

Client (browser) -> Server (website)
TLS Handshake: Establish a secure connection using certificates and encryption keys

Client -> Server (Encrypted with TLS)
GET /index.html HTTP/1.1
Host: example.com

Server -> Client (Encrypted with TLS)
HTTP/1.1 200 OK
Content-Type: text/html

<!DOCTYPE html>
<html>
<head>
<title>Example Secure Website</title>
</head>
<body>
<p>Welcome to the example secure website!</p>
</body>
</html>

In this example, HTTPS and TLS work together to secure the data communication between the client and the server.

The data is encrypted, preventing eavesdropping and tampering, and the client can trust that it is communicating with the legitimate server.

An important point to note is that the URL path is encrypted in HTTPS communication, which makes it invisible to any intermediaries on the internet who might have the capability to intercept your traffic.

Simplified Illustration of an HTTPS Connection

Here’s a simplified illustration of HTTPS communication in 8 steps between a client (e.g., a web browser) and a server (e.g., a website) using a domain name:

  1. The client opens a connection to the server by entering the domain name in the browser’s address bar, such as “https://example.com.”
  2. The browser starts the DNS resolution process to obtain the server’s IP address:
     a. The browser first checks its DNS cache to see if it already has the IP address for the domain.
     b. If not, it sends a DNS query to its configured DNS resolver.
     c. The DNS resolver may also have the IP address cached, or it will perform a recursive query to the root, top-level domain (TLD), and authoritative DNS servers to find the IP address for the domain.
  3. Once the browser has the IP address, it establishes a TCP connection with the server at the destination IP address on port 443 (the default port for HTTPS).
  4. The browser initiates the TLS handshake process with the server to establish a secure connection:
     a. The client sends a ClientHello message, which includes the protocol version, supported cipher suites, and other information.
     b. The server responds with a ServerHello message, selecting the protocol version, cipher suite, and other parameters from the client’s list.
     c. The server sends its digital certificate, which includes its public key and information about the domain and issuing CA.
     d. The browser validates the server’s digital certificate.
     e. The client and server perform a key exchange (e.g., Diffie-Hellman or ECDHE) to establish a shared secret (the premaster secret).
     f. Both the client and server use the premaster secret to derive the symmetric encryption keys (for data encryption and MAC) and start encrypting the communication.
  5. With the secure connection established, the browser sends an HTTP request to the server, such as “GET /index.html,” over the encrypted TLS channel.
  6. The server processes the request and sends the HTTP response (e.g., the content of the “index.html” file) over the encrypted TLS channel.
  7. The browser decrypts the received data, renders the content, and displays it to the user.
  8. The client and server continue to exchange data securely over the TLS connection until the connection is closed.

This illustration provides a high-level overview of the steps involved in HTTPS communication using a domain name.

In practice, each step may involve additional details and complexities, but the core concepts remain the same.
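
As an added example (not part of the original post), the following Python code builds a real ClientHello in memory with the standard `ssl` module, without touching the network, and parses the fields named in step 4a. It shows what a passive observer can read before encryption starts: the offered cipher suites and the server name (SNI), but not the URL path, which is only sent in step 5. The function names and the sample hostname are illustrative.

```python
import ssl
import struct


def client_hello_bytes(hostname):
    """Build a real ClientHello in memory; nothing is sent on the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a ServerHello
    return outgoing.read()


def parse_client_hello(record):
    """Return the fields a passive observer can read from the first record."""
    ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or record[5] != 1:  # 22 = handshake, 1 = ClientHello
        raise ValueError("not a ClientHello record")
    body = record[9:5 + rec_len]  # skip record header (5) + handshake header (4)
    pos = 2 + 32                  # legacy_version + random
    pos += 1 + body[pos]          # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = [struct.unpack_from("!H", body, pos + 2 + i)[0]
              for i in range(0, cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]          # compression_methods
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end, sni = pos + ext_total, None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:  # server_name: list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack_from("!H", body, pos + 3)
            sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return {"cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    raw = client_hello_bytes("example.com")  # constructed sample input
    info = parse_client_hello(raw)
    print("SNI visible on the wire:", info["sni"])
    print("cipher suites offered:", [hex(s) for s in info["cipher_suites"]])
    print("path in handshake bytes:", b"/index.html" in raw)
```

The hostname appears in cleartext in the ClientHello, so HTTPS hides the path and content of a request from intermediaries but not which site is being contacted.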
