SSL / TLS
TLS (Transport Layer Security — SSL is its deprecated predecessor) wraps a plain TCP byte stream in confidentiality, integrity, and authentication. This page is meant to be poked at: zoom into the packet fields, and step through the handshakes.
1 · Where TLS sits
TLS is a thin shim between TCP and your application. The app writes plaintext; TLS turns it into encrypted records; TCP just carries the bytes.
2 · The record — zoom into the bytes
Everything TLS sends is a record: a 5-byte header (type, version, length)
followed by a payload. Depending on the content type, that payload is a
handshake message, an alert, a change-cipher-spec, or your encrypted application
data. Click the boxes marked ⤢ to zoom all the way down into a ClientHello
and its extensions.
3 · The handshake (TLS 1.2)
Before any application data flows, the two sides negotiate a version and cipher
suite, authenticate the server, and agree on keys. Step through the classic
TLS 1.2 handshake below — notice the 🔒 line where traffic flips from
plaintext to encrypted (right after ChangeCipherSpec).
4 · TLS 1.2 vs TLS 1.3
TLS 1.3 collapsed the handshake to one round trip and encrypts almost all of
it. The server's Certificate — visible on the wire in 1.2 — is now hidden.
Toggle between the two and step through to feel the difference.
5 · Reading a cipher suite
A TLS 1.2 cipher suite is a dense string that names every cryptographic choice at once. Hover each segment to decode it.
TLS 1.3 simplified this. Key exchange and authentication are negotiated in separate extensions, so a 1.3 suite only names the AEAD + hash — e.g.
TLS_AES_128_GCM_SHA256. All 1.3 suites are AEAD with forward secrecy by design.
6 · Record & alert types
The one-byte Content Type at the front of every record selects one of four sub-protocols:
An Alert record is just two bytes:
7 · Resumption & 0-RTT
Doing a full handshake on every connection is wasteful. If the client has talked to this server before, it holds a pre-shared key (a session ticket) and can skip the certificate and key exchange entirely. TLS 1.3 goes further: with 0-RTT the client sends application data in its very first packet.
The 0-RTT catch: early data has no protection against replay — an attacker can capture that first flight and send it again. So 0-RTT is only safe for idempotent requests (a
GET, not aPOST /transfer).