Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

SSL / TLS

TLS (Transport Layer Security — SSL is its deprecated predecessor) wraps a plain TCP byte stream in confidentiality, integrity, and authentication. This page is meant to be poked at: zoom into the packet fields, and step through the handshakes.

1 · Where TLS sits

TLS is a thin shim between TCP and your application. The app writes plaintext; TLS turns it into encrypted records; TCP just carries the bytes.

ApplicationHTTP · SMTP · IMAP …GET / HTTP/1.1
▼ plaintext handed down
TLShandshake + record layer🔒 encrypt · authenticate · fragment into records
▼ ciphertext records
TCPreliable, ordered byte stream…just carries the bytes…

2 · The record — zoom into the bytes

Everything TLS sends is a record: a 5-byte header (type, version, length) followed by a payload. Depending on the content type, that payload is a handshake message, an alert, a change-cipher-spec, or your encrypted application data. Click the boxes marked to zoom all the way down into a ClientHello and its extensions.

3 · The handshake (TLS 1.2)

Before any application data flows, the two sides negotiate a version and cipher suite, authenticate the server, and agree on keys. Step through the classic TLS 1.2 handshake below — notice the 🔒 line where traffic flips from plaintext to encrypted (right after ChangeCipherSpec).

4 · TLS 1.2 vs TLS 1.3

TLS 1.3 collapsed the handshake to one round trip and encrypts almost all of it. The server's Certificate — visible on the wire in 1.2 — is now hidden. Toggle between the two and step through to feel the difference.

5 · Reading a cipher suite

A TLS 1.2 cipher suite is a dense string that names every cryptographic choice at once. Hover each segment to decode it.

TLS 1.3 simplified this. Key exchange and authentication are negotiated in separate extensions, so a 1.3 suite only names the AEAD + hash — e.g. TLS_AES_128_GCM_SHA256. All 1.3 suites are AEAD with forward secrecy by design.

6 · Record & alert types

The one-byte Content Type at the front of every record selects one of four sub-protocols:

22HandshakeNegotiation messages (§3). ClientHello, Certificate, Finished …
20ChangeCipherSpecOne-byte "keys are hot now" signal. Legacy in 1.3.
21AlertWarnings and fatal errors — structure below.
23Application DataYour encrypted payload. The whole point.

An Alert record is just two bytes:

7 · Resumption & 0-RTT

Doing a full handshake on every connection is wasteful. If the client has talked to this server before, it holds a pre-shared key (a session ticket) and can skip the certificate and key exchange entirely. TLS 1.3 goes further: with 0-RTT the client sends application data in its very first packet.

The 0-RTT catch: early data has no protection against replay — an attacker can capture that first flight and send it again. So 0-RTT is only safe for idempotent requests (a GET, not a POST /transfer).