The padlock icon in a browser’s address bar represents a specific technical process — Transport Layer Security — that runs after DNS has resolved a domain to an IP address but before any actual web page data is exchanged. It’s worth understanding what that process actually verifies, and what it doesn’t.
TLS versus SSL: naming, not two different things in use today
SSL (Secure Sockets Layer) was the original protocol for encrypting connections; TLS (Transport Layer Security) is its formal successor, and all versions of SSL are now considered insecure and obsolete. “SSL” persists in casual usage — and in product names, like “SSL certificates” — almost entirely out of habit; what’s actually running behind essentially every secure connection today is TLS. The Mozilla Developer Network’s overview of Transport Layer Security documents the current protocol in detail.
What TLS actually protects
TLS provides three things for a connection: encryption (data in transit can’t be read by anyone intercepting it), integrity (data can’t be silently modified in transit without detection), and authentication (the client can verify it’s actually talking to the server it intended to, not an impostor). It’s worth being precise about scope: TLS protects data in transit between two points. It says nothing about how securely that data is stored once it arrives, or whether the server itself is trustworthy with what it does with the data after decrypting it.
What happens during the handshake
Before any encrypted application data flows, the client and server perform a handshake — a negotiation that establishes a shared encryption key and verifies identity, using public-key cryptography. At a high level:
- The client and server agree on which TLS version and encryption methods (cipher suite) to use.
- The server presents its certificate — issued by a trusted certificate authority — which the client verifies to confirm the server is actually who it claims to be, rather than an impostor intercepting the connection.
- Client and server use public-key cryptography to establish a shared secret key, without ever transmitting that key itself in a way an eavesdropper could capture.
- From that point on, all traffic is encrypted using that shared key, via faster symmetric encryption, for the rest of the connection.
Modern TLS (version 1.3, the current standard) reduced the number of round trips this negotiation requires compared to earlier versions, which matters directly for the latency users experience when first connecting to a service — fewer round trips before the connection is ready to carry real data means a faster perceived load time.
Why certificate validity matters
The certificate step is what actually prevents a specific, realistic attack: someone intercepting a connection and impersonating the intended server. A certificate is issued by a trusted certificate authority specifically to vouch for the identity of whoever holds it, and browsers maintain a list of authorities they trust to make that determination. An expired, misconfigured, or self-signed (unverified) certificate breaks this chain of trust, which is why browsers show explicit warnings rather than silently proceeding — the entire security guarantee TLS provides depends on that identity check actually succeeding.
Where TLS termination happens in a real architecture
In a typical cloud deployment, TLS is often “terminated” — decrypted — at a load balancer or CDN edge, discussed in Load Balancing Explained and What Is a CDN?, rather than at the application server itself. Traffic between the edge and the origin may then run over a separate, often still-encrypted connection. Understanding where termination happens matters for reasoning about exactly which network segments are encrypted and which aren’t in a given architecture.
Key takeaway
TLS encrypts and authenticates connections in transit through a handshake that verifies server identity via a certificate and establishes a shared encryption key before any real data is exchanged. “SSL” is a legacy name for a now-obsolete predecessor protocol; the actual mechanism protecting connections today is TLS, most commonly version 1.3.
This article explains a general security protocol; specific implementation and configuration details vary by platform. See our disclaimer.