About TLS / HTTPS Basics

Handshake, certs, Let's Encrypt, hardening to A+. Part of the DevTools Surf developer suite. Browse more tools in the Info / Guides collection.

Use Cases

• DevOps engineers setting up HTTPS for production web servers
• Full-stack developers understanding certificate chains and pinning
• Security teams hardening TLS configurations to prevent downgrade attacks
• Startup founders getting free HTTPS certificates via Let's Encrypt

Tips

• Follow the Let's Encrypt setup steps for free automated certificates
• Check the hardening checklist to reach an A+ rating on SSL Labs
• Review the handshake diagram to understand certificate validation flow

Fun Facts

• TLS 1.0 was published in 1999 as an upgrade to Netscape's SSL 3.0. TLS 1.3 (RFC 8446, August 2018) reduced the handshake from 2 round trips to just 1.
• Let's Encrypt, launched in April 2016 by the EFF and Mozilla, has issued over 4 billion certificates and drove HTTPS adoption from 40% to over 95% of web traffic.
• The Heartbleed bug (CVE-2014-0160) in OpenSSL affected an estimated 17% of all HTTPS servers worldwide and led to the creation of the Core Infrastructure Initiative.

FAQ

What does the handshake do?

Client and server negotiate cipher, exchange public keys, verify the server's cert against a trusted CA, and derive a session key for symmetric encryption. ~1 round trip with TLS 1.3.

Why do I need a certificate?

Proves the server is who it says it is. Lets clients encrypt to a known recipient. Without it, traffic can be intercepted or modified in transit.

Let's Encrypt?

Free, automated, trusted CA. 90-day certs (short for security). Use certbot or Caddy's auto-TLS. Has replaced paid CAs for most use cases.

How do I get A+ on SSL Labs?

TLS 1.3 only, modern ciphers, HSTS with includeSubDomains, forward secrecy, OCSP stapling. The test gives actionable guidance for each.