What is SSL/TLS?
What is SSL/TLS and how does the handshake work? Learn certificates, symmetric vs asymmetric keys, and why HTTPS depends on it.
Expected Interview Answer
SSL/TLS is a cryptographic protocol that encrypts data in transit between a client and server, verifies the server’s identity using certificates, and ensures the data has not been tampered with — it is what turns HTTP into HTTPS.
TLS (the modern successor to the deprecated SSL) begins with a handshake where the client and server agree on a cipher suite, the server presents a certificate signed by a trusted certificate authority to prove its identity, and both sides derive a shared symmetric session key using asymmetric cryptography without ever transmitting that key in plaintext. Once the handshake completes, all subsequent application data is encrypted with the fast symmetric key, giving both confidentiality and integrity via message authentication codes. Modern TLS 1.3 shortens the handshake to a single round trip and removes support for older, weaker cipher suites that were vulnerable to downgrade attacks. Interviewers ask this to check whether a candidate understands the handshake flow, the role of certificates, and why asymmetric and symmetric cryptography are combined rather than using just one.
- Encrypts data in transit for confidentiality
- Verifies server identity via trusted certificates
- Detects tampering through message integrity checks
- Combines asymmetric handshake speed with symmetric bulk encryption
AI Mentor Explanation
SSL/TLS is like verifying an umpire’s official accreditation badge (the certificate) before trusting any decision they make, then agreeing on a private hand-signal code (the session key) that only the two captains understand for the rest of the match. Anyone watching from the stands sees signals exchanged but cannot decode the actual instructions being passed. Once that private code is set up through the initial verification, every subsequent signal during play is fast and secure because both sides already trust the shared code.
Step-by-Step Explanation
Step 1
Client Hello
Client proposes supported TLS versions and cipher suites to the server.
Step 2
Server certificate
Server responds with its certificate, signed by a trusted certificate authority, proving its identity.
Step 3
Key exchange
Both sides derive a shared symmetric session key using asymmetric cryptography, without sending the key in plaintext.
Step 4
Encrypted application data
All further data is encrypted and integrity-checked using the fast symmetric session key.
What Interviewer Expects
- Understanding the handshake sequence at a high level
- Knowing certificates prove server identity via a trusted CA
- Explaining why symmetric keys handle bulk data after an asymmetric handshake
- Awareness that TLS supersedes the deprecated SSL
Common Mistakes
- Using "SSL" and "TLS" interchangeably without noting SSL is deprecated
- Saying the entire session uses asymmetric encryption
- Forgetting the certificate authority’s role in trust
- Not mentioning integrity checks, only confidentiality
Best Answer (HR Friendly)
“SSL/TLS is the technology that turns HTTP into HTTPS — it encrypts the data flowing between your browser and a website, checks the website’s certificate to make sure it is really who it claims to be, and makes sure nobody can tamper with the data in between. It is why you see the padlock icon in your browser.”
Code Example
# View the certificate chain and negotiated TLS version
openssl s_client -connect example.com:443 -servername example.com < /dev/null
# Quick check of certificate expiry
echo | openssl s_client -connect example.com:443 2>/dev/null \
| openssl x509 -noout -datesFollow-up Questions
- How does TLS 1.3 reduce the handshake to one round trip?
- What is the difference between a self-signed certificate and a CA-signed one?
- How does certificate pinning protect against a compromised CA?
- What is a man-in-the-middle attack and how does TLS prevent it?
MCQ Practice
1. What does a TLS certificate primarily prove?
A certificate, signed by a trusted CA, proves the server is who it claims to be during the handshake.
2. After the TLS handshake completes, what type of key encrypts the bulk application data?
A fast symmetric session key, derived during the handshake, encrypts the ongoing application data.
3. Which statement about SSL and TLS is accurate?
TLS replaced SSL after SSL versions were found to have serious security vulnerabilities.
Flash Cards
SSL/TLS in one line? — A protocol that encrypts data in transit and verifies server identity via certificates.
What proves server identity? — A certificate signed by a trusted certificate authority.
Which key type encrypts bulk data after the handshake? — A symmetric session key.
Is SSL still recommended? — No — TLS is the modern, secure successor; SSL is deprecated.