Blog

Inside the TLS Handshake: How HTTPS Earns Your Trust

HTTPS is TLS wrapped around HTTP, and the handshake that begins each connection quietly solves authentication, key exchange, and encryption negotiation in milliseconds.

March 22, 20266 min readMuhammad Shehzaib
NETWORKINGTLSHTTPSSECURITY

When your browser shows a padlock, an enormous amount of cryptographic negotiation has already happened beneath it. HTTPS is simply HTTP carried inside TLS, the Transport Layer Security protocol, which sits between TCP and your application data. TLS solves three intertwined problems at once: confidentiality so eavesdroppers cannot read the traffic, integrity so it cannot be silently altered, and authentication so you know you are actually talking to the server you intended rather than an impostor. All three are established by the TLS handshake, a short negotiation at the start of the connection that agrees on a cipher, proves the server's identity with a certificate, and derives shared encryption keys. As a backend developer you configure certificates, choose protocol versions, and debug handshake failures, so understanding what actually happens turns cryptic errors into solvable problems.

What TLS Sits On Top Of

TLS is a layer that wraps an existing reliable transport, almost always TCP, and presents an encrypted byte stream to the application above it. The sequence for an HTTPS request is therefore: complete the TCP three-way handshake first, then perform the TLS handshake over that connection, and only then send the actual HTTP request inside the encrypted channel. This layering is why HTTPS historically cost extra round trips compared to plain HTTP, and why connection reuse matters so much. TLS does not care that the payload is HTTP; the same protocol secures SMTP, database connections, and gRPC. It provides record-layer framing that breaks the stream into encrypted, integrity-protected records. Once the handshake completes, every record is authenticated and encrypted, so an attacker on the path can see only that encrypted records are flowing between two addresses, not their contents.

ClientHello Starts It

The handshake opens with the client sending a ClientHello message in the clear. This message advertises the highest TLS version the client supports, a list of cipher suites it can use ordered by preference, a random value used later in key derivation, and a set of extensions. Two extensions matter enormously in practice. Server Name Indication carries the hostname the client wants, which lets one server hosting many domains on one IP present the correct certificate; without it, virtual hosting over HTTPS would be impossible. The Application-Layer Protocol Negotiation extension lets the client and server agree on whether to speak HTTP/1.1 or HTTP/2 during the same handshake, avoiding an extra negotiation. The ClientHello essentially lays out everything the client can do, and the server's job is to pick a mutually acceptable subset from it.

ServerHello And Certificate

The server responds with a ServerHello that selects one cipher suite from the client's list and the protocol version both will use, plus its own random value. It then sends its certificate, which contains the server's public key and identifying information like the domain name, all signed by a certificate authority. In modern TLS the server also sends key-exchange parameters and a signature proving it holds the private key matching the certificate. The certificate is the heart of authentication: it binds a public key to a domain name, and that binding is vouched for by an authority the client already trusts. Crucially the private key never leaves the server and is never transmitted, so even a full recording of the handshake reveals nothing that lets an attacker impersonate the server later or decrypt the session.

How Certificates Prove Identity

A certificate alone proves nothing; trust comes from the chain behind it. Your operating system and browser ship with a list of trusted root certificate authorities. The server's certificate is signed by an intermediate authority, which is in turn signed by a root in that trusted store, forming a chain. The client verifies each signature up the chain until it reaches a trusted root, confirming that a recognized authority vouched for this domain's public key. It also checks that the certificate has not expired, that the requested hostname matches a name in the certificate, and increasingly that the certificate has not been revoked. A common production error is forgetting to send the intermediate certificates, so the client cannot complete the chain to a root even though the leaf certificate is valid, producing confusing trust failures that work in some clients but not others.

Deriving The Session Keys

Authentication establishes who you are talking to, but the connection still needs a shared secret to encrypt data, and that secret must be created without ever transmitting it. Modern TLS uses ephemeral Diffie-Hellman key exchange, where each side contributes a public value and combines it with its own private value to independently compute the same shared secret, which is never sent across the wire. Because the keys are ephemeral, generated fresh for each session and discarded afterward, recording the traffic today and stealing the server's private key tomorrow still will not let an attacker decrypt past sessions. This property is called forward secrecy and is now standard. The shared secret, mixed with the client and server random values exchanged earlier, is fed through a key derivation function to produce the symmetric keys that actually encrypt the bulk of the connection.

Symmetric Encryption Takes Over

The public-key cryptography in the handshake is computationally expensive, so it is used only to authenticate and to agree on keys, not to encrypt the actual data. Once both sides hold the derived symmetric keys, they switch to a fast symmetric cipher, today almost always an authenticated encryption mode like AES-GCM or ChaCha20-Poly1305. These modes encrypt and authenticate each record together, so any tampering is detected and the record rejected, which delivers both confidentiality and integrity in one operation. Symmetric encryption is orders of magnitude faster than the asymmetric math used during setup, and on modern hardware AES is accelerated by dedicated CPU instructions, making the per-byte cost of HTTPS negligible compared to the one-time handshake cost. This split, expensive asymmetric setup followed by cheap symmetric bulk transfer, is the fundamental design pattern of practical secure communication.

TLS 1.3 Cut A Round Trip

Older TLS versions needed two full round trips to complete the handshake before any application data could flow, adding noticeable latency on top of the TCP handshake. TLS 1.3, the current standard, redesigned the flow to finish in a single round trip. The client sends its key-exchange guess optimistically in the ClientHello, betting on which parameters the server will accept, so the server can reply with everything needed to start encrypting immediately. TLS 1.3 also pruned the cipher suite list down to a handful of modern, secure options, removing legacy algorithms that caused most historical vulnerabilities. It even supports a zero round trip resumption mode, where a returning client can send encrypted data in its very first message using a key from a previous session, though that mode carries replay considerations that require care for non-idempotent requests.

Session Resumption Saves Time

Performing a full handshake on every connection would be wasteful when a client reconnects to a server it recently spoke with. TLS supports resumption, where the server issues the client a session ticket or identifier representing the previously negotiated secret. On reconnection the client presents this ticket, and both sides skip the expensive key-exchange and certificate verification, resuming with the established secret much faster. This is why the second and later visits to an HTTPS site feel quicker than the first, and why keeping connections alive and pooling them in backend services pays off doubly: you avoid both the TCP handshake and the costly TLS negotiation. For a service making many outbound HTTPS calls, reusing connections and enabling resumption can cut latency and CPU dramatically. As with TCP, the cheapest handshake is the one you never have to perform because the connection already exists.