Computer Networks · 20 min read · Advanced

HTTPS, TLS & Certificates

How a padlock in the address bar guarantees you're really talking to your bank.

Three things TLS gives you

  • Confidentiality — nobody on the wire can read your traffic.
  • Integrity — nobody can tamper with it without detection.
  • Authentication — you know the server is who it claims to be.

The TLS handshake (simplified)

  1. Client says 'hello, here are the cipher suites I support'.
  2. Server says 'hello, here's my certificate, let's use this cipher'.
  3. Client validates the cert: checks the signature chain up to a trusted root CA; checks that the name in the certificate matches the domain it connected to; checks that it has not expired.
  4. They agree on a SHARED SECRET (modern TLS: an ephemeral Diffie-Hellman key exchange — an eavesdropper who sees every message on the wire still can't derive it).
  5. From that secret they derive symmetric encryption keys, one per direction. Subsequent traffic is encrypted with fast symmetric ciphers (AES-GCM, ChaCha20).
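Steps 4 and 5 as an added worked example in Python (written for this page, not code from the original). It assumes a toy finite-field group built on the Mersenne prime 2^521 - 1 and a simplified HKDF label scheme standing in for the real TLS 1.3 key schedule; the structure (DH secret -> HKDF -> per-direction keys) is the point, not the constants.

```python
import hashlib
import hmac
import secrets

# Assumption for illustration only: 2**521 - 1 is a Mersenne prime, so it gives a
# valid toy group. Real TLS uses RFC 7919 named groups or curves such as X25519.
P = 2**521 - 1
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 66 bytes


def dh_keypair():
    """Fresh (private, public) pair per handshake: public = G^private mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv, their_pub):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(their_pub, my_priv, P)


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_traffic_keys(shared_secret, transcript_hash):
    """Step 5: one 128-bit key per direction, bound to the handshake transcript."""
    prk = hkdf_extract(b"", shared_secret.to_bytes(P_BYTES, "big"))
    return {
        "client_write": hkdf_expand(prk, b"c ap traffic" + transcript_hash, 16),
        "server_write": hkdf_expand(prk, b"s ap traffic" + transcript_hash, 16),
    }


def handshake():
    """Step 4 then 5. Returns client keys, server keys, and what an eavesdropper sees.
    The wire view holds only public values; recovering the secret from them means
    solving the discrete log, which is why a passive observer gets nothing."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    transcript = hashlib.sha256(c_pub.to_bytes(P_BYTES, "big") + s_pub.to_bytes(P_BYTES, "big")).digest()
    client_keys = derive_traffic_keys(dh_shared_secret(c_priv, s_pub), transcript)
    server_keys = derive_traffic_keys(dh_shared_secret(s_priv, c_pub), transcript)
    wire = {"p": P, "g": G, "client_pub": c_pub, "server_pub": s_pub}
    return client_keys, server_keys, wire
```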

Certificates and CAs

A CERTIFICATE binds a public key to a domain name and is SIGNED by a Certificate Authority (CA) that your browser trusts. Your browser ships with a list of trusted root CAs (DigiCert, Let's Encrypt, Sectigo, etc.). If a server presents a certificate whose signature chain leads to one of those roots, your browser trusts it.

💡 Tip
Let's Encrypt provides free, automated certificates valid for 90 days, used by 60%+ of the public web. Spinning up HTTPS on a side project takes about 30 seconds with certbot.