But what is the TLS handshake (sometimes called an SSL handshake) and how does it help create a safer and more secure experience for website users?<\/p>\n\n\n\n
What Is the TLS Handshake? TLS Handshake Explained<\/h2>\n\n\n\n
The simple way of looking at the SSL\/TLS handshake is that it\u2019s a communication process that enables two parties to communicate securely on the internet. This is done by enabling the use of the secure hypertext transfer protocol (HTTPS)<\/a> (instead of relying on the insecure traditional HTTP) by forming a TLS connection. TLS, which stands for transport layer security, is the successor of SSL (secure sockets layer) and is the set of rules browsers use to connect to websites on the internet. <\/p>\n\n\n\n It’s customary to shake hands and introduce yourself when meeting someone for the first time. (Or, in the post-COVID era, bump elbows or some other similar greeting.) Similarly, the TLS handshake is how a web browser and the site server it\u2019s connecting to:<\/p>\n\n\n\n What\u2019s the point of the introduction? Let\u2019s consider this question from the perspective of your site visitor and you as a site owner:<\/p>\n\n\n\n Before the development of the internet (or, more specifically, public key infrastructure<\/a>), people had to travel and be in the same physical location to exchange information securely. There was a certain level of implicit trust involved, as you could see the person you were meeting with and could verify their identity by checking their official government-issued ID card.<\/p>\n\n\n\n The creation of the internet made remote access<\/a> and communications possible, however, it also created a slew of new issues because it isn\u2019t secure. Anyone with the know-how can intercept messages (this is called a man-in-the-middle attack) and steal, alter, or even delete some or all of the data while it\u2019s in transit. <\/p>\n\n\n\n This is where public key infrastructure and public key cryptography come into play: it\u2019s all about using secure processes and digital identity to create a secure communication channel. By using authentication of digital identity and protecting the integrity of your data, two parties can securely exchange data without having to physically be in the same place.<\/p>\n\n\n\n The TLS handshake enables one or both parties to authenticate and negotiate all of the technical details regarding how to communicate. This means that there are mechanisms in place that help prove one or both parties are who they claim to be and aren\u2019t skeevy imposters. The handshake itself is just a term that describes the back-and-forth data exchanges that occur in the blink of an eye.<\/p>\n\n\n\n As we touched on, a TLS handshake is a way for one or both parties to identify themselves and engage in secure communications. In some ways, it reminds me of the time my husband and I traveled to Mexico. As native English-speaking Americans, we got first-hand experience of what it\u2019s like being somewhere where English isn\u2019t the primary language. (It was eye-opening, to say the least.) At the resort, we were fine because virtually everyone there spoke English. But once we traveled outside the resort, it was a different story.<\/p>\n\n\n\n One of the most shocking experiences was when we landed at the airport. There were mobs of taxi drivers and transportation service workers from different companies waiting, trying to pick up unsuspecting travelers. Thankfully, we\u2019d done our research and read up on the travel scams that are common in the area. As such, we knew that many of these drivers would pretend to be our legitimate transportation company to get us to hire their services and pull different scams.<\/p>\n\n\n\n The legitimate transport company we hired in advance gave the driver our names and provided us with the following information:<\/p>\n\n\n\n In some ways, a TLS handshake is similar. Much like how the driver verified who it was we would be meeting up with and validated he was one of their employees, a server identifies itself using an SSL\/TLS certificate<\/a>. This is how things go in the traditional TLS handshake when you\u2019re connecting to a website. This is known as one-way authentication because only the server has to prove its identity.<\/p>\n\n\n\n But a TLS handshake isn\u2019t only useful for one-way authentication; it can also be used for mutual or two-way authentication, meaning that the browser and web server it\u2019s connecting to can verify each other\u2019s identities. In the case of our Mexico trip, since we also provided our information to the company, the driver knew our names and could check our IDs to ensure he was picking up the right passengers.<\/p>\n\n\n\n Okay, now that we know what a TLS handshake is, let\u2019s get into the fun part and explore how performing a TLS handshake works. The TLS handshake is basically a back-and-forth dialogue between your web server and the site visitor\u2019s client. In a traditional TLS handshake, the browser is the one that initiates the conversation, but it\u2019s up to the server to prove its identity. This way, the web client knows it\u2019s connecting to your legitimate website (and not an imposter\u2019s version of it).,<\/p>\n\n\n\n When talking about how the TLS handshake works, though, it\u2019s important to point out that the specifics of this process vary depending on whether you\u2019re talking about TLS version 1.2 or TLS 1.3. Why? Because these two protocols work differently to achieve the same end goal. Let\u2019s talk through a TLS 1.2 handshake before moving on to see how differently TLS 1.3 operates.<\/p>\n\n\n\n TLS 1.2 is the older and most commonly used protocol. According to SSL Lab\u2019s January 2023 data<\/a> (based on Alexa\u2019s list of the top 150,000 SSL\/TLS enabled websites), 99.9% of websites still support TLS 1.2 to enable secure HTTPS connections<\/a>. It involves two round trips \u2014 this term refers to the number of times the initiating party has to reach out and receive messages from the server.<\/p>\n\n\n\n Let\u2019s take a quick peek at what this looks like in practice:<\/p>\n\n\n\n Look at the first golden arrow. It reaches out from the web client to the web server before circling back again. Then the client reaches out a second time (as illustrated with the dark arrow); it receives a response from the server, and the two use the exchanged data to establish a secure, encrypted connection. This is basically a series of four communications that occur within milliseconds:<\/p>\n\n\n\n This is when the user\u2019s web client initially reaches out to establish a connection with the web server. Basically, it\u2019s initiating an introduction and making it known to the server that it wishes to connect.<\/p>\n\n\n\n This next step is when the server responds for the first time. It\u2019s an opportunity for the server to:<\/p>\n\n\n\n Of course, things can go wonky in this part of the process if your digital certificate<\/a> is expired or there\u2019s a misconfiguration issue. Check out our article on the TLS handshake failed<\/a> error to learn more about these situations and how to mitigate them.<\/p>\n\n\n\n Here, the client sends the server information its needs to decrypt and use a secure session key. (This is what will be used to create the secure, encrypted communication channel.) It also gives the server the heads up that it\u2019s switching to that encrypted channel to communicate from this point on.<\/p>\n\n\n\n Once the server gets the message, it takes the info received from the user\u2019s web client and decrypts it. This enables it to calculate a shared session key that can be used to connect via an authenticated, secure channel.<\/p>\n\n\n\n Yup. That\u2019s, basically, the TLS 1.2 Handshake in a nutshell! Now that we\u2019ve seen how this works, let\u2019s switch gears to change out the streamlined version of this process that occurs when using the TLS 1.3 handshake.<\/p>\n\n\n\n\n
\n
A TLS Handshake Uses Identity to Enable Secure Connection on Insecure Networks<\/h2>\n\n\n\n
![\"A](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2023\/01\/tls-connection-firefox-shadow.png\")
A TLS Handshake Helps You Feel Confident Exchanging Info With Someone You\u2019ve Never Met<\/h3>\n\n\n\n
\n
An Overview of How the TLS Handshake Works<\/h2>\n\n\n\n
How the TLS Handshake Works in TLS 1.2<\/h3>\n\n\n\n
![\"TLS](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2023\/01\/tls-12-handshake-roundtrips-shadow.png\")
1. Client Hello<\/h4>\n\n\n\n
2. Server Hello and Certificate Delivery<\/h4>\n\n\n\n
\n
3. Client Key and Cipher Spec Exchange<\/h4>\n\n\n\n
4. Server Changes to the Agreed Upon Cipher So Both Parties Can Connect Securely<\/h4>\n\n\n\n
The TLS Handshake in TLS 1.3 Is Similar But Requires Fewer Steps<\/h3>\n\n\n\n
![\"TLS](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2023\/01\/tls13-handshake-roundtrip-shadow.png\")