What Is SSL/TLS?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt the connection between a web browser and a server. When you see the padlock icon in your browser's address bar and the URL starts with https://, it means SSL/TLS is protecting the data flowing between you and the website.
Although the industry moved from SSL to TLS years ago, the term "SSL certificate" has stuck around in common usage. When people say "SSL certificate," they almost always mean a TLS certificate. The two terms are used interchangeably, even though TLS is the actual protocol in use today.
How the HTTPS Handshake Works
Every time your browser connects to an HTTPS website, a process called the TLS handshake takes place before any data is exchanged. Here's what happens in simplified terms:
- Client Hello — Your browser sends a message to the server saying "I'd like to connect securely" along with a list of supported TLS versions and cipher suites.
- Server Hello — The server responds with its chosen TLS version and cipher suite, and sends its SSL certificate.
- Certificate Verification — Your browser checks the certificate against its list of trusted Certificate Authorities (CAs). It verifies the certificate hasn't expired, the domain name matches, and the chain of trust is intact.
- Key Exchange — Both parties agree on a shared session key using asymmetric encryption. This key will be used to encrypt all subsequent communication.
- Secure Connection — The handshake is complete. All data exchanged from this point is encrypted with the session key using fast symmetric encryption.
With TLS 1.3, this handshake is streamlined to just one round trip (down from two in TLS 1.2), making HTTPS connections noticeably faster. You can check which TLS version your server uses with our SSL Checker tool.
Certificate Types: DV, OV, and EV
SSL certificates come in three validation levels, each representing a different degree of identity verification by the Certificate Authority.
Domain Validated (DV)
DV certificates are the simplest and most common type. The CA only verifies that you control the domain — typically by checking a DNS record or responding to an email. They're issued in minutes, often for free, and are perfectly suitable for most websites. If you're running a blog, portfolio, or small business site, a DV certificate is all you need.
Organisation Validated (OV)
OV certificates require the CA to verify that your organisation legally exists. This involves checking business registration documents and sometimes making a phone call. The process takes a few days. OV certificates display the organisation name in the certificate details, which can provide additional trust for business websites.
Extended Validation (EV)
EV certificates undergo the most rigorous validation process. The CA verifies legal, physical, and operational existence of the organisation. These were once considered essential for e-commerce sites because browsers displayed a green address bar with the company name. Most modern browsers no longer show this visual distinction, which has reduced the practical advantage of EV certificates.
Free vs Paid Certificates
Let's Encrypt revolutionised the SSL landscape by offering free, automated DV certificates. Today, there is no security difference between a free Let's Encrypt certificate and a paid DV certificate from a commercial CA — the encryption is identical. Both use the same cryptographic standards and are trusted by all major browsers.
Paid certificates still make sense in specific situations: if you need OV or EV validation, if you want a warranty or dedicated support, or if your organisation requires a specific CA for compliance reasons. For the vast majority of websites, though, a free Let's Encrypt certificate provides excellent security at no cost.
Wildcard and Multi-Domain Certificates
A wildcard certificate covers a domain and all its subdomains at one level. For example, a wildcard for *.example.com would cover www.example.com, shop.example.com, and api.example.com — but not sub.api.example.com. Wildcards simplify management when you run many subdomains.
Multi-domain (SAN) certificates use Subject Alternative Names to cover multiple completely different domain names under a single certificate. This is useful if your organisation operates several websites and you want to manage them with one certificate.
How to Check Your Certificate
You can click the padlock icon in your browser to view basic certificate details, but this only tells part of the story. Our SSL Checker gives you a complete picture — certificate validity, expiry date, the full certificate chain, TLS version support, cipher suites, and HSTS configuration. It's the same analysis you'd get from a paid security audit, but instant and free.
For ongoing monitoring, consider pairing SSL Checker with tools like Site Speed Check to ensure your TLS configuration isn't adding unnecessary latency, and Broken Link Finder to catch any mixed-content issues where HTTP resources are loaded on HTTPS pages.
Why Every Site Needs HTTPS
HTTPS is no longer optional. Here's why:
- Security — HTTPS encrypts all data in transit, protecting login credentials, payment details, and personal information from interception.
- SEO — Google has used HTTPS as a ranking signal since 2014. Sites without HTTPS are at a measurable disadvantage in search results.
- Trust — Modern browsers label HTTP sites as "Not Secure." This warning alone is enough to drive visitors away from your site.
- Compliance — Regulations like GDPR and PCI DSS require encryption of data in transit. HTTPS is the baseline for compliance.
- Modern Features — Many web APIs (geolocation, service workers, HTTP/2) require HTTPS. Without it, you're locked out of modern web capabilities.
If your site still runs on HTTP, the good news is that migrating to HTTPS has never been easier. Most hosting providers offer one-click SSL installation, and Let's Encrypt makes certificates free. There's no reason not to make the switch today.