How online security works

Online security is enabled through HTTPS protocols and TLS encryption.

With so many major data breaches in the news recently, you might be wondering how your data is protected when you're online. You know, you go to a website to do some shopping, enter your credit card number, and hopefully in a few days a package arrives at your door.  But in that moment before you click Order, do you ever wonder how online security works?

The Basics of Online Security

In it's most basic form, online security–that's the security that takes place between your computer and a website you're visiting - is performed through a series of questions and responses.

You type a web address into your browser, then your browser asks that site to verify it's authenticity, the site responds back with the appropriate information, and once both agree, the site opens in your web browser. 

Among the questions being asked and information being exchanged is data about the type of encryption that is used to pass your browser information, computer information, and personal information between your browser and the website. These questions and answers are called a handshake. If that handshake doesn't take place, then the website you're trying to visit will be deemed unsafe.


One thing you may notice when you visit sites on the web is that some have an address that starts with http and some start with https. HTTP means Hypertext Transfer Protocol; it's a protocol or set of guidelines that designates secure communication over the internet. You may even notice that some sites, especially sites where you are asked to provide sensitive or personally identifying information may display https either in green or in red with a line through it.

HTTPS means Hypertext Transfer Protocol Secure, and green means the site has a verifiable security certificate. Red with a line through it means the site does not have a security certificate, or the certificate is inaccurate or expired. 

Here's where things get a little confusing. HTTP does not mean data transferred between your computer and a web site is encrypted.

It only means the website that is communicating with your browser has an active security certificate. Only when an S (as in HTTPS) is included is the data that's being transferred secure, and there's another technology in use that makes that secure designation possible. 

Understanding the SSL Protocol

When you consider sharing a handshake with someone, that means there is a second party involved. Online security is much the same way.  For the handshake that ensures security online to take place, there must be a second party involved. If HTTPS is the protocol that the web browser uses to ensure there is security, then the second half of that handshake is the protocol that ensures encryption. 

Encryption is the technology that's used to disguise data that's transferred between two devices on a network. It's accomplished by turning recognizable characters into unrecognizable gibberish that can be returned to its original state using an encryption key. This was originally accomplished through a technology called Secure Socket Layer security (SSL). 

In essence, SSL was the technology that turned any data moving between a website and a browser into gibberish and then back into data again. Here's how it works:

  • You open your browser and type in the address for your bank.
  • Your web browser knocks on the bank's door and introduces you.
  • The doorman verifies that you are who you say you are and then agrees to let you in under a set of conditions.
  • Your web browser agrees to those conditions and then you're allowed to access the bank's website.

The process repeats itself when you enter your user name and password, with some additional steps. 

  • You enter your user name and password to gain access to your account.
  • Your web browsers tells the bank's account manager that you would like access to your account.
  • They converse and agree that if you can provide the correct credentials, then you'll be granted access. However, those credentials need to be presented using a special language. 
  • The web browser and the bank's account manager agree to the language that will be used.
  • The web browser converts your user name and password into that special language and passes it to the bank's account manager.
  • The account manager receives the data, decodes it, and compares it to their records.
  • If your credentials match, you're granted access to your account. 

The process takes place in nano seconds, so you don't notice the time it takes for this whole conversation and handshake to take place between the web browser and website. 


SSL was the original security protocol that was used to ensure that websites and the data passed between them was secure. According to GlobalSign, SSL was introduced in 1995 as version 2.0. The first version (1.0) never made its way into the public domain. Version 2.0 was replaced by version 3.0 within a year to address vulnerabilities in the protocol. In 1999, another version of SSL, called Transport Layer Security (TLS) was introduced to improve the speed of the conversation and security of the handshake. TLS is the version that's currently in use, though it is often still referred to as SSL for the sake of simplicity. 

TLS Encryption

TLS encryption was introduced to improve data security. While SSL was a good technology, security changes at a rapid rate, and that led to the need for better, more up-to-date security. TLS was built on the framework of SSL with significant improvements to the algorithms that govern the communications and handshake process.

Which TLS Version Is Most Current?

As with SSL, TLS encryption has continued to improve. The current TLS version is 1.2, but TLSv1.3 has been drafted and some companies and browsers have used the security for short periods of time. In most cases, they revert back to TLSv1.2 because version 1.3 is still being perfected.

When finalized, TLSv1.3 will bring numerous security improvements, including improved support for more current types of encryption. However, TLSv1.3 will also drop support for older versions of SSL protocols and other security technologies that are no longer robust enough to ensure the proper security and encryption of your personal data.

Was this page helpful?