Security · 9 min read · Jun 2026

The TLS handshake: how HTTPS actually becomes private

Before a single byte of your password is sent, your browser and the server run a short negotiation that proves the server's identity and agrees on a secret key. Step through it, then break the certificate to see why it matters.

Tags: security, tls, https, encryption, fundamentals

Sri Balaji

Founder


The padlock isn't magic

Who this is for

You see the padlock in the address bar and know it means "secure," but you have no idea what happens in the split second before a page loads over HTTPS.

Before any real data flows, the browser and server run a handshake that does two jobs: prove the server is who it claims to be (via a certificate, plus a signature proving the server holds that certificate's private key), and agree on a secret key that only the two of them know. Get this right and everything after is private and tamper-evident: an attacker on the wire can't read the data and can't change it without the receiver noticing.

Step through it

Walk the handshake one message at a time. Then flip the certificate to invalid and step to the verification stage to see the browser refuse to continue, which is the entire reason certificates exist.

TLS handshake, step by step (interactive widget, not reproduced here): the messages exchanged between your browser and the server, with a toggle that marks the certificate invalid so you can watch the connection abort at the verification step.

Step 1 of 5, ClientHello. Your browser opens: "Hi. I speak TLS 1.3, here are the cipher suites I support, a random nonce, and my key share for the key agreement." (In TLS 1.3 the client sends its half of the key exchange in this very first message, which is why the whole handshake fits in one round trip.)

Two problems, solved together

Problem: Is the server really who it claims?
How the handshake solves it: The server presents a certificate, signed by a CA the browser trusts, whose name matches the domain being visited, and then signs the handshake with the certificate's private key (CertificateVerify in TLS 1.3) to prove it actually holds that key. A certificate that fails any of these checks aborts the connection.

Problem: How do we get a shared secret over an open wire?
How the handshake solves it: Key agreement (ephemeral Diffie-Hellman, typically X25519 in TLS 1.3) lets both sides compute the same session secret from the public key shares they exchange, without the secret itself ever crossing the wire. An eavesdropper who records everything still can't derive it.

Problem: Could someone tamper with data later?
How the handshake solves it: Once the session keys are derived, every record is encrypted and authenticated (AEAD), so a record that was modified, replayed or reordered in transit fails its integrity check and is rejected rather than delivered.
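To make the second and third rows concrete, here is an added example (not code from the original article) that simulates the key-agreement half of a TLS 1.3 handshake in plain Python: X25519 key shares in ClientHello and ServerHello, the HKDF key schedule from RFC 8446, and the server's Finished message, which is an HMAC over the hash of every handshake byte seen so far. The message encodings are constructed for the demo rather than the real wire format, and the ladder uses a Python branch instead of a constant-time swap, so treat it as a teaching model, not a library. It also shows an edge case the table implies: if an on-path attacker strips a cipher suite from the ClientHello in flight, the two sides still derive the same shared secret (the key shares were untouched) but their transcripts differ, so the Finished check fails and the handshake aborts.

```python
"""Simplified TLS 1.3-style handshake: X25519 key agreement, the HKDF key
schedule, and Finished MACs that bind both sides to the same transcript.
Teaching code only: not constant-time, not the real wire format."""
import hashlib
import hmac
import os

P = 2**255 - 19             # Curve25519 field prime
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the RFC 7748 Montgomery ladder."""
    k = int.from_bytes(scalar, "little")
    k &= ~7                  # clamp: clear low 3 bits ...
    k &= (1 << 255) - 1      # ... clear bit 255 ...
    k |= 1 << 254            # ... set bit 254
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:             # RFC uses a constant-time cswap; this branch leaks timing
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        e = (aa - bb) % P
        x3 = pow(da + cb, 2, P)
        z3 = u * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """HKDF-Expand-Label from RFC 8446 s7.1; one HMAC block covers 32 bytes."""
    lbl = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(lbl)]) + lbl + bytes([len(context)]) + context
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]


def handshake_traffic_secrets(shared: bytes, transcript_hash: bytes) -> tuple:
    """TLS 1.3 key schedule up to the handshake traffic secrets, no PSK."""
    zeros = bytes(32)
    early = hkdf_extract(zeros, zeros)
    derived = hkdf_expand_label(early, b"derived", hashlib.sha256(b"").digest())
    hs = hkdf_extract(derived, shared)          # the shared secret enters here
    return (hkdf_expand_label(hs, b"c hs traffic", transcript_hash),
            hkdf_expand_label(hs, b"s hs traffic", transcript_hash))


def finished_mac(traffic_secret: bytes, transcript_hash: bytes) -> bytes:
    """Finished.verify_data: HMAC over the transcript hash with a derived key."""
    fk = hkdf_expand_label(traffic_secret, b"finished", b"")
    return hmac.new(fk, transcript_hash, hashlib.sha256).digest()


def run_handshake(tamper: bool = False) -> dict:
    """ClientHello/ServerHello with X25519 key shares, then the server's Finished.
    tamper=True models an on-path attacker deleting a cipher suite from the
    ClientHello in flight (a downgrade attempt). Message encodings are
    constructed for this demo; real TLS records look different."""
    client_priv, server_priv = os.urandom(32), os.urandom(32)
    client_pub, server_pub = x25519(client_priv, BASEPOINT), x25519(server_priv, BASEPOINT)
    client_hello = (b"ClientHello|TLS1.3|TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256|"
                    + os.urandom(32) + b"|key_share=" + client_pub)
    delivered_ch = client_hello.replace(b",TLS_CHACHA20_POLY1305_SHA256", b"") if tamper else client_hello
    server_hello = b"ServerHello|TLS_AES_128_GCM_SHA256|" + os.urandom(32) + b"|key_share=" + server_pub
    # Key agreement: own private key combined with the peer's public share.
    # Only client_pub and server_pub ever cross the wire.
    shared_client = x25519(client_priv, server_pub)
    shared_server = x25519(server_priv, client_pub)
    # Each side hashes the handshake bytes it actually sent or received.
    th_client = hashlib.sha256(client_hello + server_hello).digest()
    th_server = hashlib.sha256(delivered_ch + server_hello).digest()
    _, s_hs_server = handshake_traffic_secrets(shared_server, th_server)
    _, s_hs_client = handshake_traffic_secrets(shared_client, th_client)
    server_finished = finished_mac(s_hs_server, th_server)        # sent to client
    expected = finished_mac(s_hs_client, th_client)               # client recomputes
    return {"shared_secret_matches": hmac.compare_digest(shared_client, shared_server),
            "finished_ok": hmac.compare_digest(server_finished, expected)}


if __name__ == "__main__":
    print("honest handshake:", run_handshake())
    print("tampered ClientHello:", run_handshake(tamper=True))
```

Run it and the honest handshake reports both checks passing, while the tampered one reports the shared secret still matching but Finished failing. Two things worth noticing. First, everything an eavesdropper captures is the two public key shares and the hello messages; the shared secret is computed at each end, never sent, which is the whole point of the second row of the table. Second, the Finished check only detects tampering with the transcript. An active attacker who replaces both key shares with their own would pass it, because they would then hold a valid shared secret with each side. Catching that attacker is the job of the first row: the certificate and the CertificateVerify signature, which are deliberately not modelled here.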

Watch out

This is why certificate warnings matter. Clicking through "your connection is not private" means accepting a certificate the browser could not tie to this domain through a CA it trusts. Sometimes that is a misconfigured or expired server certificate, but it can equally be an attacker in the middle presenting their own certificate, who then reads and alters everything you send. The handshake is doing its job by refusing to continue; the warning is the point.

Key takeaways

  • HTTPS starts with a handshake before any real data is sent.
  • The certificate proves the server's identity (and the server proves it holds the matching private key); an invalid one aborts the connection.
  • Key agreement derives a shared secret without ever transmitting it.
  • After the handshake, everything is encrypted and tamper-checked with the session key.
  • Certificate warnings are the security working, not a nuisance to click past.

Want to go deeper?

This article covers concepts taught hands-on in the Cloud Engineer and DevOps career paths, with real terminal labs, production scenarios, and structured lessons.