Wire and Logic
Hourly · Synthesized · Opinionated
securitySaturday, June 6, 2026·3 min read

Understanding the TLS Handshake: What HTTPS Secures and What It Doesn’t

Learn how the TLS handshake establishes an encrypted tunnel for HTTPS, what it protects, and the limits developers should be aware of.

Piergorite-3520 0,8mm
Photo: Henk Smeets - Tomeik Minerals

When you type https:// in a browser, a series of network protocols spring into action before any page appears. First TCP establishes a reliable connection, then TLS negotiates an encrypted tunnel, and finally HTTP runs inside that tunnel. Understanding each step reveals what HTTPS truly protects and where its guarantees stop. For developers, the handshake details affect performance, security posture, and debugging strategies.

What happened

The client begins by completing TCP’s three‑way handshake, creating a bidirectional, ordered channel that carries raw bytes without encryption. Over this channel the TLS handshake starts. The client sends a ClientHello listing supported TLS versions and cipher suites along with a random nonce. The server replies with ServerHello choosing the protocol version and cipher suite, then sends its X.509 certificate containing a public key signed by a trusted CA. If the chosen suite uses an ephemeral key exchange, the server adds a ServerKeyExchange with a temporary public key signed by its private key. The client responds with ClientKeyExchange, providing its own temporary public key. Both sides compute a shared secret, send ChangeCipherSpec to switch to encrypted records, and finish with a Finished message that hashes the entire handshake.

Why it matters

The handshake guarantees confidentiality (the shared secret encrypts traffic), integrity (the Finished hash detects tampering), and authentication (the certificate proves the server’s identity). This protects against eavesdropping and man‑in‑the‑middle attacks, but only as long as the PKI remains trustworthy and the client validates the certificate chain. Developers must also consider the performance cost of extra round‑trips and cryptographic operations, especially on mobile or high‑latency networks.

+ Pros
  • Strong encryption prevents passive network sniffing.
  • Server authentication stops most man‑in‑the‑middle attacks.
  • Forward‑secrecy ciphers limit damage if long‑term keys are later compromised.
Cons
  • Additional round‑trips increase latency.
  • Complex configuration can lead to weak cipher suites or protocol downgrades.
  • HTTPS does not protect data once it reaches the server or client.

How to think about it

Treat the TLS handshake as a baseline security layer, not a silver bullet. Verify certificates against up‑to‑date trust stores, enforce TLS 1.2 or higher, and prefer cipher suites with forward secrecy. Enable HTTP Strict Transport Security (HSTS) to force browsers to use HTTPS. For highly sensitive payloads, add end‑to‑end encryption at the application level so that data remains protected even if the server is compromised.

FAQ

Does HTTPS encrypt the entire request and response?+
Yes. Once the TLS handshake completes, all HTTP headers and body are wrapped in encrypted TLS records, so the network sees only ciphertext.
Which handshake message provides server authentication?+
The server’s Certificate message (and any subsequent ServerKeyExchange signatures) proves its identity, as long as the client validates the CA chain.
Can a TLS handshake be downgraded or bypassed?+
Modern browsers reject downgrade attempts and require at least TLS 1.2, but misconfigured servers or outdated clients can still fall back to weaker versions, exposing the connection to attacks.
Sources
  1. 01How a TLS handshake works and what HTTPS actually protects
  2. 02TLS Handshake Explained: How HTTPS Actually Works
  3. 03What Is an SSL Handshake? How TLS Protects Your HTTPS Connections
Keep reading
Get the weekly dispatch

The week’s highest-signal tech and AI stories, synthesized into a five-minute read. One email a week, no spam, unsubscribe anytime.