SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt data sent between a web browser and a server, preventing anyone in between from reading or tampering with it. When you see the padlock icon or "https" in your browser's address bar, TLS is active. SSL was the original protocol, but it had security flaws and was replaced by TLS. People still say "SSL" out of habit, but modern connections use TLS 1.2 or TLS 1.3.
The process starts with a handshake. Your browser connects to a server and says which TLS versions and encryption methods it supports. The server picks the strongest options they both understand and sends back its digital certificate, which contains the server's public key and is signed by a trusted Certificate Authority (CA). Your browser checks that the certificate is valid, matches the domain, and has not expired. If everything checks out, the browser and server agree on a shared encryption key using public-key cryptography. From that point on, all data between them is encrypted with that shared key using faster symmetric encryption.
What TLS actually protects against: without it, anyone on the same Wi-Fi network, your internet provider, or any router between you and the server can read every byte you send. Login credentials, credit card numbers, personal messages, all transmitted in plain text. TLS makes the data unreadable to everyone except the intended recipient. It also verifies identity: the certificate system ensures you are actually talking to your bank's server and not a fake copy set up by an attacker.
TLS 1.3, released in 2018, made meaningful improvements over 1.2. The handshake takes one round trip instead of two, cutting connection setup time in half. It removed support for older, weaker encryption methods, so there are fewer ways to misconfigure it. It also introduced 0-RTT resumption, which lets returning visitors skip the handshake entirely for even faster connections. Getting a TLS certificate used to cost money, but Let's Encrypt now issues them for free, which played a big role in pushing HTTPS adoption past 95% of all web traffic.