---
title: "TLS in plain English"
slug: tls-in-plain-english
canonical_url: https://oreoro.github.io/posts/tls-in-plain-english/
published_at: 2026-06-04T00:00:00.000Z
updated_at: 2026-06-04T00:00:00.000Z
tags: 
  - Information
excerpt: "What happens during a TLS handshake, without the math."
author: "Unknown Author"
---

### The handshake

-   Client says: “Here are the cipher suites I support”
-   Server replies with its certificate (which carries its public key)
-   Client verifies the certificate chain
-   They agree on session keys (usually via ECDHE)
-   After that: traffic is encrypted + authenticated

### What you get

-   **Confidentiality** (encryption)
-   **Integrity** (tamper detection)
-   **Authenticity** (you’re talking to the right server)

### Common gotchas

-   Expired certs
-   Wrong hostname (SAN mismatch)
-   Missing intermediate certs
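
An added example (not from the original post) that models the "client verifies the certificate chain" step and the three gotchas above, run over a constructed certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The names `diagnose`, `san_matches`, `common_name` and the `example.test` data are assumptions; chain linking is by name only, where a real validator also verifies each signature.

```python
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_LEAF = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}

def common_name(name):
    """Pull commonName out of getpeercert()'s nested RDN tuples."""
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def san_matches(pattern, hostname):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse overly broad '*.tld'
    return p == h

def diagnose(leaf, hostname, now, sent_chain, trusted_roots):
    """Return the gotchas that would make a client reject this handshake.

    sent_chain: certs the server sent after the leaf (same dict shape).
    trusted_roots: set of root CA commonNames in the client's trust store.
    Chain linking is by name only here; real validators also verify signatures.
    """
    problems = []
    if now < ssl.cert_time_to_seconds(leaf["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(leaf["notAfter"]):
        problems.append("expired")
    dns = [v for k, v in leaf.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(p, hostname) for p in dns):  # CN is not consulted
        problems.append("hostname mismatch")
    by_subject = {common_name(c["subject"]): c for c in sent_chain}
    issuer, seen = common_name(leaf["issuer"]), set()
    while issuer not in trusted_roots:
        if issuer not in by_subject or issuer in seen:
            problems.append("missing intermediate: " + issuer)
            break
        seen.add(issuer)
        issuer = common_name(by_subject[issuer]["issuer"])
    return problems
```
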