Letâs start with a simple scenario. Youâre sitting in a coffee shop, and you want to buy something online. You pull out your phone, open a shopping site, and type in your credit card number.
That credit card number has to travel from your phone to the storeâs server. But how does it get there?
Your data doesnât teleport from your phone to the server. It travels through a chain of devices. Your phone sends it to the coffee shopâs wifi router. The router sends it to the ISP. The ISP routes it through several more routers, possibly across cities or continents, until it reaches the serverâs network.
graph LR
A[Your Phone] --> B[Coffee Shop Router]
B --> C[ISP Router]
C --> D[Regional Router]
D --> E[Another ISP]
E --> F[Data Center Router]
F --> G[Store's Server]
Each one of those hops is a separate device, owned by a separate organization. Your data passes through all of them.
Think of sending a postcard through the mail. You write your message on the card, drop it in a mailbox, and it passes through sorting facilities, trucks, and mail carriers before it reaches the recipient. Every person who handles that postcard can read what you wrote.
The internet works the same way. Without any protection, your data travels as plain text. Every router, every switch, every device along the path can see exactly what youâre sending. Your credit card number, your passwords, your messages, all of it readable by anyone who can tap into any point along the route.
The coffee shop scenario is actually one of the easier attacks. The wifi network in a coffee shop is shared. Anyone on the same network can run software that captures all the traffic flowing through it. This isnât theoretical. Tools like Wireshark make it trivially easy. A person sitting two tables away could be recording every packet your phone sends.
But itâs not just coffee shops. Your ISP can see your traffic. Government agencies can tap undersea cables. A compromised router at any hop along the path can silently copy everything passing through it.
And hereâs the thing: you have no control over which path your data takes. The internetâs routing protocols choose the path dynamically. Your data might take a different route every time you send a request. You canât choose to avoid the sketchy router in some data center youâve never heard of.
The fundamental problem is simple: the internet was designed as a public network. It was built to move data from point A to point B as efficiently as possible. It was not built to keep that data private.
When the internet was created in the 1970s and 1980s, the users were researchers at universities and government labs. They trusted each other. Privacy wasnât a design goal. The protocols that move data around the internet, TCP/IP, donât have any built-in encryption. They just move bytes.
That design decision made the internet incredibly flexible and scalable. But it also means that by default, everything you send is visible to everyone between you and the destination.
We need a way to make the data unreadable to everyone except the intended recipient. Even if someone captures every single packet along the way, they should see nothing but gibberish.
Thatâs encryption. And the protocol that applies encryption to internet traffic is called TLS, Transport Layer Security.
But encryption isnât just one thing. Itâs a collection of tools, each solving a specific piece of the puzzle. Before we can understand TLS, we need to understand those tools. And before we understand the tools, we need to understand exactly what problems they solve.
Letâs start by looking at what actually happens when you type a URL into your browser.