When a user enters an HTTPS address in the browser, the first communication with the server happens within milliseconds. This exchange is called the SSL or TLS handshake, and during it the parties identify each other, establish trust and generate a key for the subsequent encrypted communication. The seemingly simple process actually combines several security mechanisms and forms the foundation of internet privacy.
The client hello step
The handshake begins from the user's browser. The browser sends the server a client hello message, declaring its capabilities: which TLS versions it supports, which cipher suites it can use, which compression methods it knows. The client also sends a random number (client random), which is later used to generate the key. The SNI field indicates which domain is being requested, which matters when multiple sites share a single IP address.
Server hello and certificate
The server responds and declares its choices: which TLS version and cipher suite will be used. The server also sends its own random number (server random) and presents its certificate. Through the certificate, the server proves its identity: the certificate is signed by a Certificate Authority and chains up to a root certificate the browser already trusts. The browser verifies the certificate: validity period, domain match, trust in the issuing chain and revocation status.
Key exchange
In the next step, the parties must create a shared secret key for symmetric encryption. In modern TLS versions, this is done with an ephemeral Diffie-Hellman exchange (usually over an elliptic curve, ECDHE). The client and server exchange public key shares, and each independently computes the same secret from its own private value and the peer's public share. The remarkable feature of this approach is that someone who eavesdrops on the connection sees only the public shares and cannot recover the key. Because the key-exchange values are generated fresh for each session and discarded afterwards, this also gives forward secrecy: even if the server's long-term private key is compromised later, old recordings of the traffic remain undecryptable.
Finished message and symmetric communication
After the key is created, the parties send each other a finished message containing a MAC, computed under the newly derived key, over the hash of all handshake messages exchanged so far. Each side recomputes this value over the transcript it saw, so the step confirms that the process was not tampered with and no third party intervened. After this, all subsequent data is transmitted with symmetric encryption, typically AES or ChaCha20. In TLS 1.3 the process is optimized and completes in a single round trip (1-RTT), whereas TLS 1.2 required two round trips.
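The key-exchange and finished-message steps above, reduced to a runnable simulation. This is an added example, not code from the original article or from Sayt.uz: the hello layout (32-byte random, 32-byte X25519 share, suite list) and the one-hash key derivation are constructed simplifications of TLS, not the real wire format, and the "WEAK_SUITE_CONSTRUCTED_FOR_DEMO" string is a placeholder. It shows that both sides derive the same key from nothing but public shares, and that rewriting the offered suites in transit leaves the key unchanged but makes the finished check fail.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// hello: 32-byte random, 32-byte X25519 key share, suite list (demo layout, not TLS encoding).
func hello(priv *ecdh.PrivateKey, suites string) []byte {
	random := make([]byte, 32)
	must(rand.Read(random))
	return append(append(random, priv.PublicKey().Bytes()...), suites...)
}
// sessionKey = SHA-256(ECDH secret || client random || server random), derived by each side alone.
func sessionKey(priv *ecdh.PrivateKey, peerHello, clientHello, serverHello []byte) []byte {
	secret := must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peerHello[32:64]))))
	sum := sha256.Sum256(append(append(secret, clientHello[:32]...), serverHello[:32]...))
	return sum[:]
}
// finished = HMAC(key, transcript) over the handshake messages this side sent and saw.
func finished(key []byte, transcript ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, msg := range transcript {
		m.Write(msg)
	}
	return m.Sum(nil)
}
// RunHandshake plays both roles. With tamper=true an on-path attacker rewrites the client's
// offered suites in transit: key shares are untouched, so both sides still derive the same
// key, but the transcripts differ and the finished check fails: (true,true) vs (true,false).
func RunHandshake(tamper bool) (sameKey, finishedOK bool) {
	cPriv, sPriv := must(ecdh.X25519().GenerateKey(rand.Reader)), must(ecdh.X25519().GenerateKey(rand.Reader))
	clientHello := hello(cPriv, "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256")
	seenByServer := clientHello // the bytes that actually reach the server
	if tamper {
		seenByServer = append(append([]byte{}, clientHello[:64]...), "WEAK_SUITE_CONSTRUCTED_FOR_DEMO"...)
	}
	serverHello := hello(sPriv, "TLS_AES_256_GCM_SHA384")
	cKey, sKey := sessionKey(cPriv, serverHello, clientHello, serverHello), sessionKey(sPriv, seenByServer, seenByServer, serverHello)
	return hmac.Equal(cKey, sKey), // same key: randoms and shares were not changed
		hmac.Equal(finished(cKey, clientHello, serverHello), finished(sKey, seenByServer, serverHello))
}
```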
Sayt.uz practice
Sayt.uz infrastructure made TLS 1.3 mandatory in spring 2036. Statistics show that after the upgrade, average handshake time dropped from 187 to 94 milliseconds, about 50 percent. This boosted site loading speed by 12 percent and directly improved user experience. For Sayt.uz clients, TLS 1.3 and forward secrecy are enabled by default on all plans. Wildcard SSL costs 645,000 soum, DV certificates 312,000 soum, and EV certificates start at 1,870,000 soum. Technical support resolves handshake issues in 38 minutes on average.