TLS Handshake
Before your browser sends a single byte of real data, it negotiates encryption with the server. Watch the dance. Switch versions. See what changed in TLS 1.3.
Scenario
Wire detail
What just happened
Nerd tip
TLS 1.3 removed RSA key exchange entirely. Every TLS 1.3 handshake uses ephemeral Diffie-Hellman (X25519 or P-256). That means forward secrecy is mandatory, not optional. Even if someone steals the server's private key later, they cannot decrypt past traffic they recorded. In TLS 1.2 this was optional. Many servers didn't enable it. All recorded pre-2018 HTTPS traffic is recoverable if those keys ever leak.
Nerd tip
ECH (Encrypted Client Hello) is the newest piece of the puzzle. In the handshakes you see here, the server_name extension is sent in plaintext. A coffee shop network can read it and see which sites you're visiting, even though the rest is encrypted. ECH wraps ClientHello itself in an outer TLS envelope so even the hostname is hidden. Cloudflare and Firefox enabled it in 2024. It's the last piece of metadata TLS didn't protect.
Nerd tip
0-RTT is not free. Sending application data in the first client flight is fast, but the data is vulnerable to replay attacks. An attacker who captures a 0-RTT packet can send it again later, and the server will happily process it. That is why 0-RTT is only safe for idempotent requests: GETs that return the same thing every time. A 0-RTT POST that adds a charge to your credit card is a production incident waiting to happen.