TLS Handshake

Before your browser sends a single byte of real data, it negotiates encryption with the server. Watch the dance. Switch versions. See what changed in TLS 1.3.

Scenario

Idle
TLS 1.3 · 1-RTT Cumulative: 0ms
Client → Server Server → Client Encrypted
Pick a scenario and click Play handshake. Watch the messages fly, then tap any message to see its real wire contents.

Wire detail

What just happened

Nerd tip

TLS 1.3 removed RSA key exchange entirely. Every TLS 1.3 handshake uses ephemeral Diffie-Hellman (X25519 or P-256). That means forward secrecy is mandatory, not optional. Even if someone steals the server's private key later, they cannot decrypt past traffic they recorded. In TLS 1.2 this was optional. Many servers didn't enable it. All recorded pre-2018 HTTPS traffic is recoverable if those keys ever leak.

Nerd tip

ECH (Encrypted Client Hello) is the newest piece of the puzzle. In the handshakes you see here, the server_name extension is sent in plaintext. A coffee shop network can read it and see which sites you're visiting, even though the rest is encrypted. ECH wraps ClientHello itself in an outer TLS envelope so even the hostname is hidden. Cloudflare and Firefox enabled it in 2024. It's the last piece of metadata TLS didn't protect.

Nerd tip

0-RTT is not free. Sending application data in the first client flight is fast, but the data is vulnerable to replay attacks. An attacker who captures a 0-RTT packet can send it again later, and the server will happily process it. That is why 0-RTT is only safe for idempotent requests: GETs that return the same thing every time. A 0-RTT POST that adds a charge to your credit card is a production incident waiting to happen.