What is TLS/SSL?
TLS (Transport Layer Security) is a cryptographic protocol that provides privacy, data integrity, and authentication for communication between two parties over a network. SSL (Secure Sockets Layer) is its deprecated predecessor; modern "SSL" references almost always mean TLS.
Also known as: TLS, SSL, Transport Layer Security, Secure Sockets Layer, HTTPS
TLS is the protocol behind HTTPS and is the most widely deployed security protocol on the internet. A TLS handshake establishes a secure channel in several steps: the client and server agree on a protocol version and cipher suite, the server presents its certificate (which the client verifies against its trusted certificate authorities via PKI), the two sides perform a key exchange to derive shared session keys, and all subsequent communication is encrypted with those symmetric keys. Modern TLS 1.3 simplified this to a single round trip.
The security properties TLS provides are confidentiality (encryption prevents eavesdropping), integrity (message authentication codes detect tampering), and authentication (certificates verify the server's identity, and optionally the client's). Without TLS, data on the network is visible to anyone who can observe the traffic — ISPs, Wi-Fi operators, network administrators, and attackers performing man-in-the-middle attacks.
SSL (versions 1.0 through 3.0) has been deprecated due to known vulnerabilities like POODLE and BEAST. TLS 1.0 and 1.1 are also deprecated. TLS 1.2 remains widely supported, and TLS 1.3 (released in 2018) is the current standard, offering improved security and performance by removing legacy cipher suites and reducing handshake latency. Despite the deprecation, "SSL" persists as a colloquial term — "SSL certificate" and "SSL termination" typically refer to TLS in practice.
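As an added illustration of the handshake and the version deprecation described above (example code, not from Vaulted or any TLS library), the following Go program runs a complete TLS handshake in-process. The client enforces the properties discussed: it trusts only an explicit root, verifies the certificate against the hostname it expects, and refuses SSL 3.0, TLS 1.0 and TLS 1.1. The self-signed certificate, the name "localhost" and the net.Pipe transport are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ephemeralCert builds a self-signed ECDSA certificate for "localhost" plus a
// trust pool holding it. Constructed test material only, not a real CA chain.
func ephemeralCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"}, // the name the client will verify
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Handshake runs an in-process TLS handshake over net.Pipe and returns the
// negotiated protocol version, or the error that made the client abort.
func Handshake(serverName string) (uint16, error) {
	cert, pool := ephemeralCert()
	srvEnd, cliEnd := net.Pipe()
	srv := tls.Server(srvEnd, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	go func() { srv.Handshake(); srv.Close() }() // server side runs concurrently
	cli := tls.Client(cliEnd, &tls.Config{
		RootCAs:    pool,             // trust only the ephemeral certificate above
		ServerName: serverName,       // identity the client expects (PKI check)
		MinVersion: tls.VersionTLS12, // refuse SSL 3.0, TLS 1.0 and TLS 1.1
	})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return 0, err // e.g. certificate does not match serverName
	}
	return cli.ConnectionState().Version, nil
}
```

With both sides at Go defaults the handshake negotiates TLS 1.3 for "localhost", while asking for any other name fails certificate verification before any application data is exchanged.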
How Vaulted uses TLS/SSL
Vaulted serves all traffic over HTTPS, meaning every request between your browser and the server is protected by TLS. This encrypts the client-encrypted ciphertext and the request metadata while in transit and authenticates that you are communicating with the real Vaulted server. However, TLS alone would not protect your secrets if the server could read them. Vaulted layers client-side AES-256-GCM encryption on top of TLS, so the server receives only ciphertext it cannot decrypt — TLS protects the transport channel, while client-side encryption protects the data itself.