Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are technologies designed to encrypt data sent across a connection. On the modern web TLS is slowly replacing SSL, but ‘SSL’ is still the more commonly used term. In any case, TLS is simply an improved implementation of SSL, renamed to avoid legal issues with Netscape, which originally created SSL.
SSL is built on top of TCP: the data that TCP carries in packets across the internet is encrypted by SSL before it is sent. Since TCP/IP underlies most web protocols, SSL can be used to encrypt most types of communication on the internet. In the web industry SSL is most commonly used to encrypt HTTP connections, the connections made between a website and your browser as you surf the web. An HTTP connection encrypted with SSL/TLS becomes an HTTPS connection. SSL is also used to encrypt file transfers over FTP and email.
How does it work?
In any connection between two computers on the internet, one computer is the client and the other is the server. Data in an SSL connection is encrypted using two related cryptographic keys. Using some very complex mathematics, data encrypted with one key can only be decrypted with the other key. This key pair is generated on the server. One key, called the ‘private’ key, never leaves the server. The other is called the ‘public’ key, and the server sends it to any client that wants to make a connection.
Since anyone can obtain the public key, it is easy to decrypt information sent from the server. But because only the server holds the private key, only the server can decrypt information encrypted with the public key. In an eCommerce situation where you enter your credit card details in a form in your browser and send them to the server, the credit card information is encrypted with the public key, sent across the internet in encrypted form, and decrypted with the private key when it arrives.
An encrypted connection is great, but anyone can create a pair of keys and trick you into sending them data. Just because a connection is encrypted doesn’t mean the recipient has no malevolent intentions. So, as part of the SSL handshake performed at the start of every SSL connection, the server must prove it is who it claims to be.
When the client and server first connect, the server sends a certificate along with the public key, which tells the client who the public key belongs to. This certificate is signed to establish its authenticity. The signatory can be the owner of the server in a so-called ‘self-signed’ certificate. This is sometimes used in the wild, but is not very useful for establishing trust. More commonly, the certificate is signed by a third party. While any Joe Bloggs could be a third party, most certificates are signed by a Certificate Authority.
Certificate Authorities, or CAs, are companies that both the client and the server consider trusted authorities. The owner of the server established that they trust the CA by obtaining a certificate from it. You probably didn’t consciously decide to trust the CA, but the developers of whichever modern browser you use did: a list of trusted CAs is included with all modern web browsers. By trusting a modern web browser, you implicitly trust the CAs on that list.
This Stack Exchange question has a more detailed examination of SSL/TLS technology.