Back Through the Wire
TLS decrypt → TCP reassemble → IP route home
The response travels back through every network layer in reverse. TLS decrypts the ciphertext, TCP reassembles segments in order, and IP routes packets back to your machine.
How It Works
The response passes back through the same network layers in reverse, but the route it takes may differ. IP routing is stateless: each packet is independently routed, and the return path may traverse different autonomous systems than the forward path. TCP sequence numbers ensure that segments are reassembled in the correct order even if they arrive out of sequence. If any segment is lost, TCP's selective acknowledgment (SACK) tells the sender exactly which segments to retransmit.
Once TCP delivers the ordered byte stream, TLS decrypts each record using the symmetric session key derived during the handshake (AES-256-GCM or ChaCha20-Poly1305). The decrypted data is HTTP frames, which the browser's HTTP/2 or HTTP/3 decoder demultiplexes into individual response streams. The completed response body (HTML, JSON, images, whatever) is delivered to the renderer process via IPC for processing.
The Signal Flow
Key Concepts
The internet's return path often differs from the forward path. Router A may send your request through ISP-X, but the response may come back through ISP-Y. This is normal: IP routing is per-packet and per-direction.
Instead of just acknowledging the last contiguous byte received, SACK tells the sender exactly which ranges arrived. This lets the sender retransmit only the missing segments, not everything after the gap.
TLS wraps data in 'records' of up to 16 KB. Each record is independently encrypted and authenticated with a sequence number to prevent reordering/replay attacks. Decryption verifies the authentication tag, so any tampering is detected.
TCP and QUIC both have flow control: the receiver advertises how much buffer space it has. The sender must not exceed this window. This prevents a fast server from overwhelming a slow client.
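The record protection described above (a per-record sequence number plus an authentication tag), as an added example that is not part of the original page: a simplified TLS 1.3-style record layer in Node.js using AES-256-GCM, with the nonce built from the sequence number as in RFC 8446. The names `Sender`, `Receiver`, `recordNonce`, `header` and `demo`, the random key and IV, and the sample payloads are assumptions constructed for illustration; the handshake, the inner content type byte and alerts are left out.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('crypto');

// Per-record nonce (RFC 8446, section 5.3): 64-bit sequence number,
// left-padded to 12 bytes, XORed with the static IV from the handshake.
function recordNonce(iv, seq) {
  const nonce = Buffer.from(iv);
  const seqBytes = Buffer.alloc(8);
  seqBytes.writeBigUInt64BE(seq);
  for (let i = 0; i < 8; i++) nonce[4 + i] ^= seqBytes[i];
  return nonce;
}
// Record header, also the AEAD additional data: type 23, version 0x0303, length.
function header(len) {
  const h = Buffer.from([23, 3, 3, 0, 0]);
  h.writeUInt16BE(len, 3);
  return h;
}
class Sender {
  constructor(key, iv) { this.key = key; this.iv = iv; this.seq = 0n; }
  seal(plaintext) {
    const c = createCipheriv('aes-256-gcm', this.key, recordNonce(this.iv, this.seq++));
    c.setAAD(header(plaintext.length + 16));
    const body = Buffer.concat([c.update(plaintext), c.final(), c.getAuthTag()]);
    return Buffer.concat([header(body.length), body]);
  }
}
class Receiver {
  constructor(key, iv) { this.key = key; this.iv = iv; this.seq = 0n; }
  // Returns the plaintext, or null when authentication fails. Real TLS instead
  // aborts the connection with a fatal bad_record_mac alert.
  open(record) {
    try {
      const d = createDecipheriv('aes-256-gcm', this.key, recordNonce(this.iv, this.seq));
      d.setAAD(record.subarray(0, 5));
      d.setAuthTag(record.subarray(record.length - 16));
      const pt = Buffer.concat([d.update(record.subarray(5, record.length - 16)), d.final()]);
      this.seq++; // advance only after a record authenticates
      return pt;
    } catch (e) { return null; }
  }
}
function demo() { // key, IV and payloads are constructed sample values
  const key = randomBytes(32), iv = randomBytes(12);
  const tx = new Sender(key, iv), rx = new Receiver(key, iv);
  const [r0, r1] = ['frame A', 'frame B'].map((s) => tx.seal(Buffer.from(s)));
  const flipped = Buffer.from(r0); flipped[5] ^= 1; // one ciphertext bit changed
  return [r1, flipped, r0, r0, r1].map((r) => rx.open(r)); // reorder, tamper, ok, replay, ok
}
console.log(demo().map(String));
```

Because the sequence number never travels in the record and only feeds the nonce, a record presented at the wrong position fails tag verification exactly as a modified one does.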
Deep Dive
The internet's path diversity
Your request and response may traverse completely different physical paths. A request from New York to Tokyo might go NY → Chicago → LA → undersea cable → Tokyo, but the response might come back Tokyo → undersea cable → Seattle → NY. This happens because each AS makes independent routing decisions. It also means latency can differ between request and response. Tools like traceroute (sending packets with incrementing TTL values) reveal the forward path, but not the return path.
TCP fast retransmit
TCP doesn't wait for a timeout to retransmit lost packets. If the sender receives three duplicate ACKs (the receiver acknowledging the same sequence number three times, meaning subsequent segments arrived but one is missing), it immediately retransmits the missing segment. This 'fast retransmit' mechanism recovers from single packet loss in about 1 RTT, instead of waiting for a timeout (typically 200–3000 ms).
Related Specs
Must-know specifications from the Transport and Transport Security layers.
Every HTTPS connection, SMTP/IMAP over TLS, OAuth token exchange, and API call uses TLS. It is the foundational security layer.
A one-line HTTP header that eliminates a class of downgrade attacks. Every public web app should set HSTS.