by wolf550e 1849 days ago
Even in the 90s, SSL (and PGP) used hybrid encryption. The data is encrypted (and authenticated) using symmetric primitives and the symmetric keys are exchanged or established using asymmetric cryptography. Asymmetric cryptography is also used to authenticate the counterparty.

RSA encryption was popular for SSL/TLS but because it does provide forward secrecy it was deprecated. These days RSA is only used in digital signatures (which are not encryption) while key exchange is done using Diffie-Hellman (specifically ECDHE).

CBC mode cipher suites used to add up to 8 bytes of padding (for deprecated 3DES) and up to 16 bytes of padding for AES, but the MAC-then-encrypt TLS construction turned out to be very hard to implement correctly, so TLS 1.3 only allows modes based on CTR (AES-GCM, CCM and ChaCha20-Poly1305), so not even minimal padding is done.

2 comments

"These days RSA is only used in digital signatures (which are not encryption)"

AFAIK digital signatures are created by encrypting the hash of the plaintext (be it content of the certificate or a message or whatnot). But yeah, RSA isn't really used for key exchanges due to it lacking forward secrecy. There are exceptions to this unfortunately, such as Apple's iMessage which is decades behind in cryptographic innovation.

Please don't repeat terrible 90s pedagogy about RSA. Even in RSA, the padding for signatures and for encryption is different (for very important reasons). The fact that RSA encryption and RSA signatures share code (but are not identical) is just a quirk of RSA that instead of making the thing simpler to explain made it harder to explain well - people think this generalizes and try to understand where the encryption is in Ed25519 or whatever and are very confused.

If you want to point out the difference between "public key operation" (encrypt, verify) and "private key operation" (decrypt, sign), use those terms. That makes sense and the distinction is important.

People end up with basically misinformation in their heads and other people on Stack Overflow (and IRL) spend lots of time trying to sort them out. You just made the problem a little worse. Please don't do that.

Here is an actual cryptographer explaining: https://security.stackexchange.com/a/87373/70830
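The distinction drawn in the reply above, as an added example (not code from the thread): PKCS#1 v1.5 signing and encryption share the raw private-key and public-key operations but pad their input differently. The toy key built from two Mersenne primes and all function names are assumptions made for this demo.

```python
import hashlib
import secrets

# Constructed toy key from two Mersenne primes: fine for a demo, insecure in practice.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # needs Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def pad_for_signature(msg):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(hash). Deterministic."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def pad_for_encryption(msg):
    """RSAES-PKCS1-v1_5: 00 02 <random nonzero bytes> 00 msg. Randomized."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def private_op(block):                 # shared by sign and decrypt
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")

def public_op(block):                  # shared by verify and encrypt
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")

def sign(msg):
    return private_op(pad_for_signature(msg))

def verify(msg, sig):
    # Re-encode the expected block and compare; nothing is "decrypted".
    return secrets.compare_digest(public_op(sig), pad_for_signature(msg))

def encrypt(msg):
    return public_op(pad_for_encryption(msg))

def decrypt(ct):
    em = private_op(ct)
    sep = em.find(b"\x00", 2)
    # Demo only: real code must not reveal padding failures (Bleichenbacher).
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("not an encryption block")
    return em[sep + 1:]
```

A block padded for signing and pushed through `public_op` is rejected by `decrypt`, because the block type byte is 01 rather than 02.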

> RSA encryption was popular for SSL/TLS but because it does provide forward secrecy it was deprecated.

s/does/doesn't/ there.