Theory
TLS: Transport Layer Security
📋 Overview
TLS (Transport Layer Security) is the industry-standard cryptographic protocol designed to provide secure communication over a network. It is the backbone of HTTPS, ensuring that data moving between a client and a server is encrypted, authenticated, and untampered.
🏗️ Core Principles & Characteristics
- The Three Pillars:
- Encryption: Symmetric (fast) and Asymmetric (secure handshake) crypto to hide data.
- Authentication: Using X.509 Digital Certificates to prove the server's identity.
- Integrity: Using Hashing (HMAC) to ensure data hasn't been modified in transit.
- The Hybrid Model: Uses slow Asymmetric encryption (RSA/ECC) to exchange a secret "Session Key," then uses that key for fast Symmetric encryption (AES) during data transfer.
- Perfect Forward Secrecy (PFS): Ensures that even if a server's long-term private key is stolen, past recorded sessions cannot be decrypted.
⚖️ Trade-offs: Pros & Cons
Pros
- Standardized Trust: Built into every modern browser and OS.
- Resiliency: Protects against Man-in-the-Middle (MITM) attacks and eavesdropping.
- Compliance: Required for almost all modern security certifications (SOC2, PCI).
Cons
- Latency Overhead: The handshake adds 1-2 Round Trip Times (RTT) before data can be sent.
- CPU Overhead: Encryption and decryption require significant CPU cycles, especially on the server side.
- Operational Complexity: Managing, renewing, and securing certificates (SPOF) is a constant operational burden.
🌍 Real-World Implementation
- HTTPS: Encrypting all web traffic.
- mTLS (Mutual TLS): Used in Service Meshes (Istio/Linkerd) where both the client and server must provide certificates to prove their identity to each other.
- VPNs & Proxies: Securing tunnels for remote work or internal network communication.
- IoT: Securing lightweight communication between devices and the cloud.
💡 Interview "Gotchas" & Tips
- TLS 1.2 vs. 1.3: Always highlight that TLS 1.3 is faster (1-RTT handshake) and more secure (removes weak ciphers like SHA-1).
- SNI (Server Name Indication): Explain how SNI allows one IP to host multiple HTTPS sites by sending the hostname in the plain-text ClientHello.
- 0-RTT Resumption: A feature of TLS 1.3 where a returning client can send data in the very first packet (sacrificing some anti-replay security for speed).
- Certificate Revocation: Mention CRLs (Certificate Revocation Lists) and OCSP Stapling as ways to check if a certificate is still valid.
📐 Suggested Architecture Primitives
- Certificate Authority (CA): Let's Encrypt or DigiCert.
- Load Balancer (SSL Termination): AWS ALB, Nginx, or HAProxy to handle the TLS handshake at the edge.
- OpenSSL / BoringSSL: The underlying libraries used to implement TLS in most software.
- mTLS: For secure service-to-service communication within a VPC.
Canvas