SYS ARCHITECTLearning Platform
Settings
Theory

TLS: Transport Layer Security

📋 Overview

TLS (Transport Layer Security) is the industry-standard cryptographic protocol designed to provide secure communication over a network. It is the backbone of HTTPS, ensuring that data moving between a client and a server is encrypted, authenticated, and untampered.


🏗️ Core Principles & Characteristics

  • The Three Pillars:
    1. Encryption: Symmetric (fast) and Asymmetric (secure handshake) crypto to hide data.
    2. Authentication: Using X.509 Digital Certificates to prove the server's identity.
    3. Integrity: Using Hashing (HMAC) to ensure data hasn't been modified in transit.
  • The Hybrid Model: Uses slow Asymmetric encryption (RSA/ECC) to exchange a secret "Session Key," then uses that key for fast Symmetric encryption (AES) during data transfer.
  • Perfect Forward Secrecy (PFS): Ensures that even if a server's long-term private key is stolen, past recorded sessions cannot be decrypted.

⚖️ Trade-offs: Pros & Cons

Pros

  • Standardized Trust: Built into every modern browser and OS.
  • Resiliency: Protects against Man-in-the-Middle (MITM) attacks and eavesdropping.
  • Compliance: Required for almost all modern security certifications (SOC2, PCI).

Cons

  • Latency Overhead: The handshake adds 1-2 Round Trip Times (RTT) before data can be sent.
  • CPU Overhead: Encryption and decryption require significant CPU cycles, especially on the server side.
  • Operational Complexity: Managing, renewing, and securing certificates (SPOF) is a constant operational burden.

🌍 Real-World Implementation

  • HTTPS: Encrypting all web traffic.
  • mTLS (Mutual TLS): Used in Service Meshes (Istio/Linkerd) where both the client and server must provide certificates to prove their identity to each other.
  • VPNs & Proxies: Securing tunnels for remote work or internal network communication.
  • IoT: Securing lightweight communication between devices and the cloud.

💡 Interview "Gotchas" & Tips

  • TLS 1.2 vs. 1.3: Always highlight that TLS 1.3 is faster (1-RTT handshake) and more secure (removes weak ciphers like SHA-1).
  • SNI (Server Name Indication): Explain how SNI allows one IP to host multiple HTTPS sites by sending the hostname in the plain-text ClientHello.
  • 0-RTT Resumption: A feature of TLS 1.3 where a returning client can send data in the very first packet (sacrificing some anti-replay security for speed).
  • Certificate Revocation: Mention CRLs (Certificate Revocation Lists) and OCSP Stapling as ways to check if a certificate is still valid.

📐 Suggested Architecture Primitives

  • Certificate Authority (CA): Let's Encrypt or DigiCert.
  • Load Balancer (SSL Termination): AWS ALB, Nginx, or HAProxy to handle the TLS handshake at the edge.
  • OpenSSL / BoringSSL: The underlying libraries used to implement TLS in most software.
  • mTLS: For secure service-to-service communication within a VPC.
Canvas