1. What is TLS and what problem does it solve? TLS (Transport Layer Security) is a protocol that provides confidentiality, integrity, and authentication for internet communications. It encrypts data in transit so eavesdroppers can't read it, detects tampering, and verifies the identity of the server (and optionally the client).
2. What's the difference between SSL and TLS? SSL (Secure Sockets Layer) is the predecessor to TLS. SSL 3.0 was the last SSL version; TLS 1.0 was its successor. All SSL versions are deprecated and insecure. When people say "SSL," they usually mean TLS.
3. What are the three security properties TLS provides? Confidentiality (encryption), integrity (tamper detection via a MAC or, in AEAD suites, the authentication tag), and authentication (server identity verification via certificates; client identity too when mTLS is used).
4. What's the difference between symmetric and asymmetric encryption? Symmetric uses one key for both encryption and decryption (fast, used for bulk data). Asymmetric uses a key pair: the public key encrypts and the private key decrypts, or the private key signs and the public key verifies (slow, used for key exchange and signatures).
5. Why does TLS use both symmetric and asymmetric encryption? Asymmetric encryption is too slow for bulk data. TLS uses asymmetric crypto during the handshake to establish a shared secret, then switches to fast symmetric encryption (AES) for the actual data.
6. What role do certificates play in TLS? The server presents a certificate during the handshake to prove its identity. The certificate binds the server's public key to its domain name, signed by a trusted Certificate Authority. The client verifies the signature and checks the domain matches. For certificate deep dives, see PKI From First Principles.
7. What happens if the certificate doesn't match the domain? The client rejects the connection. The browser shows a domain mismatch error. The SAN (Subject Alternative Name) extension in the certificate must include the domain the client is connecting to.
8. Why does the server send intermediate certificates during the handshake? The client's trust store only contains root CA certificates. The server's leaf certificate is signed by an intermediate CA, not the root directly. The server must send the intermediate(s) so the client can build the chain from leaf to root. A missing intermediate is a common misconfiguration: it often still works in browsers, which cache intermediates or fetch them via the AIA URL, but fails in curl, Java, and other OpenSSL-style clients with "unable to get local issuer certificate".
9. What is a cipher suite? A combination of algorithms for key exchange, authentication, bulk encryption, and hashing. Example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
10. What is forward secrecy? The property that compromising a server's long-term private key doesn't allow decryption of past sessions. Achieved by using ephemeral key exchange (ECDHE) where session keys are generated fresh and discarded.
11. Why was RSA key exchange removed in TLS 1.3? No forward secrecy. If the server's RSA private key is compromised, all past recorded traffic can be decrypted.
12. What is AEAD and why does it matter? Authenticated Encryption with Associated Data. Combines encryption and integrity in one operation (e.g., AES-GCM, ChaCha20-Poly1305), with the record header authenticated as the associated data. It replaces TLS 1.2's MAC-then-encrypt CBC construction, whose padding handling enabled padding oracle attacks such as Lucky 13 and POODLE.
13. What cipher suites does TLS 1.3 support? Only five: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256. All are AEAD. TLS_AES_128_GCM_SHA256 is the only mandatory-to-implement suite; the two CCM suites target constrained devices.
14. How many round trips does the TLS 1.2 handshake take? Two round trips before encrypted data can flow.
15. How many round trips does the TLS 1.3 handshake take? One round trip. The client sends key shares upfront in the ClientHello.
16. What is 0-RTT in TLS 1.3? Zero round trip time resumption. The client sends encrypted application data in the first message using a pre-shared key from a previous session. Vulnerable to replay attacks, so a server must only accept 0-RTT data for requests that are safe to replay (idempotent requests such as GET).
17. What is the purpose of the Finished message? It carries a MAC over the transcript hash of all preceding handshake messages, keyed with a secret derived from the new session keys (TLS 1.2 uses the PRF; TLS 1.3 uses HMAC with a "finished" key). Verifies that both sides saw the same handshake (detects tampering/downgrade attacks) and that both derived the same keys.
18. What happens during certificate validation? The browser checks: signature validity, expiration dates, domain name match (SAN), certificate chain to a trusted root, and revocation status.
19. What is SNI and why is it needed? Server Name Indication. The client includes the desired hostname in the ClientHello so the server knows which certificate to present. Essential for virtual hosting (multiple sites on one IP).
20. What is ALPN? Application-Layer Protocol Negotiation. Client and server agree on the application protocol (HTTP/1.1, HTTP/2) during the TLS handshake. Required for HTTP/2.
21. What is OCSP stapling? The server fetches its own OCSP response from the CA and includes it in the TLS handshake. Eliminates the client's need to contact the CA, improving privacy and performance.
22. What is a man-in-the-middle attack on TLS? An attacker intercepts the connection, establishes separate TLS sessions with client and server, and relays traffic. Prevented by certificate validation: the attacker can't forge a certificate that chains to a CA the client trusts, unless the client skips validation or the attacker controls a trusted CA (for example a corporate interception root installed on the device).
23. What is a downgrade attack? An attacker modifies the ClientHello to force weaker cipher suites or older TLS versions. Prevented by the Finished message hash, which covers the original ClientHello, and by TLS 1.3's downgrade sentinel: a 1.3-capable server that ends up negotiating 1.2 or lower sets the last 8 bytes of ServerHello.random to a fixed value, which a 1.3-capable client treats as a fatal error.
24. What was Heartbleed? CVE-2014-0160, a bug in OpenSSL's implementation of the Heartbeat extension (RFC 6520): a missing bounds check let any peer read up to 64 KB of process memory per request, including private keys and session data. Not a protocol flaw, an implementation bug.
25. What is HSTS? HTTP Strict Transport Security. A header that tells browsers to always use HTTPS for a domain, preventing SSL stripping attacks.
26. What is Certificate Transparency? A system of public, append-only logs where CAs must record every certificate they issue. Allows domain owners to detect unauthorized certificates.
27. What is mTLS? Mutual TLS. Both client and server present certificates and prove their identity. Used for service-to-service authentication, API security, and zero trust architectures.
28. What is the purpose of the ServerKeyExchange message in TLS 1.2? It carries the serverâs ephemeral Diffie-Hellman public value and a signature over it. The signature proves the DH parameters came from the legitimate server, preventing man-in-the-middle injection.
29. Why does TLS 1.3 send key shares in the ClientHello? To eliminate a round trip. The client guesses which key exchange groups the server will accept and sends its public values upfront. If the server supports one of them, the handshake completes in one round trip instead of two; if not, it replies with HelloRetryRequest naming a group it accepts, and the handshake costs one extra round trip.
30. What is the difference between RSA key exchange and ECDHE in TLS 1.2? RSA key exchange has the client encrypt a pre-master secret with the serverâs RSA public key. No forward secrecy. ECDHE uses ephemeral Diffie-Hellman, generating fresh keys per session. Forward secrecy. TLS 1.3 removed RSA key exchange entirely.
31. What is the ChangeCipherSpec message? A TLS 1.2 message signaling the switch from unencrypted to encrypted communication. It's a single byte. TLS 1.3 removed it (sends a dummy one for middlebox compatibility).
32. What is the record layer in TLS? TLS wraps all data in records with a 5-byte header (content type, version, length) and payload. Records are the unit of encryption and integrity. Maximum plaintext per record is 2^14 bytes (16 KiB). In TLS 1.3, the real content type is hidden inside the encrypted payload and the outer header always claims application_data.
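Added example (not code from the original page) that does at the byte level what Q19, Q20, Q23, Q29 and Q32 describe: it builds one TLS record carrying a TLS 1.3 ClientHello with SNI, ALPN, supported_versions and an X25519 key_share, parses it back through the record, handshake and extension layers, and checks a ServerHello.random for the downgrade sentinel. The hostname, ALPN list, key-share bytes and client random are constructed sample values, and the function names are this example's own; no network is involved.

```python
import struct
from typing import Dict, List, Optional

# Extension type numbers from the IANA "TLS ExtensionType Values" registry.
EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_ALPN = 16
EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51
X25519 = 0x001D
TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
                0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
# Suffixes a TLS 1.3 server writes into ServerHello.random when it negotiates an older version.
DOWNGRADE_SENTINELS = {bytes.fromhex("444F574E47524401"): "TLS 1.2",
                       bytes.fromhex("444F574E47524400"): "TLS 1.1 or below"}


def _vec(payload: bytes, width: int) -> bytes:
    """Length-prefixed vector: `width`-byte big-endian length, then the payload."""
    return len(payload).to_bytes(width, "big") + payload


def build_client_hello(hostname: str, alpn: List[str], x25519_pub: bytes,
                       client_random: bytes = bytes(32)) -> bytes:
    """Return one handshake record carrying a TLS 1.3 ClientHello (constructed sample).
    A real client uses 32 random bytes and a fresh ephemeral X25519 public key;
    here both are caller-supplied so the output is deterministic."""
    sni = _vec(b"\x00" + _vec(hostname.encode("ascii"), 2), 2)       # name_type 0 = host_name
    alpn_list = _vec(b"".join(_vec(p.encode("ascii"), 1) for p in alpn), 2)
    versions = _vec(b"\x03\x04", 1)                                   # offer TLS 1.3 only
    groups = _vec(struct.pack("!H", X25519), 2)
    key_share = _vec(struct.pack("!H", X25519) + _vec(x25519_pub, 2), 2)
    exts = b"".join(struct.pack("!H", t) + _vec(body, 2) for t, body in [
        (EXT_SERVER_NAME, sni), (EXT_SUPPORTED_GROUPS, groups), (EXT_ALPN, alpn_list),
        (EXT_SUPPORTED_VERSIONS, versions), (EXT_KEY_SHARE, key_share)])
    suites = b"".join(struct.pack("!H", s) for s in TLS13_SUITES)
    body = (b"\x03\x03" + client_random + _vec(b"", 1)   # legacy_version, random, empty session_id
            + _vec(suites, 2) + _vec(b"\x00", 1)          # cipher_suites, null compression only
            + _vec(exts, 2))
    handshake = b"\x01" + _vec(body, 3)                   # HandshakeType client_hello(1), 3-byte length
    return b"\x16\x03\x01" + _vec(handshake, 2)           # ContentType handshake(22), legacy_record_version


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Walk the record header, handshake header and ClientHello body, collecting the
    fields a server needs before it can pick a certificate and application protocol."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_len = struct.unpack("!H", record[3:5])[0]
    if record_len > 2 ** 14:
        raise ValueError("record payload exceeds the 2^14-byte limit")
    if len(record) != 5 + record_len:
        raise ValueError("truncated or overlong record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                                     # legacy_version + random
    p += 1 + body[p]                                               # legacy_session_id
    n = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + body[p]                                               # legacy_compression_methods
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
    out = {"record_version": record[1:3].hex(), "cipher_suites": suites,
           "sni": None, "alpn": [], "supported_versions": [], "key_shares": {}}
    while p < ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        e = body[p:p + elen]; p += elen
        if etype == EXT_SERVER_NAME:                               # list_len(2) type(1) name_len(2) name
            out["sni"] = e[5:5 + struct.unpack("!H", e[3:5])[0]].decode("ascii")
        elif etype == EXT_ALPN:                                    # list_len(2) then (len(1) name)*
            q = 2
            while q < len(e):
                out["alpn"].append(e[q + 1:q + 1 + e[q]].decode("ascii")); q += 1 + e[q]
        elif etype == EXT_SUPPORTED_VERSIONS:                      # len(1) then 2-byte versions
            out["supported_versions"] = [e[i:i + 2].hex() for i in range(1, 1 + e[0], 2)]
        elif etype == EXT_KEY_SHARE:                               # list_len(2) then (group(2) len(2) key)*
            q = 2
            while q < len(e):
                group, klen = struct.unpack("!HH", e[q:q + 4])
                out["key_shares"][group] = e[q + 4:q + 4 + klen]; q += 4 + klen
    return out


def downgrade_sentinel(server_random: bytes) -> Optional[str]:
    """Which downgrade marker, if any, sits in the last 8 bytes of ServerHello.random."""
    return DOWNGRADE_SENTINELS.get(server_random[-8:])


if __name__ == "__main__":
    record = build_client_hello("example.com", ["h2", "http/1.1"], b"\x11" * 32)
    print(record[:5].hex(), "<- record header: type 22, legacy version 0301, length")
    for field, value in parse_client_hello(record).items():
        print(f"{field:20s} {value}")
    print("sentinel:", downgrade_sentinel(bytes(24) + bytes.fromhex("444F574E47524401")))
```

The parsed fields are exactly the ones the server consumes in order: SNI to pick the certificate, supported_versions and key_shares to decide whether it can finish in one round trip or must send HelloRetryRequest, and ALPN to pick h2 or http/1.1. The same 5-byte header is what openssl s_client -msg and Wireshark dissect first.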
33. What is the difference between session IDs and session tickets? Session IDs require the server to store session state in memory. Session tickets encrypt the session state and send it to the client, so the server stores nothing. Tickets scale better but the ticket encryption key is a forward secrecy risk if not rotated.
34. What is the TLS 1.3 key schedule? A structured key derivation process using HKDF. Derives keys in three stages (Early Secret, Handshake Secret, Master Secret), each incorporating more information.
35. What is a session ticket? Encrypted session state sent to the client. On reconnection, the client sends it back, and the server decrypts it to resume the session without a full handshake.
36. Why does TLS 1.3 encrypt the server certificate? To prevent eavesdroppers from seeing which website the user is connecting to (beyond the SNI, which is still visible in plain text).
37. What is Encrypted Client Hello (ECH)? An emerging standard that encrypts the SNI and other sensitive ClientHello fields, preventing eavesdroppers from seeing which hostname the client is requesting.
38. What is the difference between ECDHE and DHE? Both provide ephemeral key exchange with forward secrecy. ECDHE uses elliptic curves (smaller keys, faster). DHE uses classic modular arithmetic (larger keys, slower).
39. How do quantum computers threaten TLS? Shor's algorithm breaks RSA, ECDHE, and ECDSA. An attacker with a quantum computer could break key exchange (decrypt traffic) and forge signatures (impersonate servers).
40. What is harvest now, decrypt later? Attackers record encrypted traffic today, planning to decrypt it when quantum computers become available. Data with long-term sensitivity is already at risk.
41. What is hybrid key exchange? Combining a classical key exchange (X25519) with a post-quantum key exchange (ML-KEM) in the same TLS handshake. Both must be broken to compromise the session.
42. What is crypto agility? The ability to swap cryptographic algorithms without redesigning systems. Essential for surviving the quantum transition and future algorithm deprecations.
43. Is AES broken by quantum computers? Not broken, but weakened. Grover's algorithm halves the effective key strength on paper: AES-256 becomes roughly AES-128 equivalent, which is still secure, while AES-128 drops to roughly 64-bit equivalent, which is not considered adequate for long-term protection. In practice Grover's search is sequential and far costlier than the headline number suggests, but AES-256 is the safe choice for data that must stay confidential for decades.
44. How do you check a serverâs TLS configuration? Use SSL Labs (ssllabs.com), testssl.sh, nmap ssl-enum-ciphers, or openssl s_client.
45. What does openssl s_client show you? The negotiated TLS version, cipher suite, server certificate chain, session details, and any errors. Itâs the primary command-line tool for debugging TLS connections.
46. What is HSTS and why does it matter? HTTP Strict Transport Security. A response header that tells browsers to always use HTTPS for a domain. Prevents SSL stripping attacks where an attacker downgrades HTTPS to HTTP.
47. What happens if a client and server have no cipher suites in common? The handshake fails with a "handshake_failure" alert. The server cannot pick a cipher suite from the client's list. Usually caused by misconfiguration or version mismatch.
48. What is the recommended minimum TLS configuration today? TLS 1.2 minimum (TLS 1.3 preferred), ECDHE key exchange only, AES-GCM or ChaCha20-Poly1305 encryption, SHA-256+ hashing, no CBC, no RSA key exchange, HSTS enabled.
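Added example (not code from the original page) that ties Q9, Q10, Q12, Q47 and Q48 together: it parses IANA-style cipher-suite names into their key-exchange, authentication, cipher and hash roles, reports what the minimum configuration above forbids, and mimics suite selection, returning None where a real server would send a handshake_failure alert. The client and server lists are constructed samples and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# The five TLS 1.3 suites (RFC 8446).  Key exchange and authentication are negotiated
# separately in 1.3, so the name carries only the AEAD cipher and the HKDF hash.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}

# TLS 1.2-style names: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>
_TLS12_NAME = re.compile(
    r"^TLS_(?P<kx>[A-Z]+)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?"
    r"_WITH_(?P<cipher>.+)_(?P<hash>SHA|SHA256|SHA384|MD5)$")

AEAD_SUFFIXES = ("_GCM", "_POLY1305", "_CCM", "_CCM_8")


def parse_suite(name: str) -> Dict[str, object]:
    """Split a cipher-suite name into its algorithm roles and security properties."""
    if name in TLS13_SUITES:
        cipher, hash_ = name[4:].rsplit("_", 1)
        return {"name": name, "version": "1.3", "kx": "(EC)DHE or PSK via key_share",
                "auth": "certificate or PSK", "cipher": cipher, "hash": hash_,
                "forward_secrecy": True, "aead": True}
    m = _TLS12_NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth, cipher, hash_ = m.group("kx", "auth", "cipher", "hash")
    return {"name": name, "version": "1.2", "kx": kx,
            "auth": auth or kx,          # TLS_RSA_WITH_...: RSA key transport also authenticates
            "cipher": cipher, "hash": hash_,
            "forward_secrecy": kx in ("ECDHE", "DHE"),   # static RSA/DH/ECDH: none
            "aead": cipher.endswith(AEAD_SUFFIXES)}


def policy_violations(name: str) -> List[str]:
    """Check one suite against the minimum configuration above (Q48); [] means acceptable."""
    s = parse_suite(name)
    problems = []
    if not s["forward_secrecy"]:
        problems.append(f"static {s['kx']} key exchange: no forward secrecy")
    if not s["aead"]:
        problems.append(f"non-AEAD cipher {s['cipher']} (CBC/stream + separate MAC)")
    if s["cipher"] == "NULL" or any(w in s["cipher"] for w in ("RC4", "DES", "EXPORT")):
        problems.append(f"broken or weak cipher {s['cipher']}")
    if s["hash"] in ("SHA", "MD5"):
        problems.append(f"weak PRF/MAC hash {s['hash']}")
    if s["auth"] == "anon":
        problems.append("anonymous suite: no server authentication")
    return problems


def negotiate(client_offer: List[str], server_allowed: List[str],
              honor_server_order: bool = True) -> Optional[str]:
    """Pick the first suite both sides accept; None means handshake_failure."""
    primary, secondary = ((server_allowed, client_offer) if honor_server_order
                          else (client_offer, server_allowed))
    return next((s for s in primary if s in secondary), None)


if __name__ == "__main__":
    # Constructed sample lists, not a real capture.
    legacy_client = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    hardened_server = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                       "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                       "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    for suite in legacy_client + hardened_server:
        print(f"{suite:45s} {policy_violations(suite) or 'OK'}")
    chosen = negotiate(legacy_client, hardened_server)
    print("negotiated:", chosen if chosen else "nothing in common -> handshake_failure")
```

The negotiation helper is also the quickest way to reason about a "handshake_failure" report: feed it the client's offered list (from a ClientHello capture or the openssl s_client -cipher argument) and the server's allowed list, and an empty intersection reproduces the alert without touching the network.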