Internet Security, March 2022

Understanding TLS and How It Secures Your Traffic

Transport Layer Security is the protocol that turns a plain TCP connection into an authenticated, encrypted channel, and almost every secure exchange on a modern network rides on it, HTTPS, mail submission, API traffic, and the control channels of VPNs alike. It delivers three guarantees at once. Confidentiality, because the payload is encrypted, so anyone in the path, a transit provider, a compromised switch, a passive tap, sees only ciphertext. Integrity, because every record carries an authentication tag, so a single modified byte causes the session to fail rather than pass corrupted data through. And authentication, because the server proves its identity with an X.509 certificate chain that the client validates against a trusted root, with the option of mutual authentication where the client presents a certificate of its own. Those three properties are why TLS sits underneath so much of what we operate, and understanding how the handshake establishes them is worth the time for anyone responsible for a network.

Everything TLS provides is negotiated before a single byte of application data moves. In the handshake the two sides agree on a cipher suite, derive shared key material without transmitting it, and verify identity. TLS 1.3, defined in RFC 8446, reduced this to a single round trip and removed the options that made earlier versions fragile, and the sequence is easiest to follow laid out directly.

STEPWHAT HAPPENS
ClientHelloThe client sends its supported cipher suites, the key exchange groups it prefers, and a key share for those groups, so key agreement can begin at once.
ServerHelloThe server selects a suite and a group, returns its own key share, and from this message onward everything is encrypted.
Certificate, CertificateVerifyThe server presents its certificate chain and signs the handshake to prove it holds the matching private key, now under encryption rather than in the clear.
FinishedBoth sides confirm they derived identical keys, and application data flows.

The property that makes the modern handshake matter is forward secrecy. TLS 1.3 mandates ephemeral Diffie-Hellman, ECDHE over curves such as X25519, for every session, so the keys protecting a connection are generated fresh and discarded when it closes. Capturing the traffic today yields nothing even if the server's long term private key is compromised tomorrow, because that key never encrypted the session, it only signed the handshake. This is the direct answer to the old static RSA key exchange, in which the client encrypted the premaster secret to the server's public key, so that any later disclosure of that key exposed every recorded session. TLS 1.3 removed static RSA for exactly this reason, along with the weak constructions that produced a decade of practical attacks, RC4, 3DES, CBC mode ciphers vulnerable to padding oracles, TLS level compression behind CRIME, and renegotiation. What remains is a small set of AEAD suites, AES-GCM and ChaCha20-Poly1305, that encrypt and authenticate in a single operation.

For anyone maintaining infrastructure the version policy is straightforward and worth enforcing. TLS 1.0 and 1.1 are deprecated and carry known weaknesses, and should be disabled at the server and the load balancer. TLS 1.2, defined in RFC 5246, remains safe in practice when it is restricted to AEAD suites with ECDHE key exchange, which rules out the legacy options that make it a liability. TLS 1.3 should be the default for anything new, and its resumption mechanism, including optional 0-RTT early data, deserves understanding before it is enabled, because 0-RTT trades a round trip for a replay exposure that not every application can absorb. TLS is too often treated as a checkbox, a certificate installed once and forgotten, when it is in fact the single control standing between private traffic and everyone able to see the wire. Configuring it deliberately, and revisiting that configuration as the recommendations move, is among the highest leverage actions an operator can take for the security of a system, precisely because it protects everything that passes over it without any further effort from the people it protects. The specification is RFC 8446.