Module 9 - Security

TLS/SSL & HTTPS

The padlock in your browser-how data stays private over the internet.

1The Sealed Envelope Analogy

Simple Analogy
HTTP is like a postcard-anyone handling it can read it. HTTPS is like a sealed envelope-even if someone intercepts it, they can't read the contents. TLS creates that sealed envelope using encryption.

TLS (Transport Layer Security) encrypts data between client and server. HTTPS = HTTP + TLS. SSL is the old, deprecated predecessor.

2TLS Handshake

Before encrypted communication, client and server agree on encryption:

1
Client Hello
Client sends supported TLS versions and cipher suites
2
Server Hello
Server chooses TLS version and cipher suite, sends certificate
3
Certificate Verification
Client verifies certificate is signed by trusted CA
4
Key Exchange
Client and server generate shared secret (session key)
5
Encrypted Communication
All data encrypted with session key

TLS 1.3 reduced handshake to 1 round trip (1-RTT). TLS 1.2 took 2 round trips. Even faster: 0-RTT resumption.

3Certificates

What's in a Certificate?

  • Domain name (CN)
  • Public key
  • Issuer (CA)
  • Expiration date
  • Digital signature

Certificate Chain

  • Root CA (trusted by browsers)
  • Intermediate CA (signs server certs)
  • Server certificate (your domain)

Let's Encrypt

Free, automated. 90-day certs. Most popular.

DigiCert / Comodo

Paid, longer validity, support, warranties.

4TLS Versions

VersionStatusNotes
SSL 2.0/3.0DeprecatedBroken. Never use.
TLS 1.0/1.1DeprecatedVulnerabilities. Disable.
TLS 1.2CurrentWidely supported. Still secure.
TLS 1.3ModernFaster, more secure. Use if possible.

5Common Issues

Mixed Content

HTTPS page loads HTTP resources. Browser blocks or warns.

Fix: Use HTTPS for all resources. Use protocol-relative URLs.

Certificate Expired

Users see scary warning. Site loses trust.

Fix: Automate renewal with Let's Encrypt + certbot.

Certificate Mismatch

Certificate for wrong domain.

Fix: Ensure CN/SAN matches your domain exactly.

Weak Cipher Suites

Old ciphers are breakable.

Fix: Configure server to use only strong ciphers.

6Best Practices

Enable HSTS

Force HTTPS. Browser remembers and never uses HTTP.

Use TLS 1.2+ Only

Disable TLS 1.0, 1.1, and all SSL versions.

Automate Certificate Renewal

Let's Encrypt + certbot. No manual intervention.

Enable OCSP Stapling

Server provides certificate validity. Faster, more private.

7Key Takeaways

1TLS encrypts data in transit. HTTPS = HTTP + TLS.
2Certificates prove server identity. Signed by trusted CAs.
3Use TLS 1.2+. TLS 1.3 is faster and more secure.
4Let's Encrypt: free, automated certs. No excuses for HTTP.
5Enable HSTS to force HTTPS and prevent downgrade attacks.

?Quiz

1. Browser shows 'Not Secure'. Most likely cause?

2. TLS 1.3 is faster because: