
SSL/TLS

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over networks. They encrypt data in transit, preventing eavesdropping and tampering.

Key Concepts

  • Encryption: Data is unreadable to interceptors
  • Authentication: Certificate validates server identity
  • Integrity: Data cannot be modified without detection
  • HTTPS: HTTP over TLS (port 443)

How TLS Works

1. Client Hello: Supported cipher suites, TLS version
2. Server Hello: Chosen cipher, server certificate
3. Key Exchange: Establish shared secret (Diffie-Hellman)
4. Finished: Encrypted communication begins

Certificate Types

Type               Validation              Trust Level   Use Case
DV (Domain)        Domain control only     Basic         Blogs, small sites
OV (Organization)  Business verification   Medium        Business websites
EV (Extended)      Extensive verification  Highest       Banks, e-commerce

Getting Certificates

Free Options

  • Let's Encrypt: Automated, widely supported
  • AWS Certificate Manager: Free for AWS resources
  • Cloudflare: Free with their CDN
  • DigiCert, Sectigo, GlobalSign: Commercial CAs for OV/EV certificates

What We Like

  • Universal support: All browsers, all platforms
  • Free certificates: Let's Encrypt democratized HTTPS
  • Performance: Modern TLS is fast (TLS 1.3)
  • SEO benefit: Google prefers HTTPS sites

What We Don't Like

  • Certificate management: Expiration, renewal, deployment
  • Mixed content: HTTP resources on HTTPS pages break
  • Inspection challenges: Encrypted traffic harder to debug

Configuration Best Practices

  • TLS 1.2 or 1.3 only (disable older versions)
  • Strong cipher suites (ECDHE, AES-GCM)
  • HSTS (HTTP Strict Transport Security)
  • OCSP Stapling for faster validation

Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
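To make the practices above and the HSTS header checkable rather than just a list, here is an added example (not code from the original page) that lints a deployment's Strict-Transport-Security value and its protocol/cipher list offline. Directive handling follows RFC 6797, the preload rules assume the hstspreload.org submission requirements (one-year max-age, includeSubDomains, preload), and the cipher checks assume OpenSSL-style suite names.

```python
"""Offline lint of a TLS deployment against this page's checklist."""

ONE_YEAR = 31536000  # seconds; the max-age the page recommends


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797), so they are lowered;
    valueless directives such as includeSubDomains map to None."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts(header: str) -> list:
    """Return findings; an empty list means the header meets the checklist."""
    d = parse_hsts(header)
    findings = []
    raw = d.get("max-age")
    age = int(raw) if raw is not None and raw.isdigit() else None
    if age is None:
        findings.append("max-age missing or not numeric")
    elif age == 0:
        findings.append("max-age=0 turns HSTS off")  # browsers drop the policy
    elif age < ONE_YEAR:
        findings.append(f"max-age {age} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" in d and (age is None or age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload set but preload-list requirements not met")
    return findings


def check_tls(versions, ciphers) -> list:
    """Flag legacy protocol versions and cipher suites without
    ECDHE forward secrecy or an AEAD mode (GCM / ChaCha20-Poly1305)."""
    findings = [f"legacy protocol enabled: {v}" for v in versions
                if v not in ("TLSv1.2", "TLSv1.3")]
    for c in ciphers:
        if not c.startswith(("ECDHE-", "TLS_")):  # TLS 1.3 suites (TLS_*) always use ECDHE
            findings.append(f"no forward secrecy: {c}")
        elif "GCM" not in c and "CHACHA20" not in c:
            findings.append(f"non-AEAD cipher: {c}")
    return findings


if __name__ == "__main__":  # constructed sample input, not a real server
    print(check_hsts("max-age=300"))
    print(check_tls(["TLSv1.0", "TLSv1.2"], ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]))
```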

AWS Implementation

  • CloudFront: SSL termination at edge
  • ALB/NLB: SSL termination at load balancer
  • ACM: Free certificate management
  • Route 53: DNS for certificate validation

Checklist

  1. ✅ Use TLS 1.2+ only
  2. ✅ Enable HSTS
  3. ✅ Automate certificate renewal
  4. ✅ Redirect HTTP to HTTPS
  5. ✅ Use strong cipher suites
  6. ✅ Test with SSL Labs (ssllabs.com)