What TLS protects, and where it fits

TLS (Transport Layer Security), defined in RFC 8446 for version 1.3, sits between the transport layer and the application layer in the common HTTPS over TCP case. The application sends data to TLS. TLS encrypts and authenticates it. TCP carries the ciphertext.

In HTTP/3, TLS 1.3 is integrated into the QUIC handshake. The cryptographic handshake is not separate from the transport handshake. This means QUIC achieves an encrypted connection in fewer round trips than TCP plus TLS 1.3 separately.

TLS provides three properties once the handshake completes. Confidentiality: the data is encrypted and not readable by observers. Integrity: data cannot be modified in transit without detection. Authentication: one or both peers prove their identity via certificates. The most common case authenticates the server only. mTLS (mutual TLS) authenticates both peers.

TLS 1.3 reduced the handshake to one round trip (1-RTT). The client sends a ClientHello with supported cipher suites and key share data. The server responds with a ServerHello, its key share, a certificate, and a certificate verify message in a single flight. After the client validates the certificate and verifies the server's signature, the handshake is complete and application data can flow.

TLS 1.2 required two round trips for a full handshake. The reduction to 1-RTT in TLS 1.3 was achieved partly by removing insecure cipher suites that required additional negotiation messages and by making key exchange part of the initial hello.

For repeat connections, TLS 1.3 supports 0-RTT (zero round-trip) resumption using a pre-shared session ticket. The client can send application data in the first message, before the handshake completes. This is fast but has a replay caveat: 0-RTT data is vulnerable to replay attacks, so it should only be used for requests that are safe to replay (GET requests, not POST requests with side effects).

A TLS certificate binds a public key to an identity (a hostname) and is signed by a certificate authority (CA). When a client receives a server's certificate, it validates the chain: the certificate was signed by an intermediate CA, which was signed by a root CA that the client's trust store considers authoritative.

Validation checks include: the hostname in the certificate matches the hostname in the request (Subject Alternative Names), the certificate has not expired, the certificate has not been revoked (checked via CRL or OCSP), and the cryptographic signature is valid.

Certificate Transparency (CT), defined in RFC 6962, adds an audit log requirement. CAs must submit certificates to public, append-only logs. Browsers can require proof that a certificate appears in at least two CT logs before trusting it. This allows domain owners and security researchers to detect misissued certificates.

Forward secrecy (more precisely, forward secrecy is sometimes called perfect forward secrecy or PFS) means that the compromise of long-term keys does not expose past session recordings. TLS 1.3 requires forward secrecy. Every handshake uses ephemeral key exchange (ECDHE, elliptic curve Diffie-Hellman ephemeral), meaning a fresh key pair is generated for each session and discarded afterwards.

TLS 1.2 allowed non-forward-secret cipher suites using RSA key exchange. If an attacker recorded encrypted TLS 1.2 traffic and later obtained the server's private key, they could decrypt all recorded sessions. TLS 1.3 removes this risk by mandating ephemeral key exchange.

mTLS (mutual TLS) is TLS where both the client and server present certificates. The server validates the client certificate, not just the server certificate. This is used for service-to-service authentication in internal systems and API authentication where you want cryptographic proof of caller identity.