How TLS turns a best-effort, eavesdroppable connection into one that is confidential, tamper-evident, and authenticated — and the certificate and PKI machinery that makes "authenticated" mean something.
Everything in the previous chapters assumed the network was an honest pipe. It is not. Any node on the path — a router, a coffee-shop access point, a compromised ISP — can read every byte of a plaintext HTTP request, alter it in flight, or impersonate the server you meant to reach. TLS is the layer that closes all three holes at once, and HTTPS is nothing more than HTTP carried inside a TLS session on port 443.
This chapter follows the trust outward. It starts with the three guarantees TLS actually provides and the hybrid cryptography behind them, walks through the handshake where a session key is negotiated in one round trip on TLS 1.3, then turns to the certificates that bind a public key to a domain and the chain of trust that validates them. From there it covers the public-key infrastructure that issues and revokes certificates at internet scale, and ends with mutual TLS — where the client proves its identity too — and the automation that keeps certificates from expiring at 3am.