← Study Notes DevOps


DevOps

SSL/TLS

The protocol that encrypts data in transit and authenticates the server with certificates — the padlock behind HTTPS — guarding against eavesdropping and tampering. Certificates are now free and automated via Let's Encrypt and ACME. Modern practice is TLS 1.2/1.3 only, HSTS, and auto-renewal so certificates never silently expire.


Purpose

TLS (the successor to SSL) encrypts traffic in transit and authenticates the server via certificates issued by trusted authorities — the padlock behind HTTPS. It guarantees that what you send cannot be read or tampered with en route, and that you are talking to the site you think you are.

When to Use It

Everything: browsers mark plain HTTP as insecure, APIs require it, and modern web features (HTTP/2, service workers, many browser APIs) are HTTPS-only. Internally, service-to-service TLS (often mutual TLS in a mesh) extends the same guarantees inside the network.

Trade-offs

The operational burden has collapsed — Let's Encrypt and the ACME protocol made certificates free and automatable — leaving expiry as the classic self-inflicted outage: a certificate someone forgot to renew. Old protocol versions and weak ciphers must be disabled deliberately.

Implementation

Automate issuance and renewal (Caddy does it natively; certbot or cloud-managed certs elsewhere). Allow only TLS 1.2/1.3, redirect HTTP to HTTPS, and send HSTS so browsers never downgrade. Monitor expiry dates externally — the renewal job failing silently is the failure mode that matters.