Comments by "Lawrence D’Oliveiro" (@lawrencedoliveiro9104) on the ByteByteGo video "SSL, TLS, HTTPS Explained".
@alexandermiasoiedov6637 TLS is resistant to MITM attacks, because key-pair encryption ensures that what is encrypted at one end can only be decrypted at the other end.
7
The client has a list of CA certs that it trusts, so it will accept any server cert that is signed by one of them. TLS can also be used for two-way authentication. Also for secure communication between different parts of your own organization, you can create your own CA cert and install that at the endpoints so they can trust each other.
6
To ensure that the server you are connecting to is really who they say they are.
1
Encryption really just adds processing time at the endpoints, which should be minimal overhead on today’s fast CPUs. In terms of protocol bandwidth overhead, it shouldn’t be large.
1
Seems like the answer is “for as long as necessary”. As far as I can tell, in TLS 1.3 they don’t see any point in forcing expiry of any session keys before they have to -- there is no security gain in doing so.
1
HTTP cannot switch to TLS encryption until the Server Name Indication (SNI) has been sent. Then, based on the host name that was specified, the appropriate certificate can be selected for the encryption. Because the host name has to be sent in the clear, this can be seen as a security vulnerability. This is why we have proposals for Encrypted SNI. But what encryption key do you use to send this? That encryption key is taken from the DNS. This requires a secure DNS. And there are two different proposals for that. Which is a whole other story.
1
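The point in the comment above, that the SNI host name travels in the clear before any key exchange has happened, is easiest to see by looking at the bytes. The following is an added example, not code from the commenter, the video or the ByteByteGo channel. It builds a minimal, constructed TLS ClientHello record (a fixed all-zero random and a single cipher suite, which real clients would not send) with a `server_name` extension, and then parses the host name back out the way a passive network monitor or a TLS-terminating load balancer does when it selects a certificate. The function and parameter names (`build_client_hello`, `extract_sni`) are the example's own. The parser also handles the two edge cases a monitor meets in practice: a record that is not a TLS handshake at all, and a ClientHello that carries no extensions (older clients or IP-address connections), where there is simply no SNI to read.

```python
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (RFC 5246/8446 framing).

    Constructed sample input: the random is zeroed and only one cipher suite is
    listed so the output is deterministic. Pass None to omit the extensions
    block entirely, mimicking a client that sends no SNI.
    """
    if server_name is None:
        extensions = b""
    else:
        host = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
        # ServerNameList: 2-byte list length, then the entries
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        # Extension: type 0x0000 (server_name), 2-byte length, body
        extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(extension)) + extension

    body = (
        b"\x03\x03"              # client_version: TLS 1.2 (legacy field in TLS 1.3)
        + b"\x00" * 32           # random: zeroed here for determinism
        + b"\x00"                # session_id length: 0
        + b"\x00\x02\x13\x01"    # cipher_suites: 2 bytes, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: 1 byte, null
        + extensions
    )
    # Handshake header: msg_type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), legacy version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    Everything read here is plaintext: no key has been negotiated yet, so any
    device on the path can recover the same value.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                          # skip client_version and random
    if len(body) < pos + 1:
        return None                       # truncated
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                     # skip cipher_suites
    if len(body) < pos + 1:
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                     # skip compression_methods
    if len(body) < pos + 2:
        return None                       # no extensions block: no SNI present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))

    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000 and len(ext_data) >= 5:
            lpos = 2                      # skip ServerNameList length
            while lpos + 3 <= len(ext_data):
                name_type = ext_data[lpos]
                name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
                name = ext_data[lpos + 3:lpos + 3 + name_len]
                if name_type == 0:        # host_name
                    return name.decode("ascii", "replace")
                lpos += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(hello.hex())
    print("SNI seen on the wire:", extract_sni(hello))
```

Running it prints the record bytes with the host name visible as plain ASCII inside them, which is the exposure the Encrypted SNI work (now carried on as Encrypted Client Hello) is designed to close. The `None` return for a ClientHello without extensions matters for detection logic: a monitor that treats "no SNI" as an error rather than a legitimate case will misclassify older clients and connections made directly to an IP address.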