SSL/TLS Connections
- To connect to https://someapp.com, the broser connects to the load balancer at that domain.
- The LB presents the SSL which is checked by the browser and together they come up with a secret key.
- LB gets the encrypted data, and then decrypts it.
- The plaintext of the data is sent to the backend systems.
Why use SSL/TLSs?
Problem: Your traffic will transmit over multiple servers and computers. To ensure NO ONE else sees your message; you need TLS Encryption.
Solution: Encrypt via asymmetric encryption. So anyone can see the encrypted data but NO ONE except the intended individual can use it.
Why use Digital Certs?
Problem: How do you know app.com is the correct server and NOT a fake one? You might say that DNS records tell you who is who. Unfortunately, DNS records can be spoofed or hijacked. They do NOT prove ownership.
Solution: Digital Certs issued by a trusted authority. So you MUST trust the Certificate Authority (CA); the browser, the OS, etc all maintain their own trust store.
- Identity
It is NOT the DNS or the domain address that gives you TRUST, it is the cert that does it.
Why use Hashing/Digital Signatures?
Problem: The packet while NOT read or understood could be MODIFIED in transmit.
Solution: You attach a hash of the message as an integrity check.