Network Security — TLS, Attacks & Defences

Every packet you send crosses multiple networks you don't control. Network security is about ensuring that data arrives intact, from the right source, and unread by anyone else. Understanding the threat landscape is essential for building systems that stay secure.

Cryptography Fundamentals

Symmetric Encryption

Same key encrypts and decrypts. Fast. Problem: how do you share the key securely?

text

Asymmetric (Public Key) Encryption

Two mathematically linked keys: public key (share freely) and private key (keep secret).

Encrypt with public key → only private key can decrypt (confidentiality)
Sign with private key → anyone can verify with public key (authenticity)

RSA and ECDH (Elliptic Curve Diffie-Hellman) are common algorithms. RSA 2048-bit ≈ ECDH 256-bit in security.

Hashing

One-way function: any input → fixed-size digest. Same input always gives same output; impossible to reverse.

text

Used for: password storage (+ salt), data integrity, digital signatures, TLS certificate fingerprints.

TLS — How HTTPS Actually Works

TLS combines asymmetric crypto for the handshake (key exchange) and symmetric crypto for data (speed).

TLS 1.3 Handshake in Detail

text

Certificate Revocation

If a private key is stolen, the certificate must be revoked before it expires:

CRL (Certificate Revocation List): a signed list of revoked serial numbers — downloaded periodically
OCSP (Online Certificate Status Protocol): real-time query to the CA
OCSP Stapling: server includes fresh OCSP response with every TLS handshake — no extra round trip for client

PKI — Public Key Infrastructure

The Certificate Authority (CA) hierarchy is what makes certificate verification work globally:

text

Let's Encrypt is a free, automated CA — issues certificates via the ACME protocol. Used by ~350 million websites.

Common Attacks

Man-in-the-Middle (MITM)

Attacker intercepts traffic between client and server, potentially reading or modifying it.

Defence: TLS with certificate validation. The attacker can't forge a valid certificate for your domain without the CA's private key.

text

DDoS — Distributed Denial of Service

Flood a server with traffic from many sources (botnet) to exhaust resources.

Types:

Volumetric: saturate bandwidth (UDP flood, DNS amplification)
Protocol: exhaust connection tables (SYN flood — send SYNs, never ACK)
Application layer: send expensive requests (slow HTTP read, database queries)

Defences: CDN (absorb volumetric), SYN cookies (stateless SYN handling), rate limiting, WAF.

SYN Flood

Attacker sends many SYN packets without completing the handshake. Server allocates state for each half-open connection, filling the backlog queue.

text

SYN cookies: server encodes connection state in the ISN (Initial Sequence Number), requires no state until the ACK arrives.

DNS Spoofing / Cache Poisoning

Attacker injects false DNS records into a recursive resolver's cache, redirecting users to malicious IPs.

Defence: DNSSEC validates records with digital signatures. Source port randomisation + 16-bit transaction ID randomisation makes injection harder.

SSL Stripping

Attacker downgrades HTTPS to HTTP by intercepting the initial redirect.

Defence: HSTS (HTTP Strict Transport Security) — browser remembers "only HTTPS for this domain" for N seconds.

http

Firewalls

A firewall filters network traffic based on rules.

Stateless packet filter: evaluates each packet independently (source/dest IP, port, protocol).

Stateful inspection: tracks connection state — allows responses to established connections without explicit outbound rules.

Application-layer firewall (WAF): understands HTTP; can block SQL injection, XSS, suspicious User-Agent strings.

bash

VPNs

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server. Your traffic appears to originate from the VPN server's IP.

Use cases: secure remote access to corporate networks, bypass geographic restrictions, protect traffic on public WiFi.

Common protocols: OpenVPN, WireGuard (modern, fast, 4000 lines of code vs OpenVPN's ~600k), IPSec/IKEv2.

Zero Trust Architecture

Traditional security assumed "inside the perimeter = trusted." Modern systems assume zero trust: no implicit trust based on network location.

Principles:

Verify every request explicitly (identity, device health, context)
Least privilege — access only what's needed
Assume breach — segment networks, log everything, detect anomalies

Key Takeaways

Symmetric crypto is fast; asymmetric (public/private key) solves the key exchange problem
TLS uses asymmetric crypto for handshake + symmetric for data — 1 RTT in TLS 1.3
The CA hierarchy (PKI) enables trusting certificates from strangers
MITM attacks are defeated by certificate validation; SYN floods by SYN cookies; DNS spoofing by DNSSEC
HSTS and certificate pinning prevent protocol downgrade attacks
Modern security follows zero trust: verify every access, never assume trust by location

Network Security — TLS, Attacks & Defences

Cryptography Fundamentals

Symmetric Encryption

Same key encrypts and decrypts. Fast. Problem: how do you share the key securely?

text

Asymmetric (Public Key) Encryption

Two mathematically linked keys: public key (share freely) and private key (keep secret).

Encrypt with public key → only private key can decrypt (confidentiality)
Sign with private key → anyone can verify with public key (authenticity)

RSA and ECDH (Elliptic Curve Diffie-Hellman) are common algorithms. RSA 2048-bit ≈ ECDH 256-bit in security.

Hashing

One-way function: any input → fixed-size digest. Same input always gives same output; impossible to reverse.

text

Used for: password storage (+ salt), data integrity, digital signatures, TLS certificate fingerprints.

TLS — How HTTPS Actually Works

TLS combines asymmetric crypto for the handshake (key exchange) and symmetric crypto for data (speed).

TLS 1.3 Handshake in Detail

text

Certificate Revocation

If a private key is stolen, the certificate must be revoked before it expires:

CRL (Certificate Revocation List): a signed list of revoked serial numbers — downloaded periodically
OCSP (Online Certificate Status Protocol): real-time query to the CA
OCSP Stapling: server includes fresh OCSP response with every TLS handshake — no extra round trip for client

PKI — Public Key Infrastructure

The Certificate Authority (CA) hierarchy is what makes certificate verification work globally:

text

Let's Encrypt is a free, automated CA — issues certificates via the ACME protocol. Used by ~350 million websites.

Common Attacks

Man-in-the-Middle (MITM)

Attacker intercepts traffic between client and server, potentially reading or modifying it.

Defence: TLS with certificate validation. The attacker can't forge a valid certificate for your domain without the CA's private key.

text

DDoS — Distributed Denial of Service

Flood a server with traffic from many sources (botnet) to exhaust resources.

Types:

Volumetric: saturate bandwidth (UDP flood, DNS amplification)
Protocol: exhaust connection tables (SYN flood — send SYNs, never ACK)
Application layer: send expensive requests (slow HTTP read, database queries)

Defences: CDN (absorb volumetric), SYN cookies (stateless SYN handling), rate limiting, WAF.

SYN Flood

Attacker sends many SYN packets without completing the handshake. Server allocates state for each half-open connection, filling the backlog queue.

text

SYN cookies: server encodes connection state in the ISN (Initial Sequence Number), requires no state until the ACK arrives.

DNS Spoofing / Cache Poisoning

Attacker injects false DNS records into a recursive resolver's cache, redirecting users to malicious IPs.

Defence: DNSSEC validates records with digital signatures. Source port randomisation + 16-bit transaction ID randomisation makes injection harder.

SSL Stripping

Attacker downgrades HTTPS to HTTP by intercepting the initial redirect.

Defence: HSTS (HTTP Strict Transport Security) — browser remembers "only HTTPS for this domain" for N seconds.

http

Firewalls

A firewall filters network traffic based on rules.

Stateless packet filter: evaluates each packet independently (source/dest IP, port, protocol).

Stateful inspection: tracks connection state — allows responses to established connections without explicit outbound rules.

Application-layer firewall (WAF): understands HTTP; can block SQL injection, XSS, suspicious User-Agent strings.

bash

VPNs

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server. Your traffic appears to originate from the VPN server's IP.

Use cases: secure remote access to corporate networks, bypass geographic restrictions, protect traffic on public WiFi.

Common protocols: OpenVPN, WireGuard (modern, fast, 4000 lines of code vs OpenVPN's ~600k), IPSec/IKEv2.

Zero Trust Architecture

Traditional security assumed "inside the perimeter = trusted." Modern systems assume zero trust: no implicit trust based on network location.

Principles:

Verify every request explicitly (identity, device health, context)
Least privilege — access only what's needed
Assume breach — segment networks, log everything, detect anomalies

Key Takeaways

Symmetric crypto is fast; asymmetric (public/private key) solves the key exchange problem
TLS uses asymmetric crypto for handshake + symmetric for data — 1 RTT in TLS 1.3
The CA hierarchy (PKI) enables trusting certificates from strangers
MITM attacks are defeated by certificate validation; SYN floods by SYN cookies; DNS spoofing by DNSSEC
HSTS and certificate pinning prevent protocol downgrade attacks
Modern security follows zero trust: verify every access, never assume trust by location