TLS (Transport Layer Security)

Transport Layer Security (TLS) is the cryptographic protocol that encrypts data in transit between a client and server, providing confidentiality, integrity, and authentication for virtually all modern internet communications---from HTTPS web traffic to API calls, email delivery, and VPN tunnels.

Definition

Transport Layer Security (TLS) is a cryptographic protocol that provides encrypted, authenticated communication between two parties over a network. TLS operates between the transport layer (TCP) and the application layer (HTTP, SMTP, IMAP), creating an encrypted tunnel through which application data flows. It is the successor to the Secure Sockets Layer (SSL) protocol, with TLS 1.0 released in 1999, TLS 1.2 in 2008, and TLS 1.3 in 2018.

TLS 1.3 (RFC 8446) represents a significant simplification and security improvement over TLS 1.2: it removed support for legacy cipher suites (RC4, 3DES, static RSA key exchange), reduced the handshake from two round-trips to one (and zero for resumed connections with 0-RTT), and mandated forward secrecy for all connections.

Why It Matters

TLS secures the majority of internet traffic. Google’s Transparency Report shows that 95% of web traffic to Google services travels over HTTPS (TLS-encrypted HTTP), up from 50% in 2014. Let’s Encrypt, which provides free TLS certificates, has issued over 4 billion certificates and serves over 360 million active websites. Firefox telemetry reports that 94% of all page loads use HTTPS.

The migration from HTTP to HTTPS was driven by a combination of browser enforcement (Chrome labels HTTP sites as “Not Secure” since 2018), search engine incentives (Google prioritizes HTTPS sites in rankings since 2014), and the free certificate ecosystem enabled by Let’s Encrypt (founded 2014) and Cloudflare (free TLS since 2014).

TLS 1.3’s performance improvements are substantial. The 1-RTT handshake saves 50-100ms on initial connections and 0-RTT resumption eliminates handshake latency entirely for returning connections. For edge computing platforms like Cloudflare Workers, where total request processing time targets sub-200ms, saving 100ms on the TLS handshake is architecturally significant.

The security improvements are equally important. By removing static RSA key exchange, TLS 1.3 mandates forward secrecy—meaning the compromise of a server’s private key cannot decrypt previously recorded traffic. This eliminates the “harvest now, decrypt later” attack vector for all TLS 1.3 connections.

How It Works

A TLS 1.3 connection is established through a streamlined handshake:

ClientHello: The client sends supported cipher suites, key share(s) for key exchange (typically ECDHE with X25519 or P-256), and a random value. Unlike TLS 1.2, the client speculatively sends key shares in the first message, enabling 1-RTT completion.
ServerHello + EncryptedExtensions: The server selects the cipher suite, sends its key share, and completes the Diffie-Hellman key exchange. From this point, all remaining handshake messages are encrypted using the derived handshake keys.
Server Certificate + CertificateVerify: The server sends its X.509 certificate chain and a signature proving it possesses the private key corresponding to the certificate’s public key.
Finished: Both parties exchange “Finished” messages—MACs over the entire handshake transcript—confirming that the handshake completed without tampering.
Application data: Symmetric encryption begins using the negotiated keys. TLS 1.3 supports only AEAD cipher suites: AES-256-GCM, AES-128-GCM, and ChaCha20-Poly1305. Each record is encrypted with a unique nonce derived from the sequence number.

The entire handshake completes in 1 round-trip (approximately 10-50ms on typical networks), after which all data flows through the encrypted channel.

Stealth Cloud Relevance

TLS is the transport encryption layer for every connection in Stealth Cloud’s architecture. Client-to-edge connections terminate TLS at the nearest Cloudflare PoP, typically within the same city as the user. Edge-to-origin connections (where the Worker communicates with LLM providers) use separate TLS sessions through Cloudflare’s backbone network.

Stealth Cloud enforces TLS 1.3 exclusively—no fallback to TLS 1.2 or earlier versions. This guarantees forward secrecy on every connection, ensures the strongest available cipher suites, and minimizes handshake latency. Combined with HSTS (HTTP Strict Transport Security) headers and preloading, downgrade attacks are architecturally prevented.

TLS protects data in transit. End-to-end encryption (AES-256-GCM via the Web Crypto API) protects data from the server itself. The two layers are complementary: TLS ensures no network observer can read the traffic; application-layer encryption ensures that even the TLS-terminating edge node sees only ciphertext for the user’s actual message content.

The Stealth Cloud Perspective

TLS encrypts the pipe. Stealth Cloud encrypts what flows through it. The distinction matters because TLS trusts the server—the server terminates the TLS connection and sees the plaintext. Stealth Cloud’s architecture layers application encryption on top of TLS so that even the server at the end of the pipe sees only ciphertext. Two layers of encryption. Zero layers of trust.