#10: Moved and updated TLS introduction. #11
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ArBridgeman
reviewed
Aug 1, 2025
|
|
||
| * [Estimating: better guessing](estimating/estimating.odp) (presentation material and execises) | ||
| * [Security exaplanations as UML diagrams](security/model) | ||
| ## Software Development Tipps and Tricks |
There was a problem hiding this comment.
Suggested change
| ## Software Development Tipps and Tricks | |
| ## Software Development Tips and Tricks |
|
|
||
| Code name: TLS Tutorial | ||
|
|
||
| In version 1.0.0 we moved the non-programming-language-specific part of the existing TLS tutorial to this repository and updated the information. |
There was a problem hiding this comment.
Suggested change
| In version 1.0.0 we moved the non-programming-language-specific part of the existing TLS tutorial to this repository and updated the information. | |
| In version 1.0.0, we moved the non-programming-language-specific part of the existing TLS tutorial to this repository and updated the information. |
|
|
||
| ## Documentation | ||
|
|
||
| * #10: Move TLS t |
There was a problem hiding this comment.
want more text? Move TLS t seems maybe incomplete
|
|
||
| Simply put, TLS is meant to protect network communication against eavesdropping and offers a mechanism to verify that the other end of the connection is the one you intended to reach. | ||
|
|
||
| Since people often have a wrong perception, I will stress here that a TLS connection does not protect against malicious intent of your communication partner. |
There was a problem hiding this comment.
Suggested change
| Since people often have a wrong perception, I will stress here that a TLS connection does not protect against malicious intent of your communication partner. | |
| Since people often have an incorrect interpretation, I will stress here that a TLS connection does not protect against malicious intent of your communication partner. |
| | 2 | Data link layer | MAC | | | ||
| | 1 | Physical layer | Network adapter | | | ||
|
|
||
| The most obvious one is the physical layer. Here you find the hardware and the physical communication channel like an optical fiber. The data link layer provides a point-to-point connection between two nodes. The network layer allows you to transfer data to other nodes beyond that direct neighbor. It’s the job of the transport layer to make sure that the data arrives intact on the other side of the communication. Especially if that data is too large to fit into a single transfer unit and needs to be split at the source, correctly reassembled at the sink. |
There was a problem hiding this comment.
Suggested change
| The most obvious one is the physical layer. Here you find the hardware and the physical communication channel like an optical fiber. The data link layer provides a point-to-point connection between two nodes. The network layer allows you to transfer data to other nodes beyond that direct neighbor. It’s the job of the transport layer to make sure that the data arrives intact on the other side of the communication. Especially if that data is too large to fit into a single transfer unit and needs to be split at the source, correctly reassembled at the sink. | |
| The most obvious one is the physical layer. Here, you find the hardware and the physical communication channel like an optical fiber. The data link layer provides a point-to-point connection between two nodes. The network layer allows you to transfer data to other nodes beyond that direct neighbor. It’s the job of the transport layer to make sure that the data arrives intact on the other side of the communication. This is applicable especially when that data is too large to fit into a single transfer unit and needs to be split at the source, correctly reassembled at the sink. |
|
|
||
| TLS supports client certificates, but they are seldom used. Mostly because of the [too-many-keys problem](#the-too-many-keys-problem) we discussed earlier. Services typically do not trust public CAs enough to accept client certificates issued by someone outside their own organization. | ||
|
|
||
| That being said, there are cases where client certificates are indeed useful. Mainly in machine-to-machine communication. IT departments often use their own CAs to issue client certificates that they hand out to developers of applications that access company services via TLS. The application then has to present its client certificate during the handshake phase. Only if the service can successfully authenticate the client via its client certificate, will it accept the TLS connection. |
There was a problem hiding this comment.
consistency and second clause not a complete sentence
Suggested change
| That being said, there are cases where client certificates are indeed useful. Mainly in machine-to-machine communication. IT departments often use their own CAs to issue client certificates that they hand out to developers of applications that access company services via TLS. The application then has to present its client certificate during the handshake phase. Only if the service can successfully authenticate the client via its client certificate, will it accept the TLS connection. | |
| That being said, there are cases where client certificates are indeed useful — mainly in machine-to-machine communication. IT departments often use their own CAs to issue client certificates that they hand out to developers of applications that access company services via TLS. The application then has to present its client certificate during the handshake phase. Only if the service can successfully authenticate the client via its client certificate will it accept the TLS connection. |
|
|
||
| The words "keystore" and "truststore" are often used as synonyms. This is not precise. Truststores are a specific subset of keystores containing someone else’s public keys or certificates. If you install root CA certificates on a machine, they go into a truststore. | ||
|
|
||
| In the Java world the distinction is very strict. When the official documentation says "keystore," it really only refers to the place where you store your own keys. |
There was a problem hiding this comment.
ok to keep, i think but wanted to ping as only language-specific use case so far
|
|
||
| How can this happen? | ||
|
|
||
| Remember when we said that cryptography is based on the idea that reversing it is needs to be hard enough? We now have a lot more computing power in our hands, and new mathematical algorithms still are invented that reduce the effort of the calculations involved from unrealistic to manageable. Also, the designers of security mechanisms are human and as such sometimes plant fundamental flaws in a design that make an update unavoidable. |
There was a problem hiding this comment.
Remember when we said that cryptography is based on the idea that reversing it is needs to be hard enough?
at first glance this sentence was hard to parse, i think that maybe the "it" & assumed noun antecedent conflict with the behavior we're describing.
Remember when we said that purpose of encrypted data (or other appropriate participle noun combo) was to make it hard to do or something like that. Sorry, don't have a clear suggestion. Think folks can also figure out what's meant too, so we can leave as is.
|
|
||
| Client and server negotiate which suite and version to use by comparing which ones both support and picking the best available option. | ||
|
|
||
| The important part here is to follow the announcements in the IT security field and make sure that all deployments use and accept only TLS versions and ciphers that are still considered hard enough. The TLS configuration on a modern machine allows you to forbid the client and server to use deprecated versions. |
There was a problem hiding this comment.
Suggested change
| The important part here is to follow the announcements in the IT security field and make sure that all deployments use and accept only TLS versions and ciphers that are still considered hard enough. The TLS configuration on a modern machine allows you to forbid the client and server to use deprecated versions. | |
| The important part here is to follow the announcements in the IT security field and make sure that all deployments use and accept only TLS versions and ciphers that are still considered computationally robust enough. The TLS configuration on a modern machine allows you to forbid the client and server to use deprecated versions. |
|
|
||
| In this article, we discussed what TLS is and what you use it for. We learned about the difference between symmetric and asymmetric encryption and why the latter is only used during the phase in which the connection gets established. We covered certificates, keystores, and truststores in the context of authentication. | ||
|
|
||
| In the next part we’ll build on this information and see where — and how — [TLS comes into play when using Exasol’s analytics database](tls_with_exasol.md). |
There was a problem hiding this comment.
Suggested change
| In the next part we’ll build on this information and see where — and how — [TLS comes into play when using Exasol’s analytics database](tls_with_exasol.md). | |
| In the next part, we’ll build on this information and see where — and how — [TLS comes into play when using Exasol’s analytics database](tls_with_exasol.md). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #10.
This PR take the language-independent parts of the TLS tutorial, updates them and moves them from the Java tutorial to the general tutorial.