Skip to content

TLS Security Concepts

Transport Layer Security (TLS) is a crucial aspect of website security that ensures data exchanged between clients and servers is protected from eavesdropping, tampering, or interception. Understanding TLS concepts is essential for making informed decisions about your website's security configuration.

TLS Modes

Peakhour provides four distinct modes for handling TLS traffic, each offering different trade-offs between security, performance, and compatibility:

Disabled

TLS traffic to your site is completely disabled, and only unencrypted HTTP traffic will be allowed. This mode offers no encryption protection and should only be used for non-sensitive content or during development.

Passthrough

HTTPS requests are passed directly to your origin server without any processing by Peakhour. In this mode:

  • Peakhour acts as a transparent proxy for HTTPS traffic
  • The Web Application Firewall (WAF) becomes inactive for HTTPS requests
  • Certificate management remains entirely with your origin server
  • Origin server performance directly affects HTTPS response times

Enabled

HTTPS traffic is terminated at Peakhour's edge, providing several advantages:

  • Requires a certificate to be configured within Peakhour
  • HTTPS connections are terminated at Peakhour's globally distributed edge
  • Communication between Peakhour and your origin uses HTTP
  • WAF and other security features remain active
  • Improved performance through edge termination

Enabled + SSL Client

This mode provides end-to-end encryption:

  • Requires certificates on both Peakhour and your origin server
  • Client-to-Peakhour communication uses HTTPS
  • Peakhour-to-origin communication also uses HTTPS
  • Provides the highest level of encryption throughout the entire request path
  • Slightly higher latency due to additional SSL handshake with origin

Certificate Types

Let's Encrypt Certificates

Let's Encrypt provides free, automated domain-validated certificates that:

  • Are automatically provisioned and renewed by Peakhour
  • Require domain validation through DNS or HTTP challenges
  • Offer 90-day validity periods with automatic renewal
  • Are trusted by all major browsers and devices
  • Support multiple domains through Subject Alternative Names (SAN)

Custom Certificates

Custom certificates allow greater control and flexibility:

  • Support Extended Validation (EV) and Organization Validation (OV)
  • Can use custom Certificate Authorities
  • Allow longer validity periods (typically 1-2 years)
  • Support wildcard domains
  • Require manual renewal and management

TLS Cipher Security Levels

Understanding cipher classifications helps you balance security with compatibility. Mozilla's security framework categorizes TLS ciphers into three levels:

Modern Ciphers

These provide the strongest security and are recommended for all new implementations:

  • Examples: AES-256-GCM, ChaCha20-Poly1305
  • Security: Resistant to known cryptographic attacks
  • Compatibility: Supported by browsers from the last 5 years
  • Performance: Optimized for modern hardware
  • Use case: Default choice for maximum security

Intermediate Ciphers

These offer a balance between security and broader device compatibility:

  • Examples: AES-128-GCM, AES-256-CBC
  • Security: Good protection against most attacks
  • Compatibility: Supports older browsers and devices
  • Performance: Good performance across various platforms
  • Use case: When legacy device support is required

Old Ciphers

These provide weaker security and should generally be avoided:

  • Examples: DES, RC4, 3DES
  • Security: Vulnerable to various cryptographic attacks
  • Compatibility: Required only for very old systems
  • Performance: Often slower than modern alternatives
  • Use case: Only when absolutely necessary for ancient devices

Security Considerations

When choosing TLS configuration, consider:

  • Threat Model: What level of security does your application require?
  • Compliance Requirements: Do regulations mandate specific cipher strengths?
  • User Base: What browsers and devices do your users commonly employ?
  • Performance Impact: How does cipher choice affect page load times?
  • Maintenance Overhead: Can you manage certificate renewals effectively?

The optimal TLS configuration balances these factors while prioritizing security wherever possible.