4.3.27 · D5Computer Networks

Question bank — HTTPS — TLS handshake, certificates, CA

1,443 words7 min readBack to topic

True or false — justify

The padlock icon guarantees the website is honest and safe.
False. It only guarantees you are talking securely to the real owner of that domain; a phishing site can hold a perfectly valid certificate. Authenticity is not honesty.
HTTPS encrypts everything, including which website you are visiting.
False. The path and query are encrypted, but the hostname travels in cleartext via SNI so the server knows which certificate to send. Only recent ECH/ESNI hides it.
A self-signed certificate uses weaker encryption than a CA-signed one.
False. The cryptography (AES, RSA/ECDHE) is identical; what a self-signed cert lacks is a chain of trust to a root, so the browser cannot verify identity.
The certificate contains the symmetric session key used to encrypt page data.
False. The certificate holds the server's public key for authentication and key-bootstrap. The bulk symmetric key is derived fresh each session and never transmitted.
Once TLS is set up, HTTP is no longer involved.
False. HTTPS is literally HTTP inside the TLS tunnel — the same GET/POST methods and status codes ride encrypted. See HTTP — methods, status codes.
TLS runs before the TCP connection is established.
False. TLS needs a reliable byte stream, so the TCP — three-way handshake (SYN, SYN-ACK, ACK) completes first; then the TLS handshake begins on top.
With Diffie–Hellman, the shared secret is sent over the wire in encrypted form.
False. The secret is never sent; each side computes it independently from its own private value and the other's public value.
If a server's private key leaks tomorrow, sessions recorded today are always exposed.
False (with ECDHE). Ephemeral Diffie–Hellman throws away its key pair after each session, giving forward secrecy. It is true only for old-style RSA key transport, where the leaked key decrypts recorded pre-master secrets.
The Finished message is optional and just says "we are done."
False. Finished is a MAC over the entire handshake transcript; it proves nobody tampered with the earlier cleartext negotiation messages. Dropping it would leave the algorithm negotiation attackable.
A CA verifies that the website owner is a trustworthy business before issuing a cert.
False for domain-validated certs. A basic CA only checks you control the domain. Vetting the organisation is a separate, pricier tier (OV/EV).

Spot the error

"We use asymmetric crypto for all the traffic because it is the most secure."
Asymmetric is used only to bootstrap and to sign — it is far too slow for bulk data. The fast symmetric key handles all page bytes. This hybrid split is the whole point of Symmetric vs Asymmetric Encryption.
"The browser trusts bank.com directly because it recognises its certificate."
The browser trusts a root CA baked into its trust store, not bank.com. Trust flows transitively: root → intermediate → leaf, each link a verified signature. See Public Key Infrastructure (PKI).
"To verify a signature, you decrypt the data with the signer's private key."
You verify with the signer's public key; only the signer holds the private key. Mixing these up inverts the entire security model of Digital Signatures & Hashing.
"Since both random nonces are public, they add no security."
They are public, but each side contributes one, so neither party alone controls the derived key, and the pair makes every session's keys unique — defeating replay of an old handshake.
"The pre-master secret is generated by both client and server together."
In RSA key transport the client alone generates it, then encrypts it with the server's public key. Only the master secret is computed by both via the PRF.
"DH is secure because factoring g^a is hard."
The hard problem is the discrete logarithm: recovering from . Factoring is RSA's problem, a different assumption. See Diffie–Hellman Key Exchange.
"An expired certificate still authenticates the server, it just looks untidy."
An expired cert breaks the validity check, so the browser cannot trust it. Expiry limits the damage window if a key is quietly compromised, so it is a hard failure, not cosmetic.
"Because TLS 1.3 is 1-RTT, it skips authenticating the server."
TLS 1.3 still sends the certificate and Finished; it only pipelines the key share into ClientHello to save a round trip. Authentication is intact.

Why questions

Why can an eavesdropper record the whole DH exchange yet not learn the secret?
They see and but need ; getting there requires solving the discrete log to recover or , believed computationally infeasible.
Why does TLS mix both the client and server random values into the key?
So neither side can force a predictable key. If only one contributed randomness, a compromised or malicious peer could steer the key toward a weak or known value.
Why is a certificate needed at all if Diffie–Hellman already hides the secret?
DH hides the secret from passive watchers but a MITM can run two DH exchanges and sit in the middle. The certificate authenticates whose public value you are combining with, killing the MITM.
Why does the browser ship with root CA public keys instead of fetching them live?
The root keys are the anchor of trust; fetching them over the network would itself need something already trusted. Baking them in (an out-of-band, vendor-vetted step) bootstraps the whole chain.
Why is the domain name checked against the certificate, not just its signature?
A validly signed cert for attacker.com is still real — but it must not authenticate bank.com. Matching the requested host to the cert's name stops a valid cert being reused for the wrong site.
Why does TLS use a PRF rather than just using the pre-master secret directly as the key?
The PRF is one-way and stretches one secret into several independent keys (encryption, MAC, both directions) bound to this session's nonces, so a leak of one derived key does not reveal the others.
Why does resolving the hostname via DNS not itself provide security?
DNS only maps a name to an IP address; it does not prove the machine at that IP is genuine. That proof is TLS's job via the certificate.

Edge cases

What happens if the certificate is valid but its domain name does not match the site you typed?
The browser rejects it (a name-mismatch error). A cert for example.net cannot authenticate example.com, even if perfectly signed.
What if the server offers only cipher suites the client does not support?
The handshake fails with no agreed suite; ServerHello cannot pick one, so no secure channel forms and the connection is aborted.
What if an intermediate CA in the chain is missing from the server's response?
Verification may break because the browser cannot bridge the leaf to a trusted root. Some browsers fetch the missing intermediate, but a correct server should send the full chain.
What does 0-RTT resumption in TLS 1.3 sacrifice for its speed?
Early data sent in 0-RTT is replayable — an attacker can resend it — so it must only carry idempotent, non-state-changing requests.
If the same page is served over HTTP and HTTPS, are its cookies equally protected?
No. Only the HTTPS transfer is encrypted and integrity-checked; the HTTP one leaks cookies in cleartext, which is why "Secure" cookies refuse to travel over plain HTTP.
What if a root CA's private key is stolen?
An attacker could forge certs for any domain, so that root must be revoked/distrusted and removed from trust stores — a catastrophic, industry-wide event, which is why roots are guarded offline.