After this lesson, you will be able to: Explain how TLS works (handshake, certificates, CAs), get a certificate via Let's Encrypt or managed SSL, use Cloudflare as a security layer with Full Strict mode, and understand DNS security (DNSSEC, DoH) and Certificate Transparency.
HTTPS is non-negotiable for anything with a login or sensitive data. This lesson covers TLS at a conceptual level, getting certificates (Let's Encrypt, Cloudflare Universal SSL, Vercel managed certs), Cloudflare as a security layer and why Full Strict mode is the only correct SSL mode, DNS attacks and defenses, and Certificate Transparency monitoring.
TLS gives you three things: encryption (eavesdroppers see ciphertext), integrity (tampering is detected), and authentication (you are talking to the real server). The handshake: the client and server agree on a cipher, the server presents a certificate proving its identity, the client verifies that certificate against a trusted certificate authority, and they derive a shared session key. The browser checks the certificate is valid, not expired, issued for this domain, and chains up to a trusted root. If any check fails, you get the scary warning.
Let's Encrypt issues free, automated certificates via the ACME protocol; most servers renew them automatically every 90 days. Cloudflare Universal SSL gives every proxied domain a certificate for free. Vercel, Netlify, and similar platforms provision and renew managed certificates for you with zero configuration. You almost never buy a certificate anymore; the only paid cases are organization-validated or extended-validation certs that some enterprises want.
When a domain is proxied through Cloudflare (the orange cloud), traffic flows through Cloudflare first: it terminates TLS, absorbs DDoS, and hides your origin server's real IP so attackers cannot hit it directly. Cloudflare's SSL mode controls how it talks to your origin. Flexible (the Cloudflare-to-origin leg is unencrypted) is dangerous and should never be used. Full encrypts to the origin but does not validate the origin certificate, so any certificate, including one presented by an impostor, is accepted. Full (Strict) encrypts AND validates the origin certificate. Always use Full (Strict); otherwise an attacker positioned between Cloudflare and your origin can intercept traffic.
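The certificate checks described for the TLS handshake above, and the difference between Cloudflare's Full and Full (Strict) modes, expressed in Python's standard `ssl` module. This is an added example, not code from the lesson or from Cloudflare: `context_for_mode` builds the client-side TLS settings that correspond to each origin SSL mode, `certificate_problems` applies the validity-period and name checks a browser performs to a certificate dict in `getpeercert()` form, and `inspect_origin` runs them against a live host. The certificate dict and the example.com names are constructed for the example; chain validation to a trusted root is left to the `ssl` module itself.

```python
import ssl
import socket
import time


def context_for_mode(mode):
    """Client-side TLS settings that mirror each Cloudflare origin SSL mode.

    "flexible": no TLS on the origin leg at all (returns None).
    "full":     TLS, but the origin certificate is never validated.
    "strict":   TLS with chain and hostname validation (Full (Strict)).
    """
    if mode == "flexible":
        return None
    if mode == "full":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # any cert is accepted: self-signed, expired, wrong name
        return ctx
    if mode == "strict":
        return ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    raise ValueError(f"unknown SSL mode: {mode}")


def hostname_matches(pattern, hostname):
    """Name match as browsers do it: exact, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def certificate_problems(cert, hostname, now=None):
    """Reasons a browser would reject `cert` (a dict in SSLSocket.getpeercert() form)
    when presented for `hostname`. An empty list means the validity period and the
    name are fine; the chain-to-trusted-root check happens inside the handshake."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in san_names):
        problems.append(f"no subjectAltName entry matches {hostname}")
    return problems


# Constructed certificate dict in getpeercert() form (not a real certificate):
# valid for three months in early 2024, issued for example.com and one level of subdomain.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Apr 15 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def inspect_origin(host, port=443, mode="strict"):
    """Connect to a live origin the way Cloudflare would in `mode` and report what
    Full (Strict) would object to. Needs network access; not exercised offline."""
    ctx = context_for_mode(mode)
    if ctx is None:
        return ["flexible: the Cloudflare-to-origin leg would be plaintext HTTP"]
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Only the strict context can get here: the chain or name did not check out.
        return [f"chain validation failed: {exc.verify_message}"]
    # With CERT_NONE the handshake succeeds against anything and getpeercert()
    # returns {}: the client learned nothing about who it talked to.
    if not cert:
        return ["full: certificate accepted without validation"]
    return certificate_problems(cert, host)


if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Feb 15 12:00:00 2024 GMT")
    print(certificate_problems(CONSTRUCTED_CERT, "www.example.com", when))            # []
    print(certificate_problems(CONSTRUCTED_CERT, "a.b.example.com", when))            # name mismatch
    print(certificate_problems(CONSTRUCTED_CERT, "example.com", when + 10_000_000))   # ['expired']
```

Run `inspect_origin("your-origin.example", mode="strict")` against an origin that presents a self-signed or mismatched certificate and it reports the failure; the same call with `mode="full"` silently succeeds, which is the gap Full (Strict) closes.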
DNS turns names into IPs, and attacking it redirects your users. DNS hijacking compromises your registrar account or resolver to change records, so put MFA on your domain registrar. DNSSEC cryptographically signs DNS records so resolvers can detect forged answers (cache poisoning). DNS over HTTPS (DoH) encrypts the DNS query itself so a network observer cannot see or tamper with which domains you visit. Attackers also abuse DNS for exfiltration, tunneling stolen data out through DNS queries that firewalls usually allow.
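Detection logic for the DNS exfiltration and tunneling pattern just described, as an added example (not from the lesson, and not tied to any particular resolver or firewall product). It runs over a constructed query log in a made-up `<timestamp> <client-ip> <qtype> <qname>` format, flags single queries that carry long or high-entropy labels or use record types that tunnels commonly rely on, and then reports client/domain pairs that produced many distinct subdomains together with those flags. The thresholds (40-character labels, entropy above 3.5 bits, 20 distinct subdomains) and the treatment of the last two labels as the registrable domain are assumptions for the example.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score well above real hostnames."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split_name(qname):
    """Split a query name into (registrable domain, subdomain part).
    Assumption: the last two labels are the registrable domain. Production code should
    use the Public Suffix List so that names under e.g. co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def query_reasons(qtype, qname):
    """Per-query indicators of tunneling; an empty list means nothing stood out."""
    _, sub = split_name(qname)
    reasons = []
    if any(len(label) > 40 for label in sub.split(".") if label):
        reasons.append("label longer than 40 characters")
    compact = sub.replace(".", "")
    if len(compact) >= 16 and shannon_entropy(compact) > 3.5:
        reasons.append("high-entropy subdomain")
    if qtype in ("TXT", "NULL"):
        reasons.append(f"{qtype} record type, commonly used to carry tunnel data")
    return reasons


def find_tunnels(log_lines, min_unique_subdomains=20):
    """Group queries by (client, registrable domain) and report pairs that generated
    many distinct subdomains AND individually suspicious queries. Returns a sorted
    list of (client, domain, distinct subdomains, suspicious query count)."""
    subdomains = defaultdict(set)
    suspicious = Counter()
    for line in log_lines:
        _ts, client, qtype, qname = line.split()
        registered, sub = split_name(qname)
        subdomains[(client, registered)].add(sub)
        if query_reasons(qtype, qname):
            suspicious[(client, registered)] += 1
    return sorted(
        (client, domain, len(subs), suspicious[(client, domain)])
        for (client, domain), subs in subdomains.items()
        if len(subs) >= min_unique_subdomains and suspicious[(client, domain)] > 0
    )


def fake_payload_label(i):
    """Deterministic stand-in for one base32-encoded chunk of exfiltrated data (constructed)."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed DNS query log: ordinary lookups from two clients, followed by 25 queries
# from 10.0.0.5 that look like a tunnel carrying data out to exfil-example.test.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00 10.0.0.5 A www.example.com",
    "2024-05-01T10:00:01 10.0.0.5 A mail.example.com",
    "2024-05-01T10:00:02 10.0.0.5 AAAA cdn.example.com",
    "2024-05-01T10:00:03 10.0.0.7 A login.example.com",
] + [
    f"2024-05-01T10:01:{i:02d} 10.0.0.5 TXT {fake_payload_label(i)}.exfil-example.test"
    for i in range(25)
]

if __name__ == "__main__":
    for client, domain, unique, flagged in find_tunnels(SAMPLE_LOG_LINES):
        print(f"{client} -> {domain}: {unique} distinct subdomains, {flagged} suspicious queries")
```

The volume threshold matters as much as the per-query heuristics: CDNs and anti-spam services legitimately produce long, random-looking names, but rarely hundreds of distinct ones from a single client in a short window, so tune `min_unique_subdomains` and the time window to your own resolver's baseline before alerting.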
Every certificate a CA issues is logged in public, append-only Certificate Transparency logs. This lets you catch a certificate issued for your domain that you did not request, an early sign of a compromised registrar or CA. Monitor crt.sh (or a CT-monitoring service) for your domains and alert on unexpected certificates.
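A minimal CT monitor for the check described above, as an added example (not the lesson's code and not a crt.sh-provided client). `fetch_ct_entries` queries crt.sh's JSON output for a domain, and `unexpected_certificates` flags entries whose issuer is not one you use or which cover a name you never requested. The crt.sh query parameters (`q=%.domain`, `output=json`) and the field names `id`, `issuer_name`, `common_name` and `name_value` follow crt.sh's current JSON output; the sample entries, the allowed-issuer list and the example.com names are constructed for the example, so the offline run never touches the network.

```python
import json
import urllib.parse
import urllib.request

CRT_SH_URL = "https://crt.sh/"


def fetch_ct_entries(domain):
    """Pull every logged certificate whose name ends in `domain` from crt.sh's
    JSON endpoint. Needs network access; the offline run below uses constructed entries."""
    query = urllib.parse.urlencode({"q": f"%.{domain}", "output": "json"})
    request = urllib.request.Request(
        CRT_SH_URL + "?" + query, headers={"User-Agent": "ct-monitor-example"}
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def certificate_names(entry):
    """All DNS names on one crt.sh entry (name_value is newline-separated)."""
    names = set(entry.get("name_value", "").split("\n"))
    names.add(entry.get("common_name", ""))
    return {n.lower() for n in names if n}


def unexpected_certificates(entries, allowed_issuers, known_names):
    """Return entries that either came from an issuer you do not use or cover a name
    you never requested. Either deserves an alert: the first hints at mis-issuance or a
    compromised CA or registrar, the second at a host being stood up that you do not control."""
    findings = []
    for entry in entries:
        issuer = entry.get("issuer_name", "")
        issuer_ok = any(allowed in issuer for allowed in allowed_issuers)
        unknown = sorted(n for n in certificate_names(entry) if n not in known_names)
        if not issuer_ok or unknown:
            findings.append({
                "id": entry["id"],
                "issuer": issuer,
                "issuer_allowed": issuer_ok,
                "unknown_names": unknown,
            })
    return findings


# Constructed crt.sh-style entries: field names follow crt.sh's JSON output, values are made up.
SAMPLE_ENTRIES = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "www.example.com"},
    # A name nobody on the team requested.
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.com", "name_value": "staging.example.com"},
    # A known name, but issued by a CA you have never used.
    {"id": 1004, "issuer_name": "C=XX, O=Unknown Example CA, CN=Unknown Example CA R1",
     "common_name": "login.example.com", "name_value": "login.example.com"},
]

ALLOWED_ISSUERS = ["Let's Encrypt"]                          # issuers you actually use
KNOWN_NAMES = {"example.com", "www.example.com", "login.example.com"}  # names you requested


def monitor(domain, allowed_issuers=ALLOWED_ISSUERS, known_names=KNOWN_NAMES):
    """Live version: fetch from crt.sh and return the findings to alert on."""
    return unexpected_certificates(fetch_ct_entries(domain), allowed_issuers, known_names)


if __name__ == "__main__":
    for finding in unexpected_certificates(SAMPLE_ENTRIES, ALLOWED_ISSUERS, KNOWN_NAMES):
        print(finding)
```

Schedule `monitor("yourdomain.example")` daily and keep state of the `id` values already seen so that only new entries raise an alert; crt.sh also lists precertificates, so one issuance often appears as two entries with the same names.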
Common mistakes: running Cloudflare in Flexible mode and believing the padlock means end-to-end encryption (the origin leg is plaintext); forgetting to enable auto-renewal and letting a Let's Encrypt cert expire (instant outage); no MFA on the domain registrar, the single most damaging account to lose; leaving the origin IP exposed in old DNS records or email headers, so attackers bypass Cloudflare; never monitoring CT logs, so a mis-issued certificate goes unnoticed.