Networking & Protocols
The 1-RTT handshake: key shares and ECDHE
The browser opens a TCP connection and immediately sends a ClientHello. That single message carries the cipher list AND the client’s half of the encryption key — the server can compute the shared secret on the spot and reply with encrypted data in one pass. This is how TLS 1.3 cuts two round-trips to one.
The 1-RTT handshake step by step
Step 1 — ClientHello. The client sends: the TLS version list (via the supported_versions extension), supported cipher suites, supported named groups (curves), supported signature algorithms, and a key_share extension containing at least one ECDHE public key — typically x25519.
Step 2 — ServerHello. The server picks a cipher suite (e.g. TLS_AES_128_GCM_SHA256), picks a named group from the client’s key_share, generates its own ephemeral keypair, and replies with its public key. Both sides now have each other’s ephemeral public keys and can run ECDHE to derive the shared secret.
Step 3 — Encrypted handshake. The server immediately derives the handshake traffic key from the shared secret and sends EncryptedExtensions, Certificate, CertificateVerify, and server Finished — all encrypted — back to back in the same network pass.
Step 4 — Client completes. The client derives the same handshake traffic key, decrypts the server’s messages, validates the certificate chain, validates the CertificateVerify signature over the transcript, verifies the server Finished HMAC, sends client Finished, and starts sending application data.
Total round-trips: one. ClientHello leaves the client, ServerHello + encrypted handshake arrive, client Finished + first app data leave — all in a single network exchange.
- ClientHello
- ~512 bytes
- ServerHello
- ~150 bytes
- Certificate (ECDSA P-256 chain)
- 1–3 KB
- CertificateVerify (ECDSA)
- ~70 bytes
- Server Finished
- ~50 bytes
- Client Finished
- ~50 bytes
- Total RTTs
- 1
ECDHE: the key exchange behind key shares
Both sides agree on a curve (usually x25519 for performance, or P-256 for FIPS). Each generates a private scalar (a random 256-bit integer) and computes a public point: public = private · G, where G is the curve’s base generator. Bea sends her public point in the key_share; Sven sends his back. Each side computes the shared secret by multiplying the other’s public point by their own private scalar:
- Bea:
shared = bea_private · sven_public - Sven:
shared = sven_private · bea_public
Both arrive at the same point on the curve. An eavesdropper who saw only the public points cannot recover it without solving the elliptic-curve discrete-log problem — intractable for properly sized curves on classical hardware.
Perfect Forward Secrecy (PFS)
Both the client and server use ephemeral key pairs generated fresh for this connection and discarded after it. If an attacker later steals Sven’s long-term private key from his disk, the attacker cannot decrypt past sessions — those sessions used ephemeral keys that are already gone. This is Perfect Forward Secrecy.
TLS 1.2 allowed RSA key transport: the client encrypted the session secret with the server’s long-term public key. Stealing the private key meant decrypting every recorded past session. TLS 1.3 mandates ephemeral key exchange, making PFS the default with no configuration needed.
Certificate chain validation
When the client receives Certificate, it sees a chain: the leaf certificate for the hostname, then one or more intermediate certificates. It walks the chain bottom-up:
- Verify the leaf was signed by the intermediate’s public key.
- Verify the intermediate was signed by a root.
- Confirm the root is in the local trust store (the CA bundle shipped with OS/browser).
- Check the leaf’s Subject Alternative Names (SANs) include the connection hostname.
- Check validity period (
notBefore <= now <= notAfter). - Check revocation (CRLite, stapled OCSP, or short-lived cert policy).
If any step fails, the connection terminates with a fatal alert (e.g. unknown_ca).
The transcript hash and Finished
Every byte sent during the handshake is fed into a running SHA-256 digest called the transcript hash. The Finished message is HMAC(finished_key, transcript_hash). If a single bit on the wire was flipped or replaced — by a network bug or a man-in-the-middle — the HMAC will not match and the connection aborts. This is how TLS 1.3 detects downgrade attacks: the transcript records the version the client originally proposed, so a middlebox that tries to force TLS 1.2 breaks the Finished check.
Trace a successful TLS 1.3 cold handshake from ClientHello to first encrypted application byte.
Why does TLS 1.3 mandate ephemeral key exchange (ECDHE) and remove RSA key transport?
What integrity guarantee does the TLS 1.3 transcript hash provide?
Order the certificate chain validation steps:
- 1 Receive Certificate message containing leaf + intermediate(s)
- 2 Confirm leaf certificate's SAN matches the connection hostname
- 3 Walk the chain: verify each cert's signature using the issuer's public key
- 4 Find a root in the local trust store matching the topmost issuer
- 5 Check validity period (notBefore <= now <= notAfter)
- 6 Check revocation status (CRLite, stapled OCSP, or short-lived cert policy)
Why this works
RSA vs ECDSA certificates. The signature algorithm of the server certificate is independent of the ECDHE key exchange. ECDSA P-256 certificates are roughly 5x faster to verify than RSA-2048 and produce signatures four times smaller. An edge serving a million handshakes per second pays five times the CPU bill on RSA. Cloud providers default to ECDSA chains; RSA is offered only for legacy clients that cannot handle ECDSA.
- 01Why does the server send HelloRetryRequest, and what does the client do in response?
- 02What happens when certificate chain validation fails (unknown CA)?
- 03Explain ECDHE in one paragraph. Why can both sides arrive at the same secret without exchanging it?
TLS 1.3 compresses the handshake to one RTT by embedding the client’s ECDHE public key in the first message. The server immediately runs elliptic-curve Diffie-Hellman to compute the shared secret, encrypts the rest of the handshake under a derived traffic key, and sends certificate, CertificateVerify, and Finished in the same pass. Because both sides use fresh ephemeral keys, compromising the server’s long-term signing key later cannot decrypt past sessions — this is Perfect Forward Secrecy. The transcript hash fed into every Finished message detects any tampering with handshake bytes, including downgrade attempts by middleboxes.
appears again in152
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- pg_statistic, ANALYZE, and production observabilitymiddle
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior