Networking & Protocols
TLS 1.3: multiple-choice review
Crux Multiple-choice synthesis across the TLS 1.3 unit: 1-RTT key shares, forward secrecy, PSK resumption, 0-RTT replay, cipher-suite separation, and ECH.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitSix questions that cut across the whole unit. Each mirrors a decision you make designing or debugging a TLS deployment — not a definition to recite, but a tradeoff to weigh between speed, secrecy, and replay safety.
Goal
Confirm you can connect the 1-RTT handshake, forward secrecy, resumption, 0-RTT replay risk, cipher-suite separation, and SNI privacy — the synthesis the individual lessons built toward.
Quiz
Completed
TLS 1.2 needed two round-trips for a cold handshake; TLS 1.3 needs one. What single design change collapsed the RTT, and why does Perfect Forward Secrecy come along for free?
Heads-up Certificate validation still happens in 1-RTT — it is encrypted under the handshake traffic key in the same pass. The RTT was saved by moving the key_share into ClientHello, not by dropping authentication.
Heads-up The opposite: TLS 1.3 removed RSA key transport. RSA transport is exactly what destroys forward secrecy, because a stolen long-term key decrypts every recorded past session.
Heads-up Certificate size is unrelated to RTT count. The round-trip saving comes from embedding the ECDHE key_share early, letting the server derive the secret immediately.
Quiz
Completed
A warm PSK-resumption handshake skips certificate validation entirely. How does the client still know it is talking to the legitimate server and not an impostor?
Heads-up Resumption is authenticated: the PSK itself is the credential. Only the server holding the session-ticket encryption key can recover and use the PSK.
Heads-up There is no extra certificate fetch on resumption — that is the whole point of skipping PKI cost. The PSK provides the proof of identity instead.
Heads-up DNSSEC is unrelated to TLS resumption. The authentication carries over from the original handshake via the PSK.
Quiz
Completed
An engineer enables 0-RTT globally to cut latency. A week later, finance reports occasional duplicate transfers. What is the root cause and the correct fix?
Heads-up 0-RTT uses the same AEAD ciphers as 1-RTT data. The flaw is replay, not cipher strength — the same valid ciphertext can be delivered more than once.
Heads-up Ticket expiry causes a fresh handshake, not a duplicated mutation. The duplicate is a replay of early data that the application processed twice.
Heads-up PSK resumption is fine for any method; it is 0-RTT early data specifically that is replayable. The fix is route-level idempotency policy plus 425 Too Early, not disabling resumption.
Quiz
Completed
In TLS 1.3 the cipher suite TLS_AES_128_GCM_SHA256 no longer names the key exchange or signature algorithm — unlike TLS 1.2. What did this separation buy?
Heads-up Mid-connection rotation is KeyUpdate, which reuses the same suite. The separation is about negotiation axes, not changing the suite during the session.
Heads-up RSA key transport was removed in TLS 1.3 entirely. The separated axes are named group, signature algorithm, and AEAD+hash — all forward-secret key exchange.
Heads-up TLS 1.3 only permits AEAD ciphers; CBC-mode and the MAC-then-encrypt combinations were removed. The separation does not reintroduce them.
Quiz
Completed
A middlebox rewrites the ALPN list in ClientHello to strip 'h2' and force HTTP/1.1. The connection aborts before any data flows. Why?
Heads-up ALPN is in the plaintext ClientHello, so a middlebox can read and edit it — but it is still folded into the transcript hash, so the edit is detected by the Finished MAC.
Heads-up Source IP is unrelated. The abort is the Finished HMAC mismatch caused by the altered transcript, which is how TLS 1.3 makes the handshake tamper-evident.
Heads-up HTTP/1.1 runs fine over TLS 1.3. The rejection is the transcript-integrity check, not a protocol-version restriction.
Quiz
Completed
A security review flags that the corporate proxy can still log which hostnames employees visit, even on TLS 1.3. Which mechanism leaks this, and what closes the gap?
Heads-up In TLS 1.3 the Certificate message is encrypted under the handshake traffic key — the SAN is not visible. The plaintext leak is SNI in ClientHello, which ECH addresses.
Heads-up OCSP stapling does remove the live OCSP privacy leak, but the hostname is still exposed via plaintext SNI. Closing that gap requires ECH, not stapling.
Heads-up TLS 1.3 does not encrypt ClientHello by default; SNI, ALPN, and supported groups are visible. ECH is the opt-in extension that encrypts the sensitive inner hello.
Recap
The through-line of the unit is one chain of tradeoffs: the ECDHE key_share in ClientHello buys the 1-RTT handshake and forward secrecy together; PSK resumption trades fresh authentication for speed but stays authenticated via the ticket; 0-RTT trades a round-trip for replay exposure, contained only by idempotency plus 425 Too Early; cipher-suite separation shrinks the attack surface to five suites; and the transcript hash makes every negotiated parameter tamper-evident. SNI still leaks the hostname until ECH encrypts it. Speed, secrecy, and replay safety are the three axes you balance on every TLS decision.