TLS Security Limitations

Discussions center on the limitations of TLS/SSL encryption, including traffic interception by intermediaries, visibility of metadata and handshakes, and attacks like BREACH and CRIME.

➡️ Stable 0.7x Security
Comments: 3,968
Years Active: 19
Top Authors: 5
Topic ID: #9355

Activity Over Time

2008: 4
2009: 11
2010: 64
2011: 68
2012: 97
2013: 166
2014: 219
2015: 281
2016: 289
2017: 276
2018: 334
2019: 364
2020: 332
2021: 281
2022: 295
2023: 266
2024: 257
2025: 334
2026: 30

Keywords

e.g CPU megous.com SNI ON PEAP a.pid MITM PKI RSA tls traffic decrypt encrypted connection ssl keys https pid http

Sample Comments

0x0 Feb 19, 2014

SSL isn't hiding anything if the attacker controls the client endpoint :)

kpcyrd Apr 1, 2018

TLS isn't magic, you can still observe the encrypted stream and make assumptions based on bytes sent/received on the wire, protocol patterns and timing. See the CRIME and BREACH attacks.

chaitanya May 9, 2019

Aren’t TLS certificates also sent in plaintext?

youngtaff Nov 13, 2022

I’m guessing it doesn’t work with TLS as it’d need the keys to decrypt the traffic

jtmarmon Feb 25, 2017

Wouldn't full SSL traffic be encrypted if leaked and therefore kind of irrelevant?

willstrafach Jul 12, 2017

What you are describing does not make sense. TLS would be pointless if this were possible.

Spooky23 Jun 11, 2025

Not always. Lots of companies intercept and potentially modify TLS traffic between network boundaries.

arthur_pryor Mar 29, 2016

just because it comes over TLS, doesn't mean it's true

wyldfire Jun 3, 2016

Don't most implementations at least use TLS for their implementations to preserve a modicum of sanity there?

chakalakasp Aug 2, 2013

Is TLS really secure from the NSA?