
TLS Protocol Security Questions

Deep understanding of transport layer security protocols and their secure deployment. Topics include TLS handshake mechanics, cipher suite negotiation, certificate validation and management, session resumption and key exchange algorithms, forward secrecy, common vulnerabilities and mitigations such as downgrade and padding oracle attacks, practical configuration for servers and clients, certificate revocation and lifecycle management, and compatibility considerations across protocol versions.

Hard / Technical
Describe padding oracle attacks that affected CBC-mode ciphers in TLS (high-level). Explain how they exploit decryption oracles, why MAC-then-encrypt is problematic, and list practical mitigations (switch to AEAD, ensure constant-time processing, correct error handling, and using TLS 1.3).
Easy / Technical
Define forward secrecy (perfect forward secrecy) in the context of TLS. Explain how it is achieved at the protocol level, which key-exchange algorithms provide it (DHE, ECDHE), and why an SRE should prefer forward-secret configurations for public-facing services.
Medium / System Design
Design a set of monitoring metrics and alert rules focused on TLS health for a global fleet of services. Include at minimum: certificate expiry, handshake-failure rate, TLS version negotiation distribution, missing OCSP staple, and cipher-negotiation failures. For each metric propose a reasonable alert threshold and how to avoid alert fatigue.
Hard / Technical
Explain the HKDF-based key schedule used in TLS 1.3. Describe the roles of 'early secret', 'handshake secret' and 'master secret', how HKDF-Extract and HKDF-Expand are used with labels and context (transcript hash), and how this design improves security and simplifies key derivation compared to previous versions.
Hard / Technical
Explain Certificate Transparency (CT) logs, cross-signed CAs, and how CT helps detect CA mis-issuance or compromise. As an SRE, how would you monitor CT logs for unexpected certificates for your domains and respond if a suspicious certificate is found?