SSL/TLS Learning Center
A guide to TLS, certificates, email auth and the security headers your browser cares about. Written for engineers who want a real answer — and for anyone who just inherited the renewal nightmare.
SSL / TLS basics
How browsers and servers actually agree to encrypt traffic — handshake, certificates, sessions — without the math degree.
Read articleCommon vulnerabilities
POODLE, Heartbleed, BEAST, CRIME, ROBOT — what each one was, what to look for, and why they're (mostly) extinct.
Read articleWhy monitoring matters
One expired cert ruins a Friday. A short story about regressions you didn't ship and how to catch them anyway.
Read articleSSL best practices
Our opinionated, no-bullshit checklist for getting and staying at A+ — modern ciphers, HSTS, OCSP, CT, the works.
Read articleCertificate types explained
DV, OV, EV and wildcard — the differences, when each is worth paying for, and the surprising answer for most teams (spoiler: DV).
Read article2026 trends
Post-quantum TLS
ML-KEM hybrid key exchange now ships by default in Chrome, Firefox and Safari. What's live, what's coming for certificates, and how to test your servers.
Read articleACME, ARI & 47-day certs
Public TLS lifetimes drop to 47 days in 2029. ACME automation, RFC 9773 Renewal Info, and the monitoring you still need on top.
Read articleTop 10 misconfigurations
The ten patterns we keep seeing in 2026 — incomplete chains, weak HSTS, RSA-KEX, wildcard sprawl — what they cost and how to fix each.
Read articleAI agents & bot auth
Web Bot Auth and HTTP Message Signatures (RFC 9421) finally let you cryptographically verify which AI scrapers are crawling you. The TLS angle underneath.
Read articleEmail security
Email security basics
SPF, DKIM and DMARC — what they each do, why you need all three, and how to roll them out without breaking sending.
Read articleAuthentication guide
MTA-STS, DANE, BIMI and TLS-RPT — the second wave of email auth, in plain English.
Read articleDeliverability guide
Reputation, inbox placement, what mailbox providers actually look at, and how to read your DMARC aggregate reports.
Read article