KomuraSoft LLC
Chapter 7

Comprehensive review — finish with cases

Eight cases modeled on real situations, cutting across all six chapters. When stuck, return to the matching chapter for a quick review.

Eight finishing problems — bring the three questions

The final chapter is pure exercise. Eight cases modeled on real situations, spanning all six chapters. Whenever you hesitate, return to the course motto — what is missing right now: the peer check, the secrecy, or the tamper detection?

If stuck on…Review
The padlock's coverage; the three guaranteesChapter 1
The four tools; key directionsChapter 2
Hand-computing mod; forward secrecyChapter 3
Certificate chains; the three checks; private-key handlingChapter 4
Handshake flow; SNI; 0-RTTChapter 5
Reading openssl; error triageChapter 6

Case 7-1 — What is protected, and what is not

Chapters 1–3 territory. Return to the three questions.

Q1. Case: a user says, "The site had a padlock, but it was fake — and I typed in my card number." What is the correct explanation?

Q2. Case: reviewing the course, you pick secret a = 4 in Diffie–Hellman with p = 23, g = 5. What public value A = 54 mod 23 do you send?

Q3. Case: an attacker recorded a full year of a server's HTTPS traffic. Later, the server's long-term private key (the certificate's key) leaked. What happens to the past TLS 1.3 traffic?

Case 7-2 — Separate errors from attacks

Chapters 4–6 territory. Use the translation into 'which of the three checks failed.'

Q4. Case: reproducing a man-in-the-middle in a test lab, the attacker's device presents a self-signed certificate. What does the browser do?

Q5. Case: on a link with RTT 80 ms you migrate from TLS 1.2 (2-round-trip handshake) to TLS 1.3 (1 round trip). After TCP setup, by how many milliseconds does time-to-first-encrypted-data shrink?

ms

Q6. Case: a new API client pointed at production fails certificate verification; the same URL works in a browser. Looking at the server's response in openssl s_client, which hypothesis do you check first?

Case 7-3 — Operational judgment

Finally, decisions as an operator. The structure 'what is secret, what is public' yields the answers.

Q7. Case: a server misconfiguration briefly exposed the TLS private-key file to external download. What is the appropriate response?

Q8. Case: an internal system's certificate expired, and users report "the error page doesn't even show an 'Advanced → proceed' button." What is the cause?

Closing — carry the three questions with you

Well done. This course asked you to memorize almost no algorithm internals. What it asks you to carry instead are three questions that work everywhere:

  • Is the peer genuine? — Does the chain reach the root store? Does the name match? Was private-key possession proven?
  • Is the content secret? — Was a key agreed? Is there forward secrecy? What, like SNI, remains visible anyway?
  • Has it been tampered with? — AEAD's integrity protection; Finished checking the whole handshake

At a certificate-error screen or in a security design review, walking these three in order narrows down cause and remedy. Don't silence the error — find which question is answering "no." That is the reading skill this course set out to build.