Practice the vocabulary of both sides of a connection proving their identity, not just the server.
1 / 5
At standup, a dev mentions a connection where both the client and the server present a certificate and each verifies the other's identity, rather than only the server proving who it is. What is this connection pattern called?
Mutual TLS, or mTLS, has both the client and the server present a certificate, with each side verifying the other's identity before the connection is trusted. One-way TLS only has the server present a certificate, leaving the client's own identity completely unverified. This mutual verification is what lets two internal services authenticate each other directly, rather than relying on the network path between them being trusted by default.
2 / 5
During a design review, the team wants every internal service's certificate to be short-lived and automatically rotated by a mesh sidecar, rather than a long-lived certificate managed by hand. Which capability supports this?
Automated short-lived certificate issuance and rotation, commonly handled by a mesh sidecar or an internal certificate authority, keeps every internal service's identity certificate fresh without a person manually renewing it. Issuing a single long-lived certificate manually and reusing it indefinitely means that certificate remains a valuable, long-lasting target if it's ever compromised. This automated rotation is what makes mTLS practical to operate across a large number of internal services.
3 / 5
In a code review, a dev notices a service validating a presented client certificate's chain against its own internal certificate authority, rather than trusting any certificate that happens to be presented. What does this represent?
Certificate chain validation against a trusted internal certificate authority ensures a service only accepts a client certificate that was genuinely issued by an authority it trusts, rather than any certificate a client happens to present. Trusting any presented certificate with no validation defeats the entire purpose of requiring a client certificate in the first place. This validation step is what turns a presented certificate into an actual, trustworthy identity check.
4 / 5
An incident report shows an attacker who gained a foothold on the internal network was able to impersonate a legitimate service and receive sensitive data, because the receiving service only used one-way TLS and never verified who was actually connecting to it. What practice would prevent this?
Requiring mutual TLS makes the receiving service verify the connecting client's certificate before trusting the connection, so an attacker without a valid, internally issued certificate can't simply impersonate a legitimate service. Continuing to rely on one-way TLS is exactly what let the impersonation in this incident succeed, since the receiving service never checked who was actually connecting. This mutual verification is a foundational control for a zero-trust internal network, where the network path itself isn't assumed to be trustworthy.
5 / 5
During a PR review, a teammate asks why the team enforces mTLS between internal services instead of trusting that any traffic reaching a service from inside the private network is already legitimate. What is the reasoning?
Trusting traffic based only on network location assumes an attacker can never gain a foothold inside that network, which is an increasingly risky assumption as internal networks grow larger and more complex. mTLS verifies each side's actual cryptographic identity regardless of where the connection is coming from, closing that gap. The tradeoff is the added operational overhead of issuing, distributing, and rotating a certificate for every internal service that participates in mTLS.