{
    "slug": "encryption_in_transit",
    "term": "Encryption in Transit",
    "category": "cryptography",
    "difficulty": "intermediate",
    "short": "Encrypting data moving between systems using TLS — protecting against interception, tampering, and man-in-the-middle attacks on all network communication.",
    "long": "Encryption in transit uses TLS (Transport Layer Security) to protect data between: browsers and web servers (HTTPS), services communicating internally (mTLS), application servers and databases, and message queues. HTTPS alone is insufficient if internal traffic is unencrypted — an attacker who compromises an internal network segment can intercept database credentials and query results. Encryption only helps when the client also verifies the server's certificate: a TLS connection that skips verification is still open to man-in-the-middle attacks. Mutual TLS (mTLS) requires both parties to present certificates, so each side authenticates the other without shared passwords or API keys in service-to-service communication — the receiving service must still authorize what the authenticated peer is allowed to do.",
    "aliases": [
        "TLS",
        "HTTPS",
        "mTLS",
        "in-transit encryption",
        "transport security"
    ],
    "tags": [
        "cryptography",
        "security",
        "networking"
    ],
    "misconception": "HTTPS means all traffic is encrypted — HTTPS encrypts the browser-to-server leg; database connections, internal service calls, and message queue connections are often unencrypted unless explicitly configured.",
    "why_it_matters": "A PHP application using HTTPS but connecting to MySQL over an unencrypted connection leaks database credentials and query results to anyone on the same network segment.",
    "common_mistakes": [
        "MySQL connection without SSL — credentials and all data in plaintext on the network.",
        "CURLOPT_SSL_VERIFYPEER = false (or CURLOPT_SSL_VERIFYHOST = 0) — disables certificate or hostname verification, enabling MITM.",
        "Internal microservice communication over plain HTTP — encrypted external, unencrypted internal.",
        "Not using HSTS — allows later requests to be downgraded from HTTPS to plain HTTP (SSL stripping); HSTS does not protect the very first visit unless the domain is on the HSTS preload list."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "tls_handshake",
        "public_key_infrastructure",
        "man_in_the_middle",
        "hsts"
    ],
    "prerequisites": [
        "tls_handshake",
        "ssl_certificate_types",
        "hsts"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html"
    ],
    "bad_code": "// Unverified TLS — MITM possible:\n$ch = curl_init('https://payment-api.internal');\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Never!\n\n// MySQL without SSL:\n$pdo = new PDO('mysql:host=db.internal', 'user', 'pass');\n// Credentials and queries in plaintext",
    "good_code": "// Verified TLS:\n$ch = curl_init('https://payment-api.internal');\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);    // Default — keep it\ncurl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');\n\n// MySQL with TLS (CA path and verification are PDO attributes, not DSN keys):\n$pdo = new PDO(\n    'mysql:host=db.internal',\n    'user', 'pass',\n    [\n        PDO::MYSQL_ATTR_SSL_CA                 => '/etc/ssl/mysql-ca.pem',\n        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,\n    ]\n);\n\n// mTLS with client certificate:\ncurl_setopt($ch, CURLOPT_SSLCERT, '/certs/client.crt');\ncurl_setopt($ch, CURLOPT_SSLKEY,  '/certs/client.key');",
    "quick_fix": "Enforce TLS for all traffic, external and internal — including database and message-queue connections — with server certificate verification turned on; use mTLS for service-to-service communication and verify CURLOPT_SSL_VERIFYPEER is never disabled in PHP",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/encryption_in_transit",
        "html_url": "https://codeclaritylab.com/glossary/encryption_in_transit",
        "json_url": "https://codeclaritylab.com/glossary/encryption_in_transit.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Encryption in Transit](https://codeclaritylab.com/glossary/encryption_in_transit) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/encryption_in_transit"
            }
        }
    }
}