Glossary entry · Security primitive

TLS (Transport Layer Security) — the encryption beneath HTTPS

The protocol that authenticates servers and encrypts the wire beneath most of the modern internet.

Definition
Plain English

The cryptographic protocol that authenticates servers and encrypts the channel between client and server beneath HTTPS, SMTP, IMAP, MQTT and most modern application protocols. The successor to SSL — TLS 1.0 superseded SSL 3.0 in 1999; the current version is TLS 1.3 (RFC 8446, 2018). Authentication relies on a chain of X.509 certificates anchored in a publicly trusted certificate authority.

Why it matters at NordBastion

TLS is the default on everything we publish.

Every NordBastion-operated surface — the marketing site, the customer panel, the JSON API, the agent endpoints, the status page, the .well-known registry — answers over TLS 1.2 or TLS 1.3 with a modern cipher suite, with HSTS preloaded and HTTP on port 80 redirected unconditionally to HTTPS. There is no plaintext path to any of our services, and there has not been one since launch.

For customer workloads, TLS lives in your hands: the VPS gives you a Linux box, and you bring whatever certificate machinery suits the application — Let's Encrypt for almost everything, a paid EV certificate if your compliance auditor demands it, a private CA for internal services. The 1 Gbps uplinks and modern AES-NI / VAES support on the underlying CPUs mean that TLS termination cost is essentially noise even at sustained line rate.

Two adjacent points worth flagging. First, TLS is not end-to-end encryption: a TLS link between a chat client and a chat server protects the wire, but the server operator can still read the message. The E2EE glossary entry draws that line precisely. Second, TLS authenticates servers by certificate; it does not authenticate the human who set up the server. PGP fills that second role for fingerprint-grade identity.

FAQ · TLS

The questions people actually ask.

What is the difference between SSL and TLS?

TLS is the modern name for what started life as SSL. The Netscape-era SSL 2.0 and SSL 3.0 protocols were renamed and reworked into TLS 1.0 in 1999, then TLS 1.1, 1.2 and 1.3. The terms "SSL certificate", "SSL/TLS" and so on persist in marketing copy, but every healthy modern deployment is running TLS 1.2 or TLS 1.3 under the hood. SSL 2.0 and SSL 3.0 are formally deprecated and should not be enabled anywhere.

How do I get a TLS certificate for a domain on my VPS?

The easy answer is Let's Encrypt: a free, automated certificate authority that issues 90-day domain-validated certificates over the ACME protocol. The Certbot client (or any of caddy, traefik, nginx-acme, acme.sh) handles issuance, renewal and webserver wiring with one command. We do not run a NordBastion-branded CA — Let's Encrypt is the right answer and we point at it without modification.

Is TLS the same thing as end-to-end encryption?

No. TLS protects the link between the client and the server. If the server is a chat backend or an email provider, the operator of that server can still read the message — the TLS encryption ends at their gateway. End-to-end encryption is a separate property where only the communicating endpoints hold the keys; the intermediate servers see ciphertext only. The dedicated glossary entry for end-to-end encryption covers the distinction in depth.

Does the NordBastion API require TLS?

Yes — every endpoint on api.nordbastion.com requires TLS 1.2 or TLS 1.3 with modern ciphers; HTTP requests on port 80 redirect to HTTPS without exception. The same goes for the marketing site, the customer panel, the status page and the .well-known surfaces.
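The posture described above and in "Why it matters" (TLS 1.2/1.3 only, an HSTS header fit for the preload list, port 80 redirecting to HTTPS) can be checked from the client side. This is an added example, not NordBastion tooling; `example.com` in `main` is a placeholder host, and the set of accepted redirect status codes is an assumption.

```python
"""Client-side checks for the TLS posture this page describes: TLS 1.2/1.3
only, an HSTS header that meets the preload-list rules, and plain HTTP on
port 80 redirecting to HTTPS.  Example code, not NordBastion's own tooling."""
import http.client
import ssl

MIN_PRELOAD_MAX_AGE = 31536000  # hstspreload.org requires at least one year


def parse_hsts(header):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_preload_ready(header):
    """True only if max-age >= 1 year and includeSubDomains and preload are set."""
    d = parse_hsts(header or "")
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= MIN_PRELOAD_MAX_AGE and "includesubdomains" in d and "preload" in d


def client_context():
    """Context that refuses anything below TLS 1.2 and verifies the server's
    X.509 chain and hostname against the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def redirects_to_https(status, location):
    """A port-80 answer counts only if it redirects to an https:// URL (assumed codes)."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def probe(host):
    """Live check of one host; returns (negotiated_version, hsts_ok, redirect_ok)."""
    https = http.client.HTTPSConnection(host, 443, context=client_context(), timeout=10)
    https.request("HEAD", "/")
    resp = https.getresponse()
    version, hsts = https.sock.version(), resp.getheader("Strict-Transport-Security")
    https.close()
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("HEAD", "/")
    r80 = plain.getresponse()
    plain.close()
    return version, hsts_preload_ready(hsts), redirects_to_https(r80.status, r80.getheader("Location"))


if __name__ == "__main__":
    print(probe("example.com"))  # placeholder host; substitute your own domain
```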