Encryption in Transit
Encryption in transit is the practice of encrypting data while it travels between systems over a network, protecting it from eavesdropping, interception, and tampering by unauthorized parties.
Encryption in transit protects data as it moves across networks, whether between a user's browser and a web server, between microservices within a data centre, or between cloud services. Without encryption in transit, data passes through potentially many network devices and links where it could be intercepted by attackers performing man-in-the-middle attacks, packet sniffing, or network tapping.
The most common protocol for encryption in transit is TLS, which secures HTTPS web traffic, email (SMTP/IMAP with STARTTLS), and many other application protocols. For internal communications, mutual TLS (mTLS) provides bidirectional authentication, ensuring that both the client and server verify each other's identity. VPN tunnels (using IPsec or WireGuard) can also encrypt traffic at the network layer, protecting all communications between two endpoints regardless of the application protocol.
Implementing encryption in transit requires careful configuration to be effective. This includes using current TLS versions (1.2 or 1.3), selecting strong cipher suites, enabling HTTP Strict Transport Security (HSTS) headers so that browsers refuse to fall back from HTTPS to plain HTTP (a protocol downgrade attack), and implementing certificate pinning for mobile applications. Just as important is that clients actually verify the server's certificate chain and hostname; a TLS connection whose verification is disabled encrypts the traffic but offers no protection against an on-path attacker presenting their own certificate. Organizations should also encrypt internal east-west traffic between services, not just north-south traffic from external clients, as attackers who gain a foothold inside a network can otherwise move laterally and intercept sensitive communications between internal systems.
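The following Python script is an added example and is not code from the original page. It covers both the TLS/mTLS paragraph above and the configuration points in this one: a deliberately weak client context beside a hardened one (minimum TLS 1.2, forward-secret AEAD suites, full chain and hostname verification), the extra client-certificate step that turns it into an mTLS client, an audit function that reports which of those protections a given context lacks, a checker for HSTS header values, and a certificate-pin comparison. It uses only the standard library `ssl` and `hashlib` modules. The cipher string, the one-year HSTS threshold, the certificate file paths in `mtls_client_context` and the sample certificate bytes are assumptions made for the example.

```python
"""Added example: weak vs. hardened TLS client configuration, an audit of the
resulting SSLContext, HSTS header checks and a certificate-pin comparison."""
import hashlib
import ssl
from typing import Dict, List, Optional, Set

# Assumed policy for TLS 1.2: ECDHE key exchange and AEAD ciphers only.
# TLS 1.3 suites are fixed by OpenSSL and are not affected by set_ciphers().
STRONG_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

# Assumed threshold: one year, the value commonly required by HSTS preload lists.
HSTS_MIN_MAX_AGE = 31536000

# Constructed sample bytes standing in for a DER-encoded certificate (not a real cert).
SAMPLE_CERT_DER = b"constructed-sample-certificate-der-bytes"
SAMPLE_PINS = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to avoid: no certificate or hostname verification and
    any protocol version the library supports. The traffic is encrypted, but an
    on-path attacker can present any certificate and read or modify it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server chain and hostname, require TLS 1.2 or newer and
    restrict TLS 1.2 to forward-secret AEAD suites."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_TLS12_CIPHERS)
    return ctx


def mtls_client_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """Mutual TLS: the same hardening plus a client certificate so the server can
    authenticate this side too. Paths are assumptions; the certificate must be
    issued by a CA the server trusts."""
    ctx = hardened_client_context(cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are permitted")
    return findings


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into a directive map
    (directive names lower-cased; value-less directives map to None)."""
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def audit_hsts(header_value: Optional[str]) -> List[str]:
    """Findings for an HSTS header; pass None when the response had no header."""
    if header_value is None:
        return ["HSTS header missing: clients will still accept plain HTTP"]
    findings = []
    directives = parse_hsts(header_value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append("max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def certificate_pin_ok(cert_der: bytes, pins: Set[str]) -> bool:
    """Pinning check: compare the SHA-256 of the presented DER certificate with an
    allow-list. Production pins usually cover the SubjectPublicKeyInfo instead,
    so the certificate can be reissued under the same key without a client update."""
    return hashlib.sha256(cert_der).hexdigest() in pins


if __name__ == "__main__":
    print("weak  :", audit_context(weak_client_context()))
    print("strong:", audit_context(hardened_client_context()))
    print("hsts  :", audit_hsts("max-age=300"))
```

Running the script prints three findings for the weak context and none for the hardened one; the HSTS line shows what a short `max-age` without `includeSubDomains` looks like to the checker. The mTLS helper is not exercised by the script because it needs real certificate files.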