Where Encryption Ends
A secure connection requires a TLS handshake with several round trips. If that handshake happens at a distant origin, every new connection pays a long delay. TLS termination at the edge ends the handshake on a nearby node instead.
Why It Helps
- The slow handshake round trips travel a short distance
- Session resumption lets repeat visitors skip full handshakes
- The edge keeps a warm connection pool to origin and reuses it
The edge decrypts the request, then talks to origin over a reused, often already encrypted, backend connection. The user only feels the nearby handshake.
Security Notes
- Certificates for your domain live on edge nodes, so the provider manages key material
- Traffic between edge and origin should still be encrypted to avoid a plaintext hop
- Mutual TLS can authenticate the edge to origin
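The notes above as a configuration sketch. This is an added example, not taken from the original page: it assumes nginx on both the edge and the origin, and every hostname and file path is a placeholder.

```nginx
# Edge node (http context): terminates the user's TLS, proxies to origin.
upstream origin_pool {
    server origin.example.internal:443;
    keepalive 32;                         # warm pool of idle origin connections
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/edge/tls/www.example.com.crt;  # site key material sits on the edge
    ssl_certificate_key /etc/edge/tls/www.example.com.key;
    ssl_session_cache   shared:TLS:10m;   # repeat visitors can resume sessions
    ssl_session_timeout 1h;

    location / {
        # Weak form: proxy_pass http://origin_pool;  (plaintext edge-to-origin hop)
        proxy_pass https://origin_pool;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # needed for upstream keepalive reuse
        proxy_set_header Host $host;

        # https:// alone only encrypts; proxy_ssl_verify is off by default,
        # so turn it on to authenticate the origin as well.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/edge/tls/origin-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name origin.example.internal;
        proxy_ssl_session_reuse on;

        # Client certificate the edge presents to origin (mutual TLS).
        proxy_ssl_certificate     /etc/edge/tls/edge-client.crt;
        proxy_ssl_certificate_key /etc/edge/tls/edge-client.key;
    }
}

# Origin (separate host): accepts only connections that present a
# client certificate issued by the CA used for edge nodes.
server {
    listen 443 ssl;
    ssl_certificate        /etc/origin/tls/origin.example.internal.crt;
    ssl_certificate_key    /etc/origin/tls/origin.example.internal.key;
    ssl_client_certificate /etc/origin/tls/edge-ca.crt;
    ssl_verify_client on;                 # handshake fails without a valid edge cert
}
```

With `ssl_verify_client on`, a direct request to the origin that bypasses the edge is rejected, which is a quick way to confirm the mutual TLS requirement is in force.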
Key idea
Terminating TLS at the edge moves the costly handshake near the user and reuses warm origin connections, cutting connection latency while requiring certificates on edge nodes and an encrypted edge-to-origin hop.