Network Security Basics
Network security is the practice of protecting data as it travels and the systems that send and receive it. For most people that comes down to a handful of fundamentals: encrypting traffic with TLS, controlling what is reachable through ports and firewalls, understanding what a VPN or proxy does (and does not) hide, keeping your IP off blacklists, knowing how devices are fingerprinted, and using strong passwords with multi-factor authentication. This guide covers each.
TLS/SSL: encrypting traffic in transit
TLS (Transport Layer Security) encrypts the connection between your browser and a server so that data - passwords, payments, page content - cannot be read or altered in transit. "SSL" is the obsolete predecessor; the term survives only as a nickname for what is really a TLS certificate. SSL 2.0/3.0 and early TLS versions are insecure and should be disabled. Use TLS 1.2 at minimum and TLS 1.3 (RFC 8446) where possible, which removes legacy ciphers and completes its handshake in a single round trip.
A valid certificate proves the server's identity and is signed by a trusted Certificate Authority. You can inspect a site's certificate - issuer, validity dates, key strength and chain - with our SSL Certificate Checker.
Ports and firewalls
A port is a numbered communication endpoint (0–65535) that lets one host run many services at once. A firewall decides which ports are reachable from where; the safe default is to deny everything and open only the ports you intentionally serve. Common well-known ports:
| Port | Service | Encrypted? |
|---|---|---|
| 22 | SSH (secure remote shell) | Yes |
| 53 | DNS | No (DoH/DoT add encryption) |
| 80 | HTTP (web, plaintext) | No |
| 443 | HTTPS (web over TLS) | Yes |
| 25 / 587 | SMTP (email submission) | 587 supports STARTTLS |
To see which ports are exposed on a host, run our Port Scanner - an unexpected open port is often the first sign of a misconfiguration.
VPNs and proxies
A VPN (Virtual Private Network) builds an encrypted tunnel from your device to a VPN server; all your traffic exits from that server's IP, hiding your real IP from websites and your activity from your ISP or the local Wi-Fi. A proxy forwards traffic for specific applications and may or may not encrypt it. Neither makes you anonymous: the provider can see your traffic, and browser fingerprinting or logins still identify you. Use them to protect data on untrusted networks and to control which IP you present, not as a cloak of invisibility.
Wondering whether a given IP belongs to a VPN, proxy or hosting provider? The VPN Checker flags addresses associated with anonymizing services.
IP blacklists
IP blacklists (also called DNSBLs) are lists of addresses observed sending spam, distributing malware or otherwise misbehaving. Mail servers and security tools check them to decide whether to accept traffic. You can land on one because a device on your network is compromised, because you inherited a "dirty" dynamic or CGNAT address, or because a mail server is misconfigured. The remedy is to identify and fix the root cause, then submit a delisting request to each list operator.
Check whether an address is currently listed across major blacklists with our IP Blacklist Checker.
MAC addresses and device fingerprinting
A MAC address is a 48-bit hardware identifier burned into a network
interface (e.g. 00:1A:2B:3C:4D:5E). It is used only on the local link - it
never travels across the internet - but it can identify your device on a shared Wi-Fi
network, which is why modern phones use randomized MAC addresses per network for privacy.
Fingerprinting goes further: websites combine signals like your browser version, screen resolution, fonts, time zone and installed plugins into a distinctive profile that can re-identify you even without cookies. Reducing the number of unique signals you expose - using a mainstream browser configuration and blocking trackers - makes you harder to fingerprint.
Password hygiene
Weak and reused passwords remain the most common cause of account compromise. Modern guidance from NIST (SP 800-63B) emphasizes length over complexity: allow long passphrases, screen new passwords against known-breached lists, and drop arbitrary "must-include-a-symbol" rules and forced periodic changes. In practice:
- Use a unique password for every account, at least 12–16 characters.
- Store them in a reputable password manager rather than reusing or memorizing.
- Turn on multi-factor authentication (MFA) everywhere it is offered.
- Never reuse a work password on personal sites, or vice versa.
Generate strong, random credentials with our Password Generator.
Related tools & reading
- SSL Certificate Checker - inspect a site's TLS certificate and chain.
- Port Scanner - find which ports are open on a host.
- VPN Checker - detect VPN, proxy and hosting IPs.
- IP Blacklist Checker - check an IP against major DNSBLs.
- Password Generator - create strong, unique passwords.
- Back to the Learning Center
Frequently asked questions
What is the difference between SSL and TLS?
They are the same family of protocol; TLS is the modern successor to SSL. The old SSL versions (2.0 and 3.0) are insecure and deprecated, and "SSL certificate" is now just a colloquial name for a TLS certificate. Today you should use TLS 1.2 or TLS 1.3 - TLS 1.3 (RFC 8446) is faster and drops obsolete ciphers entirely.
Does a VPN make me anonymous?
No. A VPN encrypts your traffic and replaces your visible IP with the VPN server's, which hides your activity from your ISP and local network and your real IP from websites. But the VPN provider can see your traffic, sites can still fingerprint your browser, and logins or cookies still identify you. A VPN improves privacy and security on untrusted networks; it does not make you anonymous.
What is an open port and is it dangerous?
A port is a numbered endpoint (0-65535) that a service listens on - 443 for HTTPS, 22 for SSH, 25 for SMTP. An "open" port means something is listening and reachable. Open ports are only dangerous when they expose a service that is unpatched, misconfigured, or should not be public. The fix is a firewall that closes everything except the ports you intentionally serve.
Why is my IP address on a blacklist?
IP blacklists (DNSBLs) list addresses seen sending spam, hosting malware, or behaving abusively. You can be listed because your own device is compromised, because you share a dynamic or CGNAT address with a previous abuser, or because your mail server is misconfigured. Check the listing reason, fix the cause, then request delisting from the specific blacklist operator.
How long should my password be?
Length beats complexity. Current NIST guidance (SP 800-63B) recommends allowing long passphrases and screening against known-breached passwords rather than forcing arbitrary character rules. Aim for at least 12-16 characters, use a unique password per site stored in a password manager, and enable multi-factor authentication wherever it is offered.
How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.