Is TLS Enough? A Retrospective on Application-Layer Encryption

Years ago, I was part of a heated debate that every engineering team eventually faces: Is standard TLS enough, or do we need custom application-layer encryption?

We were implementing a payment solution. The provider required a backend-to-backend integration, meaning we had to take user credit card data, send it to our server, and then forward it to the provider.

My argument was that the TLS layer would be enough for it. The rest of the team disagreed. They didn't have a technical counter-argument, it was just a "lack of trust".

We ended up building a complex Dual-Keypair System:

1. The app keypair: Used to sign requests so the server could verify the data actually came from our app (Authenticity).
2. The server keypair: The app used the server's public key to encrypt the payload, ensuring only our backend could read it (Confidentiality).

It worked, but years later I realized the hidden parts we didn't consider.

1. The scale: We were small then. But if you scale to multiple server instances, you suddenly need a secure way to share those private keys. You've just turned a "payment problem" into a "key management problem".
2. The key rotation: What happens if a key is compromised or expires? If you have users on old app versions, you're stuck. You either support legacy keys forever or force your users to update, either options are bad.
3. The "hostile" client: We stored a key in the app. But unless you are using the device's hardware Secure Enclave (iOS) or Keystore (Android), your app is a hostile environment. A determined attacker can decompile the code and extract those keys.
4. The TLS termination: The only valid concern was where the TLS "ends". If your HTTPS connection terminates at a Load Balancer and the internal traffic to your web server is plain HTTP, you have a gap.

Unless you are building a banking core or a literal payment gateway, TLS is enough. If you’re worried about the "last mile" inside your VPC, solve that at the infrastructure level. Don’t bake custom crypto into your application logic unless you’re ready to manage the massive operational overhead that comes with it.

Experience taught me that "Trust issues" should be solved with better infrastructure, not more code.