This lesson covers protocols for security in Internet Programming.

HTTP vs HTTPS

​

Source: https://www.cloudflare.com/img/learning/security/glossary/what-is-ssl/http-vs-https.svg

• HTTP
  • HyperText Transfer Protocol
  • Plain text communication between client and server
  • Anyone between client and server can intercept and read the communication between clients and server
  • Internet Service Providers or Intermediaries may inject content (e.g. advertising content) into webpages without approval of website owner
• HTTPS:
  • HTTP and Cryptography Protocols
  • Secure session is set-up first between client and server
  • Transport Layer Security (TLS), known formerly as Secure Sockets Layer (SSL) is used to encrypt communication
  • TLS uses asymmetric public key infrastructure i.e. uses two keys:
    • Private Key: key is controlled by owner of website and is kept at the server to decrypt the information encrypted by the public key
    • Public Key: key available to public to encrypt the information
  • Webpage send its SSL certificate containing public key when a user connects to server.
  • Client and server do SSL/TLS handshake to establish secure connection
  • When a user connects to a webpage, the webpage will send over its SSL certificate which contains the public key necessary to start the secure session. The two computers, the client and the server, then go through a process called an SSL/TLS handshake, which is a series of back-and-forth communications used to establish a secure connection. To take a deeper dive into encryption and the SSL/TLS handshake, read about what happens in a TLS handshake.

TLS

• security protocol for privacy and data security over the Internet

• encrypting communication between web applications and servers, email, messaging, and voice over IP (VoIP)

• proposed by the Internet Engineering Task Force (IETF) in 1999.

• recent version is TLS 1.3, which was published in 2018

• TLS vs SSL

  • TLS evolved from Secure Sockets Layer (SSL), developed by Netscape.
  • TLS version 1.0 was SSL version 3.1

• TLS vs HTTPS

  • HTTPS is an implementation of TLS encryption on top of the HTTP protocol
  • website uses HTTPS by employing TLS encryption

• TLS Components

  • Encryption
    • hides the data being transferred
  • Authentication
    • ensures that the parties exchanging information are who they claim to be.
  • Integrity
    • verifies the data not been forged or tampered with

• TLS Working

  • TLS/SSL certificate is installed on origin server

  • TLS/SSL Certificate is issued to a person who owns the domain

  • TLS Handshake is initiated when a user visits webpage

  • Source: https://www.cloudflare.com/resources/images/slt3lc6tev37/3wZIhjRIjfVSmCbVqkBKzb/4a7aa34324108c725dc25fc9e7c4ea4a/tls-ssl-handshake.png

  • Handshake

    • Specify version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
    • Decide on which cipher suites
    • Authenticate the identity of the server using the server’s TLS certificate
    • Generate session keys for encrypting messages between them after the handshake is complete

SSL

• Secure Sockets Layer, is an encryption-based Internet security protocol.
• first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications.
• predecessor to the modern TLS encryption used today.

SSL Certificates

• Types of Certificates
  • Single-domain
    • applies to only one domain
  • Wildcard
    • applies to only one domain, however, also includes that domain’s subdomains
  • Multi-domain
    • multiple unrelated domains
• Validation levels
  • Domain Validation
    • least-stringent and the cheapest
    • prove one control the domain
  • Organization Validation
    • CA directly contacts the person or business requesting the certificate.
    • These certificates are more trustworthy for users.
  • Extended Validation
    • full background check of an organization before the SSL certificate can be issued.