Security

3 minute read

Published:

This lesson covers protocols for security in Internet Programming.

HTTP vs HTTPS

Source: https://www.cloudflare.com/img/learning/security/glossary/what-is-ssl/http-vs-https.svg
  • HTTP
    • HyperText Transfer Protocol
    • Plain text communication between client and server
    • Anyone between client and server can intercept and read the communication between clients and server
    • Internet Service Providers or Intermediaries may inject content (e.g. advertising content) into webpages without approval of website owner
  • HTTPS:
    • HTTP and Cryptography Protocols
    • Secure session is set-up first between client and server
    • Transport Layer Security (TLS), known formerly as Secure Sockets Layer (SSL) is used to encrypt communication
    • TLS uses asymmetric public key infrastructure i.e. uses two keys:
      • Private Key: key is controlled by owner of website and is kept at the server to decrypt the information encrypted by the public key
      • Public Key: key available to public to encrypt the information
    • Webpage send its SSL certificate containing public key when a user connects to server.
    • Client and server do SSL/TLS handshake to establish secure connection
    • When a user connects to a webpage, the webpage will send over its SSL certificate which contains the public key necessary to start the secure session. The two computers, the client and the server, then go through a process called an SSL/TLS handshake, which is a series of back-and-forth communications used to establish a secure connection. To take a deeper dive into encryption and the SSL/TLS handshake, read about what happens in a TLS handshake.

TLS

  • security protocol for privacy and data security over the Internet

  • encrypting communication between web applications and servers, email, messaging, and voice over IP (VoIP)

  • proposed by the Internet Engineering Task Force (IETF) in 1999.

  • recent version is TLS 1.3, which was published in 2018

  • TLS vs SSL

    • TLS evolved from Secure Sockets Layer (SSL), developed by Netscape.
    • TLS version 1.0 was SSL version 3.1
  • TLS vs HTTPS

    • HTTPS is an implementation of TLS encryption on top of the HTTP protocol
    • website uses HTTPS by employing TLS encryption
  • TLS Components

    • Encryption
      • hides the data being transferred
    • Authentication
      • ensures that the parties exchanging information are who they claim to be.
    • Integrity
      • verifies the data not been forged or tampered with
  • TLS Working

    • TLS/SSL certificate is installed on origin server

    • TLS/SSL Certificate is issued to a person who owns the domain

    • TLS Handshake is initiated when a user visits webpage

    • TLS Handshake
      Source: https://www.cloudflare.com/resources/images/slt3lc6tev37/3wZIhjRIjfVSmCbVqkBKzb/4a7aa34324108c725dc25fc9e7c4ea4a/tls-ssl-handshake.png
    • Handshake

      • Specify version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
      • Decide on which cipher suites
      • Authenticate the identity of the server using the server’s TLS certificate
      • Generate session keys for encrypting messages between them after the handshake is complete

SSL

  • Secure Sockets Layer, is an encryption-based Internet security protocol.
  • first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications.
  • predecessor to the modern TLS encryption used today.

SSL Certificates

  • Types of Certificates
    • Single-domain
      • applies to only one domain
    • Wildcard
      • applies to only one domain, however, also includes that domain’s subdomains
    • Multi-domain
      • multiple unrelated domains
  • Validation levels
    • Domain Validation
      • least-stringent and the cheapest
      • prove one control the domain
    • Organization Validation
      • CA directly contacts the person or business requesting the certificate.
      • These certificates are more trustworthy for users.
    • Extended Validation
      • full background check of an organization before the SSL certificate can be issued.