Security
This lesson covers protocols for security in Internet Programming.
HTTP vs HTTPS
Figure: HTTP vs HTTPS. Source: https://www.cloudflare.com/img/learning/security/glossary/what-is-ssl/http-vs-https.svg
- HTTP
  - HyperText Transfer Protocol
  - Plain-text communication between client and server
  - Anyone positioned between client and server can intercept and read the communication
  - Internet Service Providers or other intermediaries may inject content (e.g. advertising) into webpages without the approval of the website owner
- HTTPS
  - HTTP combined with cryptographic protocols
  - A secure session is set up first between client and server
  - Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), is used to encrypt the communication
  - TLS uses asymmetric public key infrastructure, i.e. two keys:
    - Private key: controlled by the website owner and kept on the server; it decrypts information that was encrypted with the public key
    - Public key: available to everyone; used to encrypt information for the server
  - The server sends its SSL certificate, which contains the public key, when a user connects to it
  - Client and server then perform an SSL/TLS handshake to establish the secure connection
When a user connects to a webpage, the server sends over its SSL certificate, which contains the public key needed to start the secure session. The two computers, the client and the server, then go through a process called an SSL/TLS handshake: a series of back-and-forth messages used to establish a secure connection.
TLS
- Security protocol providing privacy and data security for communication over the Internet
- Encrypts communication between web applications and servers, as well as email, messaging, and voice over IP (VoIP)
- Proposed by the Internet Engineering Task Force (IETF) in 1999
- The most recent version is TLS 1.3, published in 2018
TLS vs SSL
- TLS evolved from Secure Sockets Layer (SSL), developed by Netscape.
- TLS version 1.0 started out as SSL version 3.1
TLS vs HTTPS
- HTTPS is an implementation of TLS encryption on top of the HTTP protocol
- A website uses HTTPS by employing TLS encryption
TLS Components
- Encryption
  - hides the data being transferred
- Authentication
  - ensures that the parties exchanging information are who they claim to be
- Integrity
  - verifies that the data has not been forged or tampered with
TLS Working
- A TLS/SSL certificate is installed on the origin server
- The TLS/SSL certificate is issued to the person who owns the domain
- A TLS handshake is initiated when a user visits the webpage
Figure: TLS/SSL handshake. Source: https://www.cloudflare.com/resources/images/slt3lc6tev37/3wZIhjRIjfVSmCbVqkBKzb/4a7aa34324108c725dc25fc9e7c4ea4a/tls-ssl-handshake.png
Handshake
During the handshake, the client and server:
- Specify the version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
- Decide which cipher suites to use
- Authenticate the identity of the server using the server's TLS certificate
- Generate session keys for encrypting messages between them after the handshake is complete
SSL
- Secure Sockets Layer is an encryption-based Internet security protocol
- First developed by Netscape in 1995 to ensure privacy, authentication, and data integrity in Internet communications
- predecessor to the modern TLS encryption used today.
SSL Certificates
- Types of certificates
  - Single-domain
    - applies to only one domain
  - Wildcard
    - applies to one domain and also covers that domain's subdomains
  - Multi-domain
    - covers multiple unrelated domains
- Validation levels
  - Domain Validation
    - least stringent and cheapest
    - requires proving control of the domain
  - Organization Validation
    - the CA directly contacts the person or business requesting the certificate
    - these certificates are more trustworthy for users
  - Extended Validation
    - full background check of the organization before the SSL certificate can be issued
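As an added example (not part of the lesson) of how a TLS client uses these certificate types, here is the hostname check a client runs once the certificate arrives in the handshake: a single-domain entry must match exactly, a wildcard label matches exactly one subdomain label (so `*.example.com` covers `www.example.com` but not the bare `example.com` or `a.b.example.com`), and a multi-domain certificate lists all its names in the Subject Alternative Name extension. The `Certificate` class and the sample names are constructed for this example.

```python
"""Certificate name matching for the certificate types listed above.

Added example (not part of the lesson); rules follow RFC 6125 / RFC 2818.
"""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    common_name: str
    subject_alt_names: list[str] = field(default_factory=list)

    def dns_names(self) -> list[str]:
        # Modern clients only look at the Subject Alternative Name extension;
        # the Common Name is used only when no SAN is present (legacy certs).
        return self.subject_alt_names or [self.common_name]


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against one hostname (case-insensitive)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain single-domain entry
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must be the entire left-most label and matches exactly one
    # label: *.example.com covers www.example.com but neither example.com
    # nor a.b.example.com.  "*" and "*.com" are rejected outright.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """True if any DNS name in the certificate covers `hostname`."""
    return any(_name_matches(name, hostname) for name in cert.dns_names())


# Constructed certificates illustrating the three types from the lesson.
SINGLE = Certificate("www.example.com", ["www.example.com"])
WILDCARD = Certificate("*.example.com", ["*.example.com"])
MULTI = Certificate("example.com", ["example.com", "example.net", "shop.example.org"])

if __name__ == "__main__":
    for cert, host in [(SINGLE, "mail.example.com"), (WILDCARD, "mail.example.com"),
                       (WILDCARD, "example.com"), (WILDCARD, "a.b.example.com")]:
        print(f"{cert.common_name:16} covers {host:16}? {hostname_matches(cert, host)}")
```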