HTTPS

• https://howhttps.works/

• Same “language”, just encrypted.

• Three main aspects
  1. Privacy
  2. Integrity
  3. Identification
• Imagine a “box” at each end of the “pipe” that represents the stream. One end encrypts the communication, the other end decrypts it so
  1. Eavesdroppers can’t decipher the message
  2. If someone in the middle tries to modify the message, the client and sever can detect the change.
  3. Both parties know for certain whom they are talking to.
• HTTPS uses port 443.
• Setting up HTTPS servers is difficult, so we usually use HTTP servers in development
  • Almost all production servers are now HTTPS, even when data isn’t sensitive.
• To encrypt/decrypt client and server need a shared secret.
• Trick is securely agreeing on a secret key.
• Solution: use RSA public/private keypairs.
  • Data encrypted with one key can be decrypted with the other.
  • Data encrypted with my public key can only be read by the person for whom it is intended (privacy)
  • Data encrypted with my private key can be ready by anybody (since my public key is public); but anyone reading the message can be certain it came from me (since I’m the only one with my private key) (identification)
  • Modifying an encrypted stream (even by 1 byte) results in gibberish with extremely high probability (integrity).
• Workflow that almost works:
  1. Client connects to server
  2. Server responds with public key (this can be unencrypted)
  3. Client creates secret key, encrypts it with public key, sends to server.
  4. Server decrypts message
  5. Client and server continue to communicate using shared secret key
• What is missing / what is the security hole here?
  • What if someone intercepts the public key and forges it?
  • That’s why we have certificate authorities:
• Server doesn’t just send its public key, it sends an SSL Certificate that contains
  • public key
  • IP address, owner, and other identifying information for the server
  • Name and digital signature of Certificate Authority
• In principle, the signing authority could encrypt a company’s certificate with it’s private key.
  • The public key comes pre-installed on your machine, so you can only read / make sense of certificates that are signed by trusted authorities.
• This isn’t actually how certificates work, there are intermediate steps to promote scalability.
  • But, the key point is that the Certificate Authority system provides a trusted path for your computer to get a set of public keys that can verify the identities of other parties in a secure transaction.
  • This is why setting up your own https server (without purchasing a full certificate) is difficult: You have to take special steps to configure any computer connecting to the server so that it will accept the certificate. (Or configure the browser to ignore the lack of a verifiable certificate.)
• Certificate Authority: An independent, trusted company that can verify that a public key hasn’t been forged.
  • Cloudflare
  • IdenTrust
  • DigiCert
  • GoDaddy
• More Info:
  • https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/
  • https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
  • https://en.wikipedia.org/wiki/Certificate_authority