Web Security - HTTPS, SSL, TLS and Certificates

Why is it needed?

Man-in-the-Middle attacks (someone reading the information you send and receive, and possibly even changing the message).

How is it implemented?

SSL or TLS.

SSL

This is the secure protocol, i.e. a set of rules that the creators of browsers like Chrome and IE follow.
It has been replaced by TLS.
Certificates are used to hold the information the browsers need in order to implement SSL.

HTTPS

A secure, encrypted version of HTTP: the combination of HTTP with SSL or TLS.

  • Verifies that you are talking directly to the server that you think you are talking to.
  • Ensures that only the server can read what you send it and only you can read what it sends back.

Anyone can intercept every single message you exchange with a server, including the ones in which you agree on the key and encryption strategy to use, and still not be able to read any of the actual data you send.

Certificates

SSL information is stored in these files. The browser reads their contents and runs the SSL algorithms to determine whether the connection is secure.
See Signing below.

Public and Private keys

  • The Public key is unique and available to anyone accessing the server.
  • The Private key lives on the Server only and is never shared.
  • The Public key is visible to everyone and is used with an encryption algorithm, together with the Private key, to encrypt and decrypt the messages sent between Client and Server.
  • Anything encrypted with the Public key can only be decrypted by the Private key, and vice-versa, i.e.
    • The Private key encrypts on the Server, the Public key decrypts on the Client.
    • The Public key encrypts on the Client, the Private key decrypts on the Server.
    • The Public key never both encrypts and then decrypts the same message; it is always either the Private key encrypting and the Public key decrypting, or the Public key encrypting and the Private key decrypting.
  • Why can't anyone decrypt the message from the Server to the Client, if all they need is the Public key to decrypt it?
    • Not possible, because not only is the Public key required but there is additionally a Cipher (a random symmetric encryption key) involved, which only the Client knows of.
  • The Public key is contained within the Certificate returned from the Server in the initial communication.

  • When 2 different keys are used it is known as Asymmetric Encryption.
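As an added example (not code from the original post), the key directions described above in Go using the standard library's crypto/rsa. The client encrypts to the server's public key and only the private key can open the result; the "Private key encrypts on the Server, Public key decrypts on the Client" direction is what signing and verification do in practice; and the "Cipher" the post mentions appears as a random AES-256 session key that the client wraps with the server's public key before encrypting the actual request under it. The key pair, the sample request and all function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// NewServerKeyPair generates the server's RSA key pair. The private half never
// leaves the server; priv.PublicKey is what the certificate carries to clients.
func NewServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptToServer is "Public key encrypts on Client": anyone holding the public
// key can seal a short message, but only the matching private key can open it.
func EncryptToServer(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptOnServer is "Private key decrypts on Server". With any other private
// key (or with the public key, for which no decrypt operation exists) it fails.
func DecryptOnServer(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// SignOnServer is the "Private key encrypts on Server" direction: in TLS the private
// key signs rather than encrypting the page, and the client checks the signature.
func SignOnServer(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyOnClient is true only if sig was made by the private key paired with pub over exactly msg.
func VerifyOnClient(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// SealedMessage is what actually crosses the wire: the random symmetric key (the
// "Cipher") wrapped with the server's public key, plus the payload under AES-256-GCM.
type SealedMessage struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Seal runs on the client: pick a fresh random session key, wrap it for the server,
// encrypt the payload with it. Holding the public key alone recovers neither.
func Seal(pub *rsa.PublicKey, payload []byte) (*SealedMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := EncryptToServer(pub, sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &SealedMessage{wrapped, nonce, gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open runs on the server: unwrap the session key with the private key, then
// decrypt. GCM's authentication tag also rejects any tampered ciphertext.
func Open(priv *rsa.PrivateKey, m *SealedMessage) ([]byte, error) {
	sessionKey, err := DecryptOnServer(priv, m.WrappedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	serverKey, _ := NewServerKeyPair()
	request := []byte("GET /account HTTP/1.1") // constructed sample request
	sealed, _ := Seal(&serverKey.PublicKey, request)
	plain, err := Open(serverKey, sealed)
	fmt.Printf("server read %q, err=%v\n", plain, err)
	sig, _ := SignOnServer(serverKey, plain)
	fmt.Println("client verified server signature:", VerifyOnClient(&serverKey.PublicKey, plain, sig))
}
```

The split into a wrapped session key plus a symmetric cipher is why the answer to "why can't anyone with the Public key read the Server's reply" holds: the public key can only ever seal, and the data itself is protected by the session key that only the two ends know.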

Signing

Certificate Authority (CA) – private companies that store tables of names and public keys. They act as a way to check whether a certificate exists for a particular website, for example.
  • The CA returns a message to the requestor.
  • The contents of the message are the Name and the Public Key.
  • The response is a signed message.
  • The message is signed using the Certificate Authority's Private Key.
  • The response is the Certificate.

(You can set up your own Self-Signed Certificate, and this takes the Certificate Authority out of the equation, but unfortunately you are then banking on the client to trust that you are who you say you are; this is usually where you see the browser warning you not to trust the website.)

HTTPS Request and the Certificate Sequence

[Image: SSL/TLS handshake diagram]
  1. The user types https://www.google.ie into the Chrome address bar.
  2. The Chrome browser visits the URL and gets its Certificate.
  3. The Chrome browser checks the URL against the Certificate's contents, or with the Certificate Authority, to see whether the Certificate matches the URL.
  4. If the Certificate matches, the page is fetched.
    1. The Request is encrypted using the Public Key found in the Certificate.
    2. The page is returned, encrypted using the Private Key.
    3. The page is decrypted by the Chrome browser using the Public Key.
    4. The page is displayed to the user without error or warning.
  5. If the Certificate does not match, the user is presented with a warning; the user can choose to proceed, in which case the page is fetched and displayed to the user with a warning.
  6. TLS Handshake: https://www.ssl.com/article/ssl-tls-handshake-overview/
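As an added example that is not from the original post, the Signing section and the certificate sequence above in Go using the standard library's crypto/x509 and crypto/tls. A constructed CA ("Example Root CA") signs a certificate carrying the name and public key of a constructed server ("www.example.test"); a client that has that CA in its trust store completes a real TLS handshake over loopback TCP (the client's TLS stack performs step 3, checking both the chain and the name, before any page data flows); and the two failure cases from step 5 (a certificate issued for a different name, and a self-signed certificate from a signer the client does not trust) come back as the outcomes a browser turns into warnings. All names, hostnames and function names are assumptions made for this example, and Handshake needs a loopback network interface.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Issued is a certificate together with the private key it vouches for.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key pair and has parent (or, when parent is nil, the new key itself) sign tmpl.
func issue(tmpl *x509.Certificate, parent *Issued) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Issued{Cert: cert, Key: key}, err
}

// NewCA is the Certificate Authority: a root that signs its own certificate.
func NewCA(name string) (*Issued, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
}

// IssueServerCert is the CA's "signed message containing the Name and Public Key": the hostname
// and the server's public key signed with the CA's private key. With ca == nil the server signs itself.
func IssueServerCert(ca *Issued, hostname string) (*Issued, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca)
}

// Classify maps the client's verification error to the outcome a browser would show.
func Classify(err error) string {
	switch {
	case err == nil:
		return "ok" // page loads without a warning
	case errors.As(err, &x509.UnknownAuthorityError{}):
		return "untrusted" // signer is not in the trust store: the "do not trust" warning
	case errors.As(err, &x509.HostnameError{}):
		return "name-mismatch" // certificate was issued for a different site
	}
	return "invalid: " + err.Error()
}

// Handshake runs a real TLS handshake over loopback TCP. The server presents its certificate and
// the client's TLS stack checks the chain against trusted and the name against hostname (step 3).
func Handshake(server *Issued, trusted *x509.CertPool, hostname string) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Classify(err)
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}}}
	go func() {
		if conn, err := ln.Accept(); err == nil {
			s := tls.Server(conn, serverCfg)
			s.Handshake() // a rejected certificate surfaces as the client's error
			s.Close()
		}
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trusted, ServerName: hostname})
	if err == nil {
		client.Close()
	}
	return Classify(err)
}

func main() {
	ca, _ := NewCA("Example Root CA") // constructed names, not a real CA or site
	site, _ := IssueServerCert(ca, "www.example.test")
	self, _ := IssueServerCert(nil, "www.example.test")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Cert)
	fmt.Println(Handshake(site, trusted, "www.example.test"), Handshake(site, trusted, "mail.example.test"), Handshake(self, trusted, "www.example.test"))
}
```

Adding the self-signed certificate to the client's own pool (what a user does when choosing to proceed past the browser warning) turns the "untrusted" outcome into "ok", which is exactly the sense in which a self-signed certificate banks on the client to trust you rather than on a CA.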

IIS and HTTPS

Your server can store SSL Certificates, and IIS can be configured to use HTTPS with these SSL Certificates.

You can enable HTTPS in IIS in a couple of clicks without needing to create a new certificate. Your machine may have a couple of Certificates already installed which you can use in IIS:
