Why do we need HTTPS?
* To prevent man-in-the-middle attacks:
* When talking to the router, someone can intercept the traffic
* When it is routed on to the ISP, someone can intercept
* When the request travels internationally to its destination, someone can intercept
* Governments, ISPs and private companies can intercept the communication if it is unencrypted
* Airport Wi-Fi networks hijack every request and show a login page until you log in to their network
What does HTTPS help with?
* Confidentiality - Keep the communication contents secret
* Integrity - Making sure the message has not been tampered with
* Authenticity - Making sure that client is communicating with the correct server
Digital certificates
Certificates from certificate authorities verify our ownership of the website so that clients can communicate with it safely.
A digital certificate certifies that the public key it contains belongs to the owner named in the certificate.
When you browse a website from your machine, the CA-signed certificate is sent to the browser. Your machine checks that the certificate is legitimate by referring to its local list of trusted authorities (see certmgr.msc on Windows). Firefox maintains its own list of trusted authorities.
CAs may be added or removed by browser vendors, for example when a CA's certificates are compromised.
What is SSL?
Secure sockets layer.
What is TLS?
Transport Layer Security
Difference?
SSL is less secure and has now been removed; TLS is what all browsers implement and use, but we still call it SSL. For example
What is PKI scheme of issuing digital certificates?
In public key infrastructure scheme, a digital certificate is issued by a CA and it contains
* A distinguished name / owner's name / subject
* A unique serial number for the certificate
* Owner's public key
* Issue and expiry dates
* Distinguished name of the CA
* Digital signature of the CA
* Signature algorithm
How does TLS handshake happen?
1) The client sends a message to the server listing things like the highest TLS version it supports and the cipher suites it supports, in priority order
2) The server replies with the agreed TLS version and cipher suite, and its public key (carried in its certificate)
3) The client sends a message encrypted with the server's public key
4) The server returns a Finished response and secure communication starts
Steps 1 and 2 are sent unencrypted, so a man in the middle can read them at that point
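Added example, not from the original notes: a simplified Python model of the four steps above. Toy textbook RSA (fixed primes, no padding) stands in for the server's certified public key, and the cipher-suite names are constructed labels. It shows that although steps 1 and 2 travel in plaintext, the Finished message in step 4 is a MAC over each side's view of the whole handshake, so a man in the middle who rewrites the client's first message (for instance stripping cipher suites) makes the two views disagree and the handshake fails instead of silently continuing.

```python
import hashlib, hmac, json, os

# Toy textbook RSA key for the server (fixed Mersenne primes, no padding): a stand-in
# for the certified public key of step 2, not production cryptography.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed cipher-suite labels: the client's priority order and the server's supported set.
CLIENT_SUITES = ["AES256-GCM", "CHACHA20", "AES128-GCM"]
SERVER_SUITES = {"CHACHA20", "AES128-GCM"}

def client_hello(suites, versions=("1.2", "1.1", "1.0")):
    # Step 1: supported versions and cipher suites, sent in the clear.
    return {"versions": list(versions), "suites": list(suites), "random": os.urandom(8).hex()}

def server_hello(hello, server_versions, server_suites):
    # Step 2: pick the highest common version and the client's top suite we also support.
    version = max(set(hello["versions"]) & server_versions)
    suite = next(s for s in hello["suites"] if s in server_suites)
    return {"version": version, "suite": suite, "random": os.urandom(8).hex(), "pubkey": [N, E]}

def master_secret(pre_master, hello, shello):
    # Both sides derive the same master secret from the pre-master and both randoms.
    randoms = bytes.fromhex(hello["random"]) + bytes.fromhex(shello["random"])
    return hashlib.sha256(pre_master + randoms).digest()

def finished(master, *msgs):
    # Step 4: Finished is a MAC, keyed by the master secret, over the handshake transcript.
    transcript = b"".join(json.dumps(m, sort_keys=True).encode() for m in msgs)
    return hmac.new(master, transcript, hashlib.sha256).digest()

def handshake(tamper=None):
    """Run the exchange; `tamper` models a man in the middle rewriting the client's hello."""
    hello = client_hello(CLIENT_SUITES)
    seen = tamper(hello) if tamper else hello          # what the server actually receives
    shello = server_hello(seen, {"1.2", "1.1"}, SERVER_SUITES)
    # Step 3: the client encrypts a fresh pre-master secret to the server's public key.
    pre_master = os.urandom(16)
    n, e = shello["pubkey"]
    ciphertext = pow(int.from_bytes(pre_master, "big"), e, n)
    server_pm = pow(ciphertext, D, n).to_bytes(16, "big")  # only the private key recovers it
    client_fin = finished(master_secret(pre_master, hello, shello), hello, shello)
    server_fin = finished(master_secret(server_pm, seen, shello), seen, shello)
    # The client accepts only if the server's Finished matches its own view of the transcript.
    return shello["suite"], hmac.compare_digest(client_fin, server_fin)
```

With no tampering the negotiated suite is the client's highest-priority suite the server supports and the Finished values match; with a rewritten hello the server picks a weaker suite and the mismatch is detected.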
How to create certificate locally?
One way is:
* In Windows PowerShell (run as administrator), run the command "New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname devlover.blogger.com", giving the certstorelocation and dnsname parameters
This prints the thumbprint of the new certificate, which you copy in order to export it from the local store
* To protect the exported certificate with a password on Windows, first create a secure string: $password = ConvertTo-SecureString -String "mypassword1234" -Force -AsPlainText
* Then export the certificate, as a PFX protected by that password, using Export-PfxCertificate -cert cert:\localMachine\my\ -FilePath c:\mycert\testcert.pfx -Password $password, appending the thumbprint from the previous step to the cert: path
Alternatively, we can use the keytool command to generate certificates. Keytool is the key and certificate management utility that ships with Java. Assuming the key alias "server" and an RSA key (these notes only preserved the end of each command; the keystore, truststore and file names and the passwords are the original ones):
* Generate a key pair in a keystore: keytool -genkeypair -alias server -keyalg RSA -keystore keystore.jks
* Export the generated certificate to server.cer: keytool -exportcert -alias server -file server.cer -keystore keystore.jks
* Add the certificate to the truststore file: keytool -importcert -alias server -file server.cer -keystore truststore.jks -keypass changeit -storepass changeit
We can verify that the certificate was added by running keytool -list -keystore truststore.jks
(Later, update web.xml: inside a security-constraint, add a user-data-constraint element containing a transport-guarantee element set to CONFIDENTIAL, which makes the container require HTTPS for the constrained resources.)