DNS and HTTPs ACN Presentation

Domain Names
We refer to computers on the Internet (Internet hosts) by names like sharda.ac.in. These are called domain names or, if you want to be really geeky, “fully qualified domain names.” The key point is that the name identifies a particular computer – no two hosts have the same domain name.

The parts of a domain name
sharda.ac.in
A domain is a group of related hosts. The particular host is called sharda.
- .ac → Academic Institute, followed by a top-level domain name.
- .in → This is the country code (India) top-level domain.

A unique host
Sharda.ac.in
This is the domain name of a unique host. It is a member of the ac.in domain, but it is the only one with the name sharda. It is like a family – all the brothers and sisters have the same last name, but it would be confusing if two of them also had the same first name.

There are a limited number of top-level domains
- .edu, educational
- .com, commercial
- .gov, government
- .org, non profit
- .net, networking organizations
These are called “generic” TLDs.

Country code top-level domain names for every nation
- .in, India
- .us, United States
- .mx, Mexico
- .uk, United Kingdom
These are called “country code” top-level domains (ccTLDs). The organization or host does not necessarily have to be in the country to register the name.

DNS search
If your DNS server knows the IP address, it returns it. Otherwise it contacts another DNS server to get the result, and so on until the address is found or it is determined that the name does not exist, in which case an error message is returned.

How DNS Works Simplified
If you want to…
- Call someone, you need to ask for their phone number. You can’t just dial “M Y - F R I E N D”.
- Mail someone, you need to get their address first.
What about the Internet?
- If you need to reach Google, you need their IP.
- Does anyone know Google’s IP?
Problem: People can’t remember IP addresses.
- Need human readable names that map to IPs.

Internet Names and Addresses
- Addresses, e.g.
  - Computer usable labels for machines
  - Conform to structure of the network
- Names, e.g.
  - Human usable labels for machines
  - Conform to organizational structure
- How do you map from one to the other?
  - Domain Name System (DNS)

BASIC DOMAIN NAME RESOLUTION
- EVERY HOST KNOWS A LOCAL DNS SERVER
  - SENDS ALL QUERIES TO THE LOCAL DNS SERVER
- IF THE LOCAL DNS CAN ANSWER THE QUERY, THEN YOU’RE DONE
  1. LOCAL SERVER IS ALSO THE AUTHORITATIVE SERVER FOR THAT NAME
  2. LOCAL SERVER HAS CACHED THE RECORD FOR THAT NAME
- OTHERWISE, GO DOWN THE HIERARCHY AND SEARCH FOR THE AUTHORITATIVE NAME SERVER
  - EVERY LOCAL DNS SERVER KNOWS THE ROOT SERVERS
  - USE CACHE TO SKIP STEPS IF POSSIBLE, E.G. SKIP THE ROOT AND GO DIRECTLY TO .EDU IF THE ROOT FILE IS CACHED

RECURSIVE DNS QUERY
- PUTS THE BURDEN OF RESOLUTION ON THE CONTACTED NAME SERVER
- HOW DOES GOOGLE KNOW WHO TO FORWARD RESPONSES TO?
  - RANDOM IDS EMBEDDED IN DNS QUERIES
- WHAT HAVE WE SAID ABOUT KEEPING STATE IN THE NETWORK?
[Diagram: Root, com, ns1.google.com, Google.com; query “Where is”]

ITERATED DNS QUERY
- CONTACT SERVER REPLIES WITH THE NAME OF THE NEXT AUTHORITY IN THE HIERARCHY
- “I DON’T KNOW THIS NAME, BUT THIS OTHER SERVER MIGHT”
- THIS IS HOW DNS WORKS TODAY
[Diagram: Root, com, ns1.google.com, Google.com; query “Where is”]

DNS PROPAGATION
- HOW MANY OF YOU HAVE PURCHASED A DOMAIN NAME?
  - DID YOU NOTICE THAT IT TOOK ~72 HOURS FOR YOUR NAME TO BECOME ACCESSIBLE?
  - THIS DELAY IS CALLED DNS PROPAGATION
- Why would this process fail for a new DNS name?
[Diagram: Root, com, ns.godaddy.com, Sharda.ac.in]

CACHING VS. FRESHNESS
- DNS PROPAGATION DELAY IS CAUSED BY CACHING
- Zone files may be cached for 1-72 hours
[Diagram: Sharda.ac.in; local cache holding Cached Root Zone File, Cached .com Zone File, Cached .net Zone File, etc.; Root, com, ns.godaddy.com; query “Where is”; answer “That name does not exist.”]
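The iterated lookup and the caching delay described in the slides above, as an added example that is not part of the original presentation. The zone data, server names (tld-in, ns-ac-in), the name new.ac.in, the 192.0.2.x addresses and the single one-hour TTL are constructed assumptions.

```python
import copy

# Constructed zone data (not real records): each server holds referrals
# (domain suffix -> next server) and host records (name -> address).
ZONES = {
    "root":     {"refer": {"in": "tld-in"}, "hosts": {}},
    "tld-in":   {"refer": {"ac.in": "ns-ac-in"}, "hosts": {}},
    "ns-ac-in": {"refer": {}, "hosts": {"sharda.ac.in": "192.0.2.10"}},
}
TTL = 3600  # assumed lifetime in seconds for every cached answer

class LocalResolver:
    def __init__(self, zones):
        self.zones = zones
        self.cache = {}   # name -> (address or None, expiry time)
        self.trace = []   # servers contacted, in order

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                      # cached answer, possibly stale
        server, answer = "root", None
        while server:                          # iterated query: follow referrals
            self.trace.append(server)
            zone = self.zones[server]
            if name in zone["hosts"]:
                answer = zone["hosts"][name]
                break
            suffixes = [s for s in zone["refer"] if name.endswith("." + s)]
            server = zone["refer"][max(suffixes, key=len)] if suffixes else None
        self.cache[name] = (answer, now + TTL)  # None caches "does not exist"
        return answer

def propagation_demo():
    zones = copy.deepcopy(ZONES)
    r = LocalResolver(zones)
    before = r.resolve("new.ac.in", now=0)         # not registered yet
    zones["ns-ac-in"]["hosts"]["new.ac.in"] = "192.0.2.20"  # name goes live
    stale = r.resolve("new.ac.in", now=600)        # negative answer still cached
    fresh = r.resolve("new.ac.in", now=TTL + 1)    # cache expired, lookup repeats
    return before, stale, fresh, r.trace

if __name__ == "__main__":
    print(propagation_demo())
```

The second lookup returns "does not exist" even though the authoritative server already has the record, because the resolver never leaves its cache until the entry expires.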

THE IMPORTANCE OF DNS
- WITHOUT DNS…
  - HOW COULD YOU GET TO ANY WEBSITES?
- YOU ARE YOUR MAILSERVER
  - WHEN YOU SIGN UP FOR WEBSITES, YOU USE YOUR ADDRESS
  - WHAT IF SOMEONE HIJACKS THE DNS FOR YOUR MAIL SERVER?
- DNS IS THE ROOT OF TRUST FOR THE WEB
  - WHEN A USER TYPES WWW.ICICIBANK.COM THEY EXPECT TO BE TAKEN TO THEIR BANK’S WEBSITE
  - WHAT IF THE DNS RECORD IS COMPROMISED?

HTTPs

HTTP
- HTTP (Hypertext Transfer Protocol) is the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.
- HTTP uses default port 80.
- The client submits an HTTP request message to the server. The server, which provides resources such as HTML files and other content, or performs other functions on behalf of the client, returns a response message to the client.

Fig: Working of HTTP

HTTP Limitations
- Unsecured
- Does not use certificates
Security Concerns
- Privacy
- Integrity
- Authentication

HTTPS
- HTTPS = HTTP + SSL
- HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL.
- HTTPS by default uses port 443.
- URLs beginning with HTTPS indicate that the connection is encrypted using SSL.

Fig: Working of HTTPS

HTTPS implementation
- HTTPS is implemented using Secure Sockets Layer (SSL).
- HTTPS is implemented by purchasing an SSL Certificate.

What is an SSL Certificate?
- An SSL certificate becomes the "passport", the digital document that verifies the security and authenticity of the interaction.
- The SSL certificate is installed on a web server to identify the business using it to encrypt sensitive data such as credit card information.
- SSL Certificates give a website the ability to communicate securely with its web customers.

What is an SSL Certificate? (cont'd)
- An SSL Certificate enables encryption of sensitive information during online transactions.
- Each SSL Certificate contains unique, authenticated information about the certificate owner.
- A Certificate Authority verifies the identity of the certificate owner when it is issued.

SSL Certificate interaction with the Browser and the Server

How Encryption Works?
- Each SSL Certificate consists of a Public key and a Private key.
- During a secure communication, the browser encrypts the message using the public key and sends it to the server. The message is decrypted on the server side using the Private key.

How to identify a Secure Connection?
- In Internet Explorer, you will see a lock icon in the Security Status bar. The Security Status bar is located on the right side of the Address bar. You can click the lock to view the identity of the website.
- If the information does not match or the certificate has expired, the browser displays an error message or warning and the status bar may turn RED.

SSL Diagram
1. When any modern browser is installed, it is sent with several CA issuer certificates. These issuer certificates contain a public key for the issuer, among other information.
2. When a web designer decides to use SSL, he needs to purchase a certificate that is signed using the CA's private key.
3. The web browser starts a connection to an HTTPS site. Along with this request the client sends all supported encryption schemes.
4. As a response to the browser's connection request, the server sends a copy of the certificate from step 2. Along with this transmission is the server's answer to the encryption negotiation.
5. Once a certificate is downloaded, the signature of the certificate (that was signed using the CA's private key) is checked using the CA's public key (installed in the browser in step 1).
6. The connection succeeds; the client can now download and upload to the web site with the security of encryption.
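The signature check against the CA's public key, together with the name and expiry checks a browser applies, as an added example that is not part of the original presentation. It uses textbook RSA with a small toy key instead of a real X.509 certificate; the certificate fields, key string and dates are constructed assumptions.

```python
import hashlib

# Toy RSA key for a constructed CA: two Mersenne primes, far too small for
# real use, chosen only so the example runs with the standard library.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q                              # CA public modulus (shipped in browser)
CA_D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent (Python 3.8+)

def digest(cert):
    """Hash the certificate fields that the CA vouches for."""
    body = "|".join([cert["subject"], cert["not_after"], cert["public_key"]])
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % CA_N

def ca_sign(cert):
    """CA side: sign the fields with the CA's private key."""
    return dict(cert, signature=pow(digest(cert), CA_D, CA_N))

def browser_check(cert, hostname, today):
    """Browser side: verify with the CA public key, then check name and date."""
    if pow(cert["signature"], E, CA_N) != digest(cert):
        return "bad signature"
    if cert["subject"] != hostname:
        return "name mismatch"
    if today > cert["not_after"]:         # ISO dates compare correctly as strings
        return "expired"
    return "ok"

def demo():
    cert = ca_sign({"subject": "sharda.ac.in", "not_after": "2030-01-01",
                    "public_key": "constructed-server-key"})
    altered = dict(cert, public_key="swapped-key")   # field changed after signing
    return {
        "valid": browser_check(cert, "sharda.ac.in", "2029-06-01"),
        "other_site": browser_check(cert, "www.icicibank.com", "2029-06-01"),
        "expired": browser_check(cert, "sharda.ac.in", "2031-01-01"),
        "altered": browser_check(altered, "sharda.ac.in", "2029-06-01"),
    }

if __name__ == "__main__":
    print(demo())
```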

Disadvantages of HTTPS
- HTTPS is slightly slower than HTTP.
- HTTPS adds computational overhead as well as network overhead.
- An HTTPS server can only provide one "virtual host" behind a single socket, as opposed to multiple ones behind an HTTP socket. This is because all security negotiation takes place before the HTTP protocol starts and hence before the server knows which URL the client is asking for.
- HTTPS cannot prevent stealing confidential information from the pages cached on the browser. Since in SSL data is encrypted only during transmission on the network, it is in clear text in the browser memory.

HTTP vs HTTPS:
- The URL begins with “http://” in case of HTTP, while the URL begins with “https://” in case of HTTPS.
- HTTP is unsecured while HTTPS is secured.
- HTTP uses port 80 for communication while HTTPS uses port 443 for communication.
- HTTP operates at Application Layer while HTTPS operates at Transport Layer.
- There is no encryption in HTTP while HTTPS uses encryption.
- No certificates are required in HTTP while certificates are required in HTTPS.

How SSL Overcomes HTTP Security Concerns
Secure Sockets Layer technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:
- Privacy. An SSL Certificate enables encryption of sensitive information during online transactions.
- Integrity. A Certificate Authority verifies the identity of the certificate owner when it is issued.
- Authentication. Each SSL Certificate contains unique, authenticated information about the certificate owner.

Limitations of HTTPS
- An HTTPS server can only provide one "virtual host" behind a single socket, as opposed to multiple ones behind an HTTP socket. This is because all security negotiation takes place before the HTTP protocol starts and hence before the server knows which URL the client is asking for.
- HTTPS cannot prevent stealing confidential information from the pages cached on the browser. Since in SSL data is encrypted only during transmission on the network, it is in clear text in the browser memory.
- HTTPS is slightly slower than HTTP. HTTPS adds computational overhead as well as network overhead.

Thank You