Pertemuan #10 Secure HTTP (HTTPS) Kuliah Pengaman Jaringan
The Plain Text HTTP Consider the following HTTP request passed in clear text: POST /search HTTP/1.1 Host: User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/ Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 71 credit_card_num= &exp_date= & name=Chris%20Shiflett
Security For HTTP We need a technology for HTTP that provides: Server authentication Clients know they’re talking to the real server Client authentication Servers know they’re talking to the real client Integrity Servers & clients are safe from their data being altered Encryption Clients & servers talk privately without fear of eavesdropping Efficiency An algorithm fast enough for inexpensive clients and servers to use
Security For HTTP Ubiquity Protocols are supported by virtually all clients and servers Administrative scalability Instant secure communication for anyone, anywhere Adaptibility Supports the best known security methods of the day
HTTPS Overview Stands for HTTP Secure HTTP sent over secure transport layer (Secure Socket Layer) The most popular secure form of HTTP Pioneered by Netscape Corp. In 1994, Netscape released the spec of Secure Socket Layer By 1995, version 3.0 of SSL was released Supported by all major browsers & servers Dramatically changed the way people used the web The URL will start with instead of Some browser also display iconic security cues
HTTPS Overview
Secure Socket Layer (SSL) provides: Data Integrity Can help ensure that HTTP data can’t be changed while in transit Data Confidentiality Provides strong cryptographic techniques used to encrypt HTTP messages Identification Can offer reasonable assurance as to the identity of a Web Server Can also be used to validate the identity of a client, but this is less common
HTTPS Overview Compared with HTTP in TCP/IP Protocol Stack Server Port: 80 Server Port: 443
HTTP & HTTPS Transactions Initiate connection
HTTP & HTTPS Transactions Exchange data
HTTP & HTTPS Transactions Terminate connection
SSL Security Parameters Handshake
HTTPS Server Certificate
Site Certificate Validation SSL doesn’t require you to examine the web server But modern browser do some simple sanity checks on certificates, the steps are: Date check Check start/end date, ensure cert is still valid Signer trust check Cert is signed by well-known trusted Cerfiticate Authority Signature check Check cert integrity by applying the signing CA’s public key to the signature and comparing it to the checksum Site identity check Domain name in cert matches with the server they’re talking to
Certificate Authorities CA is used to assure that a particular public key belongs to a particular person (or domain name, for example: its-sby.edu) CA is a trusted 3 rd party that assures the identity of a public key’s owner with a digital certificate Digital cert is a document declaring a particular pub-key is owned by a particular web site CA’s role is very similar to a notary whose responsibility is to ensure the correct identity of people signing a legal document
Tunnelling Secure Traffic Through Proxies Corporate firewall proxy
Tunnelling Secure Traffic Through Proxies Proxy can’t read the encrypted HTTP header, so it won’t know where to forward the request A few modifications are needed to tell the proxy where to connect One popular technique is the HTTPS SSL tunnelling protocol
SSL Tunnelling To allow SSL traffic to flow through proxy firewalls, a tunnelling feature was added to HTTP Encrypted data is placed inside HTTP messages and sent through normal HTTP channels
SSL Tunnelling Tunnels let non-HTTP traffic flow through HTTP connections
SSL Tunnelling Direct SSL connection vs. tunnelled SSL connection