In school we got one teacher who always asks question which look easy but they are not easy.
So, can anybody please tell me in a very accurate way whats the difference between http and https authentication?
HTTPS is HTTP inside a SSL/TLS tunnel.
Like a postcard (HTTP) in an envelop (SSL/TLS).
SSL/TLS has 3 main properties :
authentication of the server : a trusted authority has signed the certificate used by the server
confidentiality : only the client and the server can decrypt the data
integrity : the data cannot be modified during the transport without the receiver notice it.
Note: SSL/TLS can be used with a certificate not signed by a trusted authority (but the client will show a warning about that)
HTTP does not scramble the data to be transmitted. That's why there is a higher chance that transmitted information is available to hackers. It operates at TCP/IP level. It uses port 80 by default.
HTTPS is a short abbreviation of Hyper Text Transfer Protocol Secure. It is highly advanced and secure version of HTTP. It uses the port no. 443 for Data Communication. It allows the secure transactions by encrypting the entire communication with SSL. It is a combination of SSL/TLS protocol and HTTP. It provides encrypted and secure identification of a network server.
Limitations of HTTPS---
HTTPS protocol can't stop stealing confidential information from the pages cached on the browser.
SSL data can be encrypted only during transmission on the network. So it can't clear the text in the browser memory.
Fot HTTP the browser performs basic handshake with the server as per the rules of HTTP protocol. It does not validate the authenticity of the server. However for HTTPS the browser validates the authenticity of the server using the SSL certificate with the client. If the certificate is authentic then ssl keys are exchanged between browser and server and all messages are encrypted thus preventing a man in the middle attack. In http there is no ssl certificate and all data is sent in plain text which is vulnerable to man in the middle attack
Related
I have been reading about ssl/tls and certificates recently to enable https for one of our websites.
As far as my current understanding goes, a ssl/tls certificate verifies that we as client are connected to the correct site or not. For that the signature inside of the certificate is used to verify whether the certificate is legitimate or not. And finally to establish a secure connection algorithms like ECDHE (Elliptic curve Diffie–Hellman) are used.
My question is if I want to connect to a website say, "www.mysite.com" and I key in "www.mysite.com" into my browser address bar, I am guaranteed that I will be connected to the correct website. So what is the purpose of having a SSL/TLS certificate installed on a web server when I know that I am keying in the proper address.
Am I missing something in my understanding of how https works?
Also ECDHE algorithm does not rely on any information like public key from the certificate to establish a secure connection.
... if I want to connect to a website say, "www.mysite.com" and I key in "www.mysite.com" into my browser address bar, I am guaranteed that I will be connected to the correct website.
You are not. With a variety of techniques like DNS spoofing, ARP spoofing, hijacked SoHo routers, ... it is possible that an attacker reroutes your traffic so that it ends up at a server controlled by the attacker and not the actual server you want to. Validating that the certificate you've got from the server is the expected one protects against such attacks.
I understand that HTTTPS is secured and it requires SSL certificate issued by CA authority to make the application secure. But what I do not understand is that its in-depth difference with HTTP.
My question, as a user, if I make a request to an application with HTTP or if I make same request to HTTPS what is the actual difference? The traffic remains same to both. Is there any traffic filtering happening if I use HTTPS?
Thanks
HTTPS, as an application protocol is just HTTP over TLS, so there are very few differences, the s in the URL and some consequences for proxy, that is all.
Now you are speaking about the traffic and the filtering. Here you have a big difference because using TLS adds confidentiality and integrity: passive listeners will see nothing about the HTTP data exchanged, including headers. The only thing visible will be the hostname (taken from the https:// URL) as this is needed at the TLS level before HTTP even happens, through a mechanism called SNI (Server Name Indication) that is now used everywhere to be able to install multiple services using TLS under different names but with a single IP address.
I could find any quick answer on google. Most probably the answer lies somewhere in RFC docs on http or https however I just couldn't (too time consuming ) get those information.
So here is the question:
Is the content of a webpage served through HTTP signed digitally by the server ? Same question for HTTPS.
If yes, how does it work correctly when using a proxy ? In my opinion the proxy could tamper the data, sign the tampered data with it's own private key, and claim that the corresponding proxy's public key is actually the genuine public key of the original server ? I am assuming that the client can't check the original server's public key, because there is a proxy which could lie.
I am sorry if this is a dump question and easy searchable on the internet, but every answer I found posed some doubts to me.
Thanks for your help :)
Content sent via HTTPS is encrypted, clients verify the authenticity of the host certificates with whom they are communicating. The server uses a TLS/SSL key/certificate which is signed by certificate authorities (CA) The CAs make sure that they only sign the certificates of the rightful owners of a domain. The certificates of the CAs them-self are installed in you browser/OS. By using these pre-installed certificates, the browser can check if the key used by the remote server is signed by a trusted CA.
A man-in-the-middle does not have the original key, nor another key signed by a CA for the domain in question. Therefore, a man-in-the-middle cannot modify the content without breaking HTTPS.
On the other hand, if you want to use a proxy to cache requests, the proxy can terminate the HTTPS connections. This means the proxy has its own connection to the server and verifies the certificates. In order to secure the connection to the client, the proxy acts as a CA and uses a HTTPS connection with self-signed certificates. To avoid that your browser complains about an insecure connection, you need to install the proxies own CA certificate.
HTTP content is not signed and can be tampered with.
Edit 2018-06-15:
I wasn't really precise with the term "signed" here. The server does not actually sign the content it sends. This means if you store the responses from the server, you cannot prove that they came from that server, in other words: standard TLS dose not provide non-repudiation. However, the authenticity of the server is established during the handshake. The client encrypts a master-key with the servers public key. Only servers in possession of the private key can decrypt the master-key and derive session keys from them.
CAs, on the other hand, actually sign the certificates. A CA cannot validly deny that it signed for the authenticity of a server certificate.
Over ssl/tls can a query string be logged as the request hops around the net before it gets to its endpoint.
I know the endpoint can log the query string. I also know the endpoint server is trusted so I don't mind any logging there.
The way points of TCP traffic will see HTTPS data as cipher text that can't be decoded.
Logging at a TCP way point would require a MITM (man-in-the-middle) attack, which would require the user to be tricked into accepting a forged certificate (which is why browsers are becoming more strict about limiting click-through).
There are proxies that do SSL inspection (a.k.a SSL intercept), which are effectively doing just such a MITM--but such proxies generate the forged certificates with a CA certificate (Certificate Authority certificate) that is installed as a trusted CA certificate on the organization's clients (often by way of GPO policies).
So if you are in such an organization, you're requests are almost certainly logged (with more detail than just your query string [a.k.a path]), and you're content is being subjected to either malware protection (usually downstream) and/or DLP (Data Loss Prevention, usually to keep you're organization's sensitive information from being leaked).
What makes https more secure than http?
The short answer is that https communication between your browser and the server are encrypted. While http traffic is sent in plain text. This means that anyone who can listen to the traffic can read it - this would include usernames and passwords). It also verifies the server to which you are connecting.
That it is encrypted. Read: en.wikipedia.org/wiki/HTTP_Secure
Anything not over HTTPS can be read by anyone snooping on your network.
Im quoting:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.
More information on TLS:
The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.
Also, HTTPS verifies that the site is who it claims to be, if the certificates are correct (signed by a known CA).
All traffic is encrypted. No one on your network can see what is going on (except for knowing where those packets are going to).
The identity of the remote server can be verified using certificates. So you also know that it really is your bank that you are talking to.
Optionally (and not in wide-spread use), the identity of the client can also be verified using certificates. This would allow for secure login to a site using chip cards instead of (or in addition to) passwords.
I want to be really pedantic, as I'm a security nerd :)
HTTPS uses SSL, and it's IETF-ratified cousin, TLS. SSL/TLS can offer four security services:
1) server authentication
2) channel encryption
3) channel tamper detection
4) client authentication
Usually you'll get server auth for free, but only if the host name and the common name in the server's SSL/TLS certificate match. If they don't match your browser will warn you. You usually get the channel defenses for free too, but that's only because the server and client negotiate to require such defenses. In theory, but rarely in practice, a server and client could agree to not use one or more of the channel defenses.
Finally, client authentication is when the server wants you to present a certificate (actually, to prove you have an associated private key) to verify you are you. Client authentication is rarely used.