Tuesday, December 12, 2017

What One should know about HTTPS

If you ask someone about HTTPS, the usual answer is "Hypertext Transfer Protocol, secure" or something similar. But HTTPS is more than that: it is not only the padlock in the browser's address bar, nor only a matter of privacy. This post is about what else it involves. Since our client is in the financial services (FS) domain, I thought I should dig into these terms a bit more and share what I found.

Rise of HTTPS

HTTPS has become an essential component of any application running on the web, not only in the finance or banking domain; every website should move to it as soon as possible. The web is moving to HTTPS everywhere, and it is already dominant on modern sites such as Facebook, Gmail and Twitter.
If you open the Times of India site you can see the HTTPS padlock in the address bar, even though it serves no sensitive data. The chart of HTTPS adoption below shows the trend clearly:
the data shows that demand has doubled in the last year, which is pushing everyone towards HTTPS.

Attributes of HTTPS

The security HTTPS provides is easiest to understand through three properties:
  • Confidentiality: nobody other than the two endpoints can read the communication. When I log in to my bank I want to be sure that my password and all of my banking details are protected and cannot be read by a man in the middle (MITM).
For example, if I open Gmail and browse through my emails and other messages, the content of each HTTP request and response should be protected so that no one else on the network can read it.
  • Integrity: nobody can modify the communication in transit. For example, suppose a login form is served over plain HTTP but submits over HTTPS. The submission itself is encrypted, but because the form page was loaded over HTTP, someone on the path can rewrite the form's action, inject tracking code, or inject malware before the user ever submits. Encrypting only the submission does not give you integrity.
  • Authenticity: the server I am talking to is really the one I think it is. This property is provided by the certificates issued by the various Certificate Authorities. Without authenticity, an attacker who hijacks DNS could impersonate the site and the browser would have no way to notice.
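The integrity case above (a login form served over HTTP, or HTTP resources pulled into an HTTPS page) is something you can check for mechanically. The following is an added example, not code from the original post; it parses constructed sample pages with Python's standard library and reports the mixed-content problems a browser would flag. The page URLs and HTML are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for the elements that matter for mixed content."""
    WATCHED = {"script": "src", "link": "href", "img": "src",
               "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name:
            value = dict(attrs).get(attr_name)
            if value:
                self.refs.append((tag, value))


def find_mixed_content(page_url, html):
    """Return a list of integrity problems for a page fetched from page_url.

    Flags (1) any form on a plain-HTTP page, even if it posts to HTTPS,
    because the form itself can be rewritten in transit; (2) forms on an
    HTTPS page that post back over HTTP; (3) subresources loaded over
    HTTP into an HTTPS page.
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, value in collector.refs:
        target = urljoin(page_url, value)          # resolve relative URLs
        target_scheme = urlsplit(target).scheme.lower()
        if tag == "form":
            if page_scheme == "http":
                findings.append(f"form on HTTP page (action {target}): "
                                "the form can be tampered with before submission")
            elif target_scheme == "http":
                findings.append(f"form on HTTPS page posts over HTTP to {target}")
        elif page_scheme == "https" and target_scheme == "http":
            findings.append(f"<{tag}> loaded over HTTP into HTTPS page: {target}")
    return findings


# Constructed sample pages (not real sites): the login-form case from the text.
HTTP_LOGIN_PAGE = """
<html><body>
<form action="https://example.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

HTTPS_PAGE_WITH_HTTP_SCRIPT = """
<html><head><script src="http://cdn.example.com/tracker.js"></script></head>
<body><form action="/login" method="post"></form></body></html>
"""

CLEAN_HTTPS_PAGE = """
<html><head><script src="/app.js"></script></head>
<body><form action="https://example.com/login" method="post"></form></body></html>
"""

if __name__ == "__main__":
    for url, body in [("http://example.com/", HTTP_LOGIN_PAGE),
                      ("https://example.com/", HTTPS_PAGE_WITH_HTTP_SCRIPT),
                      ("https://example.com/", CLEAN_HTTPS_PAGE)]:
        print(url, find_mixed_content(url, body) or "OK")
```

Note that the first page is flagged even though its form posts to an HTTPS URL: the form was delivered over HTTP, so nothing stops an attacker from changing where it posts.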

The (Perceived) Barriers to HTTPS

Cost: Developers assume that HTTPS adds certificate cost and infrastructure cost, and so increases the cost of building a website. Nowadays there are many CAs that charge very little, and some (Let's Encrypt, for instance) issue certificates for free.
Complexity: It is a myth that setting up HTTPS involves lots of complex steps at the server level.
Speed: People assume that all the encryption and decryption will slow down page loads in the browser and cause a performance penalty. In practice the overhead is small on modern hardware, and because browsers only speak HTTP/2 over HTTPS, an HTTPS site can actually load faster than its HTTP version :)

Certificate Authorities

A Certificate Authority (CA) is an entity that issues digital certificates, which are an essential component of secure communication over HTTPS: the browser trusts a site's certificate because a CA it already trusts has signed it.
If you visit the Accenture website you can view the CA details as below.

SSL and TLS


TLS Handshake

When a client connects to a server over HTTPS, the two begin what is known as the TLS handshake:
the client and server negotiate with each other and agree on how they are going to communicate securely. The handshake starts with the client's Hello, which carries the highest TLS version the client supports, a random value, the list of cipher suites it is willing to use and, in the server_name extension, the hostname it wants. The server responds with its own Hello, picking the protocol version and cipher suite, and sends its certificate, which carries its public key, back to the client.
The client verifies that certificate against its list of trusted certificate authorities, and checks that it was issued for the hostname it asked for.
This step is what gives HTTPS its authenticity property. Note that this first part of the handshake is not encrypted, so anyone on the path can see which hostname and which cipher suites were offered.
Next comes the key exchange. With the classic RSA key exchange the client encrypts a premaster secret with the server's public key; with ephemeral Diffie-Hellman (ECDHE), which is preferred because it gives forward secrecy, both sides exchange Diffie-Hellman values and the server signs them with the key in its certificate. Both sides derive the same session keys and exchange Finished messages to confirm that the handshake was not tampered with.
Once the handshake succeeds, all further communication, including the HTTP request and response, is encrypted with those session keys.
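To make the "first part of the handshake is not encrypted" point concrete, here is an added example (not code from the original post) that builds a minimal TLS 1.2 ClientHello record and then parses it the way a passive network observer or IDS would, recovering the hostname from the SNI extension and the offered cipher suites. The hostname and cipher list are chosen for the example; only a handful of IANA cipher suite codes are included in the lookup table.

```python
import os
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A few IANA cipher suite codes; the ECDHE ones give forward secrecy.
CIPHERS = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(hostname, cipher_codes, version=0x0303, client_random=None):
    """Serialise a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    client_random = client_random or os.urandom(32)
    name = hostname.encode("ascii")
    # server_name extension: ServerNameList length, name_type 0 (host_name), name length, name
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", c) for c in cipher_codes)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                              # one compression method: null
            + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record layer: content type, legacy record version 3.1, length
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Pull out what a passive observer can read from the unencrypted ClientHello."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                         # session_id (length-prefixed)
    suites_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                         # compression methods
    sni = None
    if pos < len(body):
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SERVER_NAME:
                name_len, = struct.unpack("!H", data[3:5])   # skip list length + name_type
                sni = data[5:5 + name_len].decode("ascii")
    names = [CIPHERS.get(c, hex(c)) for c in suites]
    return {
        "version": VERSIONS.get(version, hex(version)),
        "sni": sni,
        "cipher_suites": names,
        # True only if every offered suite uses an ephemeral (forward-secret) key exchange
        "forward_secrecy_only": all(n.startswith("TLS_ECDHE_") for n in names),
    }


if __name__ == "__main__":
    hello = build_client_hello("badssl.com", [0xC02F, 0xC030, 0x002F])
    print(parse_client_hello(hello))
```

Everything the parser returns was readable from the wire without any key: the hostname, the TLS version and the cipher suites. Encryption only starts after the key exchange, which is why SNI is a well-known leak to anyone who can see the traffic.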

Intercepting HTTPS traffic during Debugging

Fiddler is commonly used for debugging web applications and monitoring HTTP traffic.
For HTTPS traffic, however, the tool has to be configured to intercept requests: it acts as a man in the middle, presenting its own certificates to the browser.
Open Tools > Telerik Fiddler Options, go to the HTTPS tab and check both options (Capture HTTPS CONNECTs and Decrypt HTTPS traffic), as below.
This generates a Fiddler root certificate, which is added to the trusted CAs after confirmation.

Next comes the confirmation prompt for installing the certificate.
Once it is configured, click OK (below) and go back to the Fiddler UI.
Now you can intercept HTTPS requests, as below, and inspect the request and response.
Keep in mind that this works only because your machine now trusts a root certificate that Fiddler controls; this is exactly what an attacker would need in order to read your HTTPS traffic, so remove the Fiddler root certificate from the trusted store when you have finished debugging.

Using BadSSL.com

https://badssl.com/ is a very useful site for understanding HTTPS, because it lets you see how bad TLS configurations look in the browser. It illustrates most of what can go wrong with HTTPS and the way it is configured.
For example, https://expired.badssl.com/ is served over HTTPS, but its certificate has expired, as below.

My point is that https in the address bar does not by itself mean everything is secure; the certificate, the server configuration and the page content all matter.
The site also offers a dashboard to check whether your browser's HTTPS handling works as expected (it might be compromised, for example, by security products or an enterprise proxy server that intercepts TLS).
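The checks that make badssl.com's pages fail, and that back the authenticity attribute above, are the ones every client has to perform on the certificate it receives: validity period, hostname match (including the rule that a wildcard covers only one label) and a trusted issuer. The following is an added example, not code from the original post or from badssl.com; it applies those checks to constructed certificate dictionaries in the layout Python's `ssl` module returns from `getpeercert()`. The sample certificates, the "Example Issuing CA" and the fixed "now" date are all made up for the example, and a trusted-issuer name set stands in for a real chain build against the trust store.

```python
import ssl
import time


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a '*' may only replace the whole leftmost label,
    so '*.badssl.com' matches 'expired.badssl.com' but not 'a.b.badssl.com'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _rdn_dict(name):
    """Flatten a getpeercert()-style subject/issuer tuple into a dict."""
    return {k: v for rdn in name for k, v in rdn}


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return the list of problems a browser would flag for this certificate.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert();
    `trusted_issuers` is the set of CA common names we trust (a stand-in
    for a real chain build against the trust store)."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback to the subject CN when no SAN is present
        cn = _rdn_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    if not any(_dns_name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    if issuer == subject:
        problems.append("self-signed")
    elif issuer.get("commonName") not in trusted_issuers:
        problems.append("untrusted issuer")
    return problems


# Constructed sample certificates (plain dicts, not real certificates) modelled
# on the cases badssl.com demonstrates; "Example Issuing CA" is hypothetical.
TRUSTED = {"Example Issuing CA"}
NOW = ssl.cert_time_to_seconds("Dec 12 00:00:00 2017 GMT")  # date of this post


def _sample(subject_cn, names, not_before, not_after, issuer_cn="Example Issuing CA"):
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(("DNS", n) for n in names),
        "notBefore": not_before,
        "notAfter": not_after,
    }


GOOD = _sample("badssl.com", ["*.badssl.com", "badssl.com"],
               "Mar 18 00:00:00 2017 GMT", "Mar 25 12:00:00 2020 GMT")
EXPIRED = _sample("badssl.com", ["*.badssl.com", "badssl.com"],
                  "Apr 09 00:00:00 2015 GMT", "Apr 12 23:59:59 2015 GMT")
SELF_SIGNED = dict(GOOD, issuer=GOOD["subject"])

if __name__ == "__main__":
    for label, cert, host in [("good", GOOD, "badssl.com"),
                              ("expired", EXPIRED, "expired.badssl.com"),
                              ("wrong host", GOOD, "a.b.badssl.com"),
                              ("self-signed", SELF_SIGNED, "self-signed.badssl.com")]:
        print(f"{label:12} {check_certificate(cert, host, TRUSTED, NOW) or 'OK'}")
```

In a real client all of this (plus signature verification up the chain and revocation) is done by the TLS library; the point of spelling it out is that the padlock only appears when every one of these checks passes, and an interception proxy such as Fiddler only works because it adds its own issuer to the trusted set.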
To be continued ...

References :